docs: finance/books/ledger boundary contracts + proposals by chitcommit · Pull Request #119 · chittyapps/chittyfinance

chitcommit · 2026-05-27T22:53:41Z

Summary

Docs-only branch from /goal audit of finance/books/ledger surfaces. No code or runtime changes.

Five new docs:

docs/contracts/chittybooks-chittyfinance.md — engine/UI boundary, source-of-truth table, API surface, deploy decision (retires the fake books.chitty.cc live-API assumption only; actual deploy choice stays an explicit operator gate)
docs/contracts/mercury-multitenant.md — tenant_id + legal_person_chittyid + Wave mapping rules. Flags critical schema gap: legal_person_chittyid is not on accounts in database/system.schema.ts
docs/proposals/api-v1-prefix-fix.md — resolves the /api/v1/* 404 as a non-issue (meta routes are intentionally under /api/v1, resource routes under /api/<resource>). One-sentence CLAUDE.md clarification only.
docs/proposals/ch1tty-connector-revision.md — names the dead CHITTYBOOKS_URL endpoint in chittycommand/docs/plans/2026-02-23-mercury-chittybooks-plan.md:168 and chittycommand/src/lib/integrations.ts:618; routes bookkeeping reads/writes through real finance.chitty.cc paths
docs/proposals/chittyledger-naming-plan.md — substrate (FOUNDATION/chittyledger) + Finance/Evidence projections; plan to rename CHITTYOS/chittyledger → -evidence-legacy

Validation

All 5 markdown files parse (python3 read OK).
ChittyCommand financeClient verified to call /api/accounts not /api/v1/accounts → docs-only path-prefix clarification has zero consumer breakage.
OpenAPI spec at /api/v1/documentation enumerated: 9 paths, only /health and /api/v1/{status,metrics,documentation} under /api/v1; resource paths at /api/*.
SystemStorage enforces tenancy via tenant_id NOT NULL schema column + 117 tenantId references.

Followups (not in this PR)

PR-2 (CHITTYOS/chittycommand): lazy-disable booksClient — PR-ready, awaiting owner approval
ChittyBooks deploy choice (A container / B worker / C merged): explicit operator gate
CHITTYOS/chittyledger rename: org-owner action

🤖 Generated with Claude Code

Summary by CodeRabbit

Documentation
- Clarified API routing: resource endpoints under /api/, operational/meta under /api/v1/ with OpenAPI at /api/v1/documentation
- Added service boundaries and ownership contract for ChittyFinance, ChittyBooks, ChittyLedger (read-only projection, no competing writers)
- Defined Mercury multitenant identity/isolation rules, schema gap and deploy gates (tenant enforcement, webhook/secret checks)
- Updated connector guidance: CHITTYBOOKS_URL handling, lazy client behavior, and legacy ledger renaming/retire plans

github-actions · 2026-05-27T22:53:50Z

@coderabbitai review

Please evaluate:

Security implications
Credential exposure risk
Dependency supply chain concerns
Breaking API changes

coderabbitai · 2026-05-27T22:54:04Z

Warning

Review limit reached

@chitcommit, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 52 minutes and 3 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 56212c10-12ed-4d37-98c5-ae7f50e2e348

📥 Commits

Reviewing files that changed from the base of the PR and between 4524ab1 and e179c20.

📒 Files selected for processing (4)

CLAUDE.md
docs/contracts/chittybooks-chittyfinance.md
docs/proposals/ch1tty-connector-revision.md
docs/proposals/chittyledger-naming-plan.md

📝 Walkthrough

Walkthrough

Adds documentation: clarifies API routing (/api vs /api/v1), publishes ChittyBooks↔ChittyFinance ownership contract, defines Mercury multitenant invariants and remediation, revises the ChittyBooks connector to use real services, and proposes a ChittyLedger naming-collision resolution.

Changes

System Architecture Contracts and Proposals

Layer / File(s)	Summary
API Routing Clarification `CLAUDE.md`, `docs/proposals/api-v1-prefix-fix.md`	Resolves `/api/v1/entities` 404: operational/meta endpoints use `/api/v1/*` (status, metrics, documentation) while resource routes mount at `/api/<resource>`; `/api/v1/documentation` is authoritative.
ChittyBooks-ChittyFinance Ownership Contract `docs/contracts/chittybooks-chittyfinance.md`	Defines Finance as bookkeeping owner, Books as read-only UI consuming Finance aggregators, Ledger as substrate; prohibits competing writers, enumerates ChittyBooks-consumed endpoints and auth/tenant semantics, records retirement of `books.chitty.cc`, and lists operator-gated deploy options and follow-ups.
Mercury Multitenant Contract `docs/contracts/mercury-multitenant.md`	Specifies tenant isolation invariants: `tenant_id` required, `legal_person_chittyid` binding, unique Wave mapping; documents `accounts` schema gap for `legal_person_chittyid`, remediation options, and deploy-gate checklist for webhook secrets and storage-layer enforcement.
Mercury–ChittyBooks Connector Plan Revision `docs/proposals/ch1tty-connector-revision.md`	Stops reliance on non-resolving ChittyBooks endpoints: set `CHITTYBOOKS_URL` empty, make `booksClient` lazy/null-returning and log on DNS/unset, route through real Mercury/ChittyFinance/ledger clients, deprecate `booksClient`, and add deploy-gate sequencing.
ChittyLedger Naming-Collision Resolution `docs/proposals/chittyledger-naming-plan.md`	Proposes treating Ledger as substrate+projections, renaming/archiving legacy repo/UI, adding README disambiguation and `ChittyLedger-Finance` docs, and aligning `chittycanon://core/services/chitty-ledger` with deploy gates.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

chittyapps/chittyfinance#116: Also modifies CLAUDE.md; overlaps on developer guidance where /api vs /api/v1 routing is described.
chittyapps/chittyfinance#57: Prior CLAUDE.md update touching developer guidance and developer-facing routing/limitations content.

Poem

🐇 I hopped through pages, nudged the map clear,

Routes sorted, contracts penned without fear,
Tenants counted, connectors set true,
Ledger names pruned to a tidier view,
A burrow of docs where each path is new.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: adding documentation for boundary contracts and proposals around finance, books, and ledger subsystems.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch goal/finance-books-ledger-substrate

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Copilot

Pull request overview

Docs-only PR adding boundary contracts and proposals from a goal audit of the finance/books/ledger surfaces. No runtime or schema changes. Clarifies the /api/v1 prefix convention in CLAUDE.md, retires the fake books.chitty.cc live-API assumption, flags a schema gap for legal_person_chittyid on accounts, and proposes a rename plan for the legacy CHITTYOS/chittyledger repo.

Changes:

Adds four new docs under docs/contracts/ and docs/proposals/ describing the engine/UI boundary, Mercury multitenant model, API prefix resolution, connector revisions, and naming plan.
Updates one line in CLAUDE.md to clarify resource routes (/api/<resource>) vs meta routes (/api/v1/*).

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
CLAUDE.md	Clarifies `/api/v1` is meta-only; resource routes are unprefixed.
docs/contracts/chittybooks-chittyfinance.md	Defines ChittyBooks↔ChittyFinance engine/UI boundary and source-of-truth table.
docs/contracts/mercury-multitenant.md	Documents tenant + Legal Person isolation; flags missing `legal_person_chittyid` column.
docs/proposals/api-v1-prefix-fix.md	Resolves `/api/v1/*` 404 report as non-issue; proposes one-line CLAUDE.md note.
docs/proposals/ch1tty-connector-revision.md	Proposes routing through real services and gating dead `CHITTYBOOKS_URL`.
docs/proposals/chittyledger-naming-plan.md	Plan to rename `CHITTYOS/chittyledger` → `-evidence-legacy`.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

claude · 2026-05-27T22:55:32Z

Code Review — PR #119: docs: finance/books/ledger boundary contracts + proposals

Scope: Docs-only — 5 new markdown files + 1 CLAUDE.md line edit. No runtime risk.

Overview

This PR documents the architecture audit of the finance/books/ledger surfaces. The research is thorough, the evidence is cited with file paths and line numbers, and the schema gap discovery is a genuine catch. The deploy-gate checklists and "not decided here" discipline are well-executed.

Findings

Bug / Correctness

legal_person_chittyid schema gap confirmed accurate. I verified database/system.schema.ts:101-123 — the column is absent. metadata: jsonb('metadata') (line 112) already exists, so Path B (interim metadata) requires no schema migration — just a storage-layer read/write convention. The doc should note this: Path B has zero schema cost today.
chartOfAccounts.tenantId allows NULL (system.schema.ts:70 — "NULL = global default"), but mercury-multitenant.md lists only the four tables where tenant_id IS NOT NULL. COA nullability is by design for global defaults, but the "Verified OK" section should mention this explicitly to avoid a future reader assuming the constraint is universal.

Naming / Style

Filename typo: docs/proposals/ch1tty-connector-revision.md uses 1 instead of i. Every other file in docs/proposals/ uses standard spelling (api-v1-prefix-fix.md, chittyledger-naming-plan.md). If intentional, add a comment in the doc; if not, rename to chitty-connector-revision.md.
CLAUDE.md line is now a run-on sentence in an ASCII table comment. The old line was 65 chars; the new one is 178 chars. Consider splitting into two lines or trimming to the essential fact: Resource routes at /api/<resource>; meta/ops routes at /api/v1/. OpenAPI spec at /api/v1/documentation is authoritative.

Tracking / Process

CRITICAL blocker has no linked issue. mercury-multitenant.md flags legal_person_chittyid as a CRITICAL schema gap with a deploy-gate checkbox. Markdown checkboxes in merged files are never checked off — they are invisible to project trackers. Please open a GitHub issue for this blocker before merging so it stays on the board.
Cross-repo line references will rot. ch1tty-connector-revision.md cites chittycommand/src/lib/integrations.ts:618 and ...plans/2026-02-23-mercury-chittybooks-plan.md:168. Line numbers in other repos shift with every commit. Either pin to a commit SHA or reference only file paths + symbol names.
chittybooks-chittyfinance.md is labeled "Not canon yet — proposal for the pentad." That's fine, but the doc doesn't describe how it becomes canon. Add a one-line process hint (e.g., "Canonicalized when pentad owners approve and CHARTER.md cross-references this file") so it doesn't stay in proposal limbo indefinitely.

Minor

docs/proposals/api-v1-prefix-fix.md is clean and the corresponding CLAUDE.md patch is already applied in this PR — good alignment.
The chittyledger-naming-plan.md correctly gates everything on org-owner actions. No concerns.
The deploy options A/B/C in chittybooks-chittyfinance.md are well-structured; Option C (merged UI into ChittyFinance) is the clearly lowest-cost path and is called out as the default — this framing is helpful.

Summary

Category	Status
Accuracy of documented facts	✅ Schema gap, API prefix, and deploy state all verified
Code/runtime risk	✅ None — docs only
CLAUDE.md change	⚠️ Line too long for ASCII table column
Filename consistency	⚠️ `ch1tty` typo vs rest of proposals dir
CRITICAL gap tracking	❌ Needs a GitHub issue before merge
Cross-repo line refs	⚠️ Will rot; prefer symbol names

Recommendation: Open a GitHub issue for the legal_person_chittyid blocker and fix the ch1tty filename, then this is good to merge.

coderabbitai

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/contracts/chittybooks-chittyfinance.md`:
- Line 12: The table row that lists "ChittyLedger (legacy fork)" currently
references the wrong repository identifier `CHITTYOS/chittybooks`; update that
repo string to `CHITTYOS/chittyledger` so the legacy ledger entry points to the
correct repository (look for the row containing "ChittyLedger (legacy fork)" and
replace the `CHITTYOS/chittybooks` token with `CHITTYOS/chittyledger`), and make
the same fix for the duplicate occurrence noted around the other mentioned line.

In `@docs/contracts/mercury-multitenant.md`:
- Around line 14-22: Add a language tag to the fenced diagram block that begins
with "Person (P-Legal, e.g. "IT CAN BE LLC")" so it stops triggering
markdownlint MD040; update the opening triple-backtick to include a language
identifier (e.g., ```text) for that diagram block.

In `@docs/proposals/chittyledger-naming-plan.md`:
- Around line 16-25: The fenced code block that begins with ``` has no language
identifier causing markdownlint MD040; update that opening fence to include a
language such as text (e.g., change ``` to ```text or ```plaintext) so the block
is explicitly labeled and the linter warning is resolved.

🪄 Autofix (Beta)

✅ Autofix completed

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: aebb8db2-8511-4478-aed5-12b5c9fc1c30

📥 Commits

Reviewing files that changed from the base of the PR and between 652917a and b5a1ff2.

📒 Files selected for processing (6)

CLAUDE.md
docs/contracts/chittybooks-chittyfinance.md
docs/contracts/mercury-multitenant.md
docs/proposals/api-v1-prefix-fix.md
docs/proposals/ch1tty-connector-revision.md
docs/proposals/chittyledger-naming-plan.md

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b5a1ff248b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

* refactor(server): split routes into books vs accounting concerns Introduce a structural books/accounting boundary with no behavior change. Books writes facts (ingest, categorize, journal); accounting derives meaning (chart of accounts, reporting, tax, allocations). - move transactions/import/webhooks -> server/books/ - move accounts/reports/tax/allocations -> server/accounting/ - add concern-boundary READMEs for each tree - classification.ts stays in routes/ (straddles both); note added - fix import paths in app.ts and __tests__ Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(deps): resolve @chittyos/schema lockfile drift Revert PR #103's refactor that introduced an unresolvable file: dependency. Root cause: PR #103 swapped the self-contained local scope-projector for a thin adapter over `@chittyos/schema`, declared as `file:../../CHITTYFOUNDATION/chittyschema`. That sibling-repo path only exists on the dev VM. In CI it cannot resolve, and worse, pnpm 10 refuses to record file: directory links in the lockfile importer block at all — so `pnpm install --frozen-lockfile` always sees a specifier mismatch ("1 dependencies were added: @chittyos/schema@file:..."), failing the Dependency Audit (High+) gate on every PR (#119, #120). No clean dependency form resolves in CI: the package is unpublished (npm 404), its dist/ is gitignored in the sibling repo (so a github: dep ships no build), and it has no prepare script. Fix: restore the pre-#103 self-contained implementation of server/lib/central-workflows.ts (175 lines, uses @neondatabase/serverless which is already a dependency) and drop the @chittyos/schema dependency. Public API (scopeLog, SCOPE_TYPES, ScopeStatus, etc.) is unchanged, so callers in workflows.ts and reports.ts are unaffected. Regenerated lockfile. Verified in a clean checkout (sibling repo absent, pnpm 10): pnpm install --frozen-lockfile -> exit 0 pnpm audit --prod --audit-level high ... -> exit 0 npm run check (tsc) -> exit 0 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

github-actions · 2026-05-30T17:19:13Z

@coderabbitai review

Please evaluate:

Security implications
Credential exposure risk
Dependency supply chain concerns
Breaking API changes

coderabbitai · 2026-05-30T17:20:20Z

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
echo "=== CLAUDE.md relevant section ==="
grep -n "api\|v1\|route\|mount" CLAUDE.md | head -30

echo "=== docs/contracts/chittybooks-chittyfinance.md ==="
cat docs/contracts/chittybooks-chittyfinance.md

echo "=== docs/contracts/mercury-multitenant.md ==="
cat docs/contracts/mercury-multitenant.md

echo "=== docs/proposals/api-v1-prefix-fix.md ==="
cat docs/proposals/api-v1-prefix-fix.md

echo "=== docs/proposals/ch1tty-connector-revision.md ==="
cat docs/proposals/ch1tty-connector-revision.md

echo "=== docs/proposals/chittyledger-naming-plan.md ==="
cat docs/proposals/chittyledger-naming-plan.md

echo "=== Check for secrets/tokens/keys in docs ==="
rg -i "(api.?key|secret|password|token|bearer|credential|private.?key|access.?key|webhook.?secret)" docs/ -n

echo "=== Check for hardcoded URLs with auth ==="
rg "https?://[^@\s]*:[^@\s]*@" docs/ -n

echo "=== Check for any package changes ==="
git diff origin/main --name-only | head -30

echo "=== Check for dependency file changes ==="
git diff origin/main -- package.json package-lock.json yarn.lock pnpm-lock.yaml 2>/dev/null | head -50

Length of output: 40420

@github-actions[bot]: This is a docs-only PR (5 markdown files + 1 CLAUDE.md line). Here is the evaluation across the four requested areas:

Security Implications

Finding	Severity	Source
`legal_person_chittyid` absent from `accounts` schema	Critical (documented)	`docs/contracts/mercury-multitenant.md` — PR flags this as a blocker; multi-tenant contract is partially enforced (tenant_id ✅, legal_person ❌). Neither Path A (migration) nor Path B (metadata) has landed yet.
`mercury-proxy` is stateless re tenancy	Medium	`docs/contracts/mercury-multitenant.md:31` — "proxy is stateless re tenancy; tenancy is enforced by the caller (ChittyFinance) before reaching it." There is no defense-in-depth backstop at the proxy layer. A single bug in ChittyFinance's pre-call checks could allow cross-tenant Mercury writes with no secondary guard. Recommend the proxy enforce a mandatory `tenant_id` assertion on every inbound request, even if just a header presence check.
`booksClient` targeting NXDOMAIN `books.chitty.cc`	Low	`docs/proposals/ch1tty-connector-revision.md` — Currently harmless (DNS → NXDOMAIN). Risk: if that domain is ever registered by a third party, live requests from `chittycommand` could reach an uncontrolled host. The lazy-disable PR is already planned; it should be prioritized.
Internal infrastructure topology in docs	Informational	`mercury-proxy.chitty.cc`, `chittyserv-dev`, CF tunnel paths, and internal service URLs are enumerated in plain text. Acceptable for a private org repo, but these docs should not be published publicly.

Credential Exposure Risk

None found in the 5 new files.

No hardcoded tokens, secrets, or passwords in any new document.
No URLs with embedded credentials (user:pass@host pattern — confirmed clean by scan).
Docs reference only env var names (CHITTYBOOKS_URL, X-Mercury-Token, HMAC secret) — no values.
The credential hygiene principle is explicitly documented: "Credential rotation is owned by ChittyConnect concierge. ChittyBooks never sees a Mercury or Wave token." and "never chat-paste" — good.
Pre-existing test tokens (Bearer test, test-token-123) exist in older plan docs but are not introduced by this PR.

Dependency Supply Chain Concerns

None. No package.json, lockfiles, or any dependency manifests were modified. This PR is purely documentation.

Breaking API Changes

None. No source code was changed. The api-v1-prefix-fix.md proposal explicitly resolves a non-issue — the /api/v1/* (meta) vs /api/* (resources) split is intentional, pre-existing, and consistent with the OpenAPI spec. The ch1tty-connector-revision.md recommends changes to CHITTYOS/chittycommand but defers them to a follow-up PR.

Summary

This PR is safe to merge from a security standpoint with one actionable recommendation:

Before reconciliation reports go live, the legal_person_chittyid deploy gate (already flagged as a BLOCKER in docs/contracts/mercury-multitenant.md) must be resolved — either via schema migration or interim metadata — or reconciliation outputs will silently omit the Legal Person dimension.

Additionally, the mercury-proxy tenancy-stateless design warrants a follow-up hardening ticket to add a proxy-side tenant_id assertion for defense-in-depth.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

claude · 2026-05-30T17:20:47Z

Code Review — PR #119: docs: finance/books/ledger boundary contracts + proposals

Summary: Docs-only PR (267 additions, 1 deletion) that introduces 5 new contract/proposal files and a 1-line CLAUDE.md clarification. No runtime changes.

Overview

This PR does good forensic work — verifying deployed surfaces, naming collisions, and dead code paths against actual DNS/file evidence rather than assumptions. The verification methodology (citing exact file paths, line numbers, dig/curl results) is the right standard for this kind of audit.

What's Good

Evidence-based claims. Every assertion in the docs cites a verifiable source (file path, line number, DNS check). This is the correct standard for architecture docs.
Honest about partial enforcement. mercury-multitenant.md clearly flags that tenant_id is enforced at DB level but legal_person_chittyid is not — rather than papering over it.
Operator-gated decisions. The deploy-decision framework (Option A/B/C for ChittyBooks) correctly keeps the choice explicit rather than making it implicitly in docs.
CLAUDE.md change is accurate. The route-prefix clarification matches the OpenAPI evidence cited.

Issues

CRITICAL (Blocker)

mercury-multitenant.md flags a schema gap with no follow-up issue.
The doc correctly identifies that legal_person_chittyid is absent from accounts in database/system.schema.ts and marks it as a deploy blocker. But there's no linked GitHub issue, no assignee, and no milestone. A doc asserting "BLOCKER" that lives only in a docs file will be ignored — it needs to exist as a tracked issue on this repo before this merges.

Recommend: open an issue titled "schema: add legal_person_chittyid to accounts (mercury multitenant blocker)" and reference it in the doc's deploy-gates checklist.

MEDIUM

Filename typo: ch1tty-connector-revision.md (number 1 instead of letter i)

docs/proposals/ch1tty-connector-revision.md
                  ^— "1" not "i"

This breaks grep chitty, glob patterns, and is visually confusing. Rename to chitty-connector-revision.md (or chittyconnector-revision.md to match the env var naming convention).

Cross-repo line number references will go stale.
Proposals reference:

chittycommand/src/lib/integrations.ts:618
chittycommand/docs/plans/2026-02-23-mercury-chittybooks-plan.md:168

Line numbers in other repos drift immediately on the next commit. Since these are proposals (not contracts), consider citing symbols/function names instead of line numbers where possible, or add a "Verified at" date so readers know to re-verify.

CLAUDE.md route-table entry is now a paragraph, not a row.
The original table uses short phrases. The updated routes line is now 3 sentences inline — it reads awkwardly in the table context and will be truncated in most terminal widths:

# Before
routes/  22 resource-per-file modules. OpenAPI at /api/v1/documentation

# After  
routes/  22 resource-per-file modules. Resource routes are mounted at /api/<resource> (no /v1 prefix). Only operational/meta routes (status, metrics, documentation) live under /api/v1/. OpenAPI spec at /api/v1/documentation is authoritative.

The docs/proposals/api-v1-prefix-fix.md already has the full explanation. CLAUDE.md could just link to it with a shorter addition like:

routes/  22 resource-per-file modules. Resource routes at /api/<resource>; meta routes at /api/v1/*. OpenAPI at /api/v1/documentation.

LOW / Nits

docs/ directory is not listed under "Where Things Live" in CLAUDE.md. Given this PR is starting a docs/contracts/ + docs/proposals/ structure, a single entry (docs/ - architecture docs, contracts, proposals) would help future contributors find these.
chittyledger-naming-plan.md step 6 ("Canon URI alignment") references chittycanon://core/services/chitty-ledger without explaining what resolves that URI scheme or where ChittyRegister lives. If a future reader needs to act on this, they need that context.
chittybooks-chittyfinance.md "Source of Truth" table lists financial_documents, financial_facts, reconciliation_conflicts as written by "ChittyLedger-Finance (via ChittyTrace ingest)" — but those tables don't appear to exist in database/system.schema.ts yet (the schema gap that mercury-multitenant.md also alludes to). Consider marking these as "planned" in the table rather than implying they're present.

Security

The Mercury multitenancy model is correctly reasoned:

tenant_id NOT NULL + schema-level enforcement is the right defense-in-depth for cross-tenant reads.
The proxy/egress shim correctly identified as NOT a tenant boundary.
"ChittyBooks never sees a Mercury or Wave token" constraint is correctly stated and should be preserved in any deploy-gate checklist.

The legal_person_chittyid gap is the only security-relevant finding and it is correctly flagged. Until Path A or B lands, the reconciliation report MUST NOT assume the binding exists at query time.

Summary

Severity	Count	Addressed?
Blocker	1 (`legal_person_chittyid` gap needs an issue)	No
Medium	3 (filename typo, stale line refs, CLAUDE.md verbosity)	No
Low/nit	3	No

The underlying analysis is solid and this docs infrastructure is useful. The blocker is the missing issue tracker entry for the schema gap — docs-only blockers get lost. The filename typo should be fixed before merge. Everything else is addressable in follow-up.

Reviewed by Claude Sonnet 4.6 via Claude Code

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e15f239ed8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

coderabbitai

♻️ Duplicate comments (2)

docs/contracts/chittybooks-chittyfinance.md (1)
12-12: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Incorrect legacy repo identifier for ChittyLedger.

The contract points to CHITTYOS/chittybooks, but based on the chittyledger naming plan in this proposal set, the legacy ledger collision is CHITTYOS/chittyledger.
Suggested fix
-| ChittyLedger (legacy fork) | `CHITTYOS/chittybooks` | Express + React, in-memory, not deployed | n/a — DUPLICATE, candidate for retirement or repurpose as ChittyLedger-Evidence seed |
+| ChittyLedger (legacy fork) | `CHITTYOS/chittyledger` | Express + React, in-memory, not deployed | n/a — DUPLICATE, candidate for retirement or repurpose as ChittyLedger-Evidence seed |
Also applies to: 84-84
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/contracts/chittybooks-chittyfinance.md` at line 12, Update the legacy
repo identifier in the ChittyLedger table entry: replace the incorrect string
`CHITTYOS/chittybooks` with the correct identifier `CHITTYOS/chittyledger` in
the table row that currently reads "ChittyLedger (legacy fork) |
`CHITTYOS/chittybooks`"; ensure the same replacement is applied to the duplicate
occurrence noted (also at the second location mentioned).
docs/proposals/chittyledger-naming-plan.md (1)
16-25: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a language identifier to the fenced code block.

The fenced code block is missing a language identifier, which triggers markdownlint MD040. Add text or plaintext to the opening fence.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/proposals/chittyledger-naming-plan.md` around lines 16 - 25, The fenced
code block containing the ChittyLedger tree should include a language identifier
to satisfy markdownlint MD040; update the opening fence (the line starting with
```) to include a language token such as "text" or "plaintext" so it reads
```text (or ```plaintext) above the ChittyLedger block to silence the linter.

🧹 Nitpick comments (1)

docs/proposals/api-v1-prefix-fix.md (1)

21-21: ⚡ Quick win

Capitalize "GitHub" for correctness.

The proper capitalization is "GitHub" with a capital "H".

📝 Proposed fix

-- All 5 in-repo references to `/api/v1` (`.github/workflows/register.yml`, `deploy/registration/chittyfinance.registration.json`, `client/src/pages/Landing.tsx:342`, `.claude/commands/quick-deploy.md:28`, plans) point at real endpoints. **Nothing to fix.**
+- All 5 in-repo references to `/api/v1` (`.GitHub/workflows/register.yml`, `deploy/registration/chittyfinance.registration.json`, `client/src/pages/Landing.tsx:342`, `.claude/commands/quick-deploy.md:28`, plans) point at real endpoints. **Nothing to fix.**

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/proposals/api-v1-prefix-fix.md` at line 21, The document text "GitHub"
is not capitalized correctly; locate the sentence that reads "All 5 in-repo
references to `/api/v1` (...) point at real endpoints. **Nothing to fix.**" and
any nearby mention of "Github" or "GitHub", and update the word to the correct
capitalization "GitHub" (ensure every occurrence in this proposal line and
surrounding notes uses "GitHub").

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@docs/contracts/chittybooks-chittyfinance.md`:
- Line 12: Update the legacy repo identifier in the ChittyLedger table entry:
replace the incorrect string `CHITTYOS/chittybooks` with the correct identifier
`CHITTYOS/chittyledger` in the table row that currently reads "ChittyLedger
(legacy fork) | `CHITTYOS/chittybooks`"; ensure the same replacement is applied
to the duplicate occurrence noted (also at the second location mentioned).

In `@docs/proposals/chittyledger-naming-plan.md`:
- Around line 16-25: The fenced code block containing the ChittyLedger tree
should include a language identifier to satisfy markdownlint MD040; update the
opening fence (the line starting with ```) to include a language token such as
"text" or "plaintext" so it reads ```text (or ```plaintext) above the
ChittyLedger block to silence the linter.

---

Nitpick comments:
In `@docs/proposals/api-v1-prefix-fix.md`:
- Line 21: The document text "GitHub" is not capitalized correctly; locate the
sentence that reads "All 5 in-repo references to `/api/v1` (...) point at real
endpoints. **Nothing to fix.**" and any nearby mention of "Github" or "GitHub",
and update the word to the correct capitalization "GitHub" (ensure every
occurrence in this proposal line and surrounding notes uses "GitHub").

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3d10a2f6-50cc-42a2-9cbb-a414a8acbd92

📥 Commits

Reviewing files that changed from the base of the PR and between b5a1ff2 and e15f239.

📒 Files selected for processing (6)

CLAUDE.md
docs/contracts/chittybooks-chittyfinance.md
docs/contracts/mercury-multitenant.md
docs/proposals/api-v1-prefix-fix.md
docs/proposals/ch1tty-connector-revision.md
docs/proposals/chittyledger-naming-plan.md

✅ Files skipped from review due to trivial changes (1)

CLAUDE.md

Implements step 5 of the chittyledger naming-collision plan (PR #119). Documents ChittyFinance as the writer for the ChittyLedger-Finance projection over the substrate at ledger.chitty.cc. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Implements step 3 of the chittyledger naming-collision plan (chittyapps/chittyfinance#119). The nested chittyledger/ directory was working-tree noise from a prior submodule experiment — not an actual submodule (no .gitmodules entry, no .git inside, tracked as plain files). Deletes 104 stray files. No code references this path. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Implements step 3 of the chittyledger naming-collision plan (chittyapps/chittyfinance#119). The nested chittyfinance/ directory was working-tree noise from a prior experiment — not a submodule (no .gitmodules), not a nested git repo, tracked as plain files. The canonical ChittyFinance repo lives at CHITTYAPPS/chittyfinance. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…1 prefix fix proposal Three artifacts for /goal "ChittyFinance + ChittyBooks as finance/bookkeeping surface over ChittyLedger". All evidence-grounded — no invented schemas, no deploys. - docs/contracts/chittybooks-chittyfinance.md: engine/UI boundary, source-of-truth table, deploy decision (recommend retire chittybooks.chitty.cc, fold UI into ChittyFinance) with reconciled Charter/repo mismatch flagged - docs/contracts/mercury-multitenant.md: tenant_id + legal_person_chittyid binding rules, Wave mapping requirement, ChittyBooks reconciliation surface, explicit out-of-scope for direct Mercury calls - docs/proposals/api-v1-prefix-fix.md: finance.chitty.cc /api/v1/* 404 is a docs↔code mismatch (only /api/v1/documentation exists; data routes are /api/*). Verified ChittyCommand consumer already uses /api/* — Option 1 (fix docs) has zero downstream breakage.

- ch1tty-connector-revision.md: names the dead CHITTYBOOKS_URL endpoint in chittycommand's mercury-chittybooks plan + booksClient at integrations.ts:618, routes all bookkeeping reads/writes through real finance.chitty.cc paths - chittyledger-naming-plan.md: substrate (FOUNDATION/chittyledger) + projections (Finance, Evidence). Plan to rename CHITTYOS/chittyledger → -evidence-legacy, clean nested noise, add disambiguation banners.

…d schema gap, resolve api-v1 as non-issue - contracts/chittybooks-chittyfinance.md: DECISION (was Recommendation) with 6-row repo-file proof table — Python+cloudrun+no wrangler+no DNS+engine already in chittyfinance+tenant boundary at finance schema - contracts/mercury-multitenant.md: CRITICAL adversarial finding — legal_person_chittyid column absent from accounts schema; remediation paths A/B; tenant_id NOT NULL defense-in-depth verified OK - proposals/api-v1-prefix-fix.md: resolved as non-issue; /api/v1/{status, metrics,documentation} are real meta routes (server/routes/health.ts:21,38), resource routes correctly at /api/<resource>. Single CLAUDE.md sentence added. - CLAUDE.md: clarify route mount split (meta under /api/v1, resources under /api)

…deploy choice as operator gate

…s.chitty.cc)

…canonical)

github-actions · 2026-06-04T02:16:39Z

@coderabbitai review

Please evaluate:

Security implications
Credential exposure risk
Dependency supply chain concerns
Breaking API changes

coderabbitai · 2026-06-04T02:17:17Z

The review for PR #119 has been completed. Here is the full evaluation across the four requested areas:

Security Implications

Finding	Severity	Detail
`legal_person_chittyid` absent from `accounts` schema	Critical (documented)	Flagged as a blocker in `docs/contracts/mercury-multitenant.md`. Multi-tenant contract is partially enforced (`tenant_id` ✅, `legal_person` ❌). Neither schema migration nor interim metadata has landed yet. Reconciliation reports will silently omit the Legal Person dimension until resolved.
`mercury-proxy` is stateless re tenancy	Medium	`docs/contracts/mercury-multitenant.md` — tenancy enforcement is entirely on the ChittyFinance caller with no proxy-side backstop. A single pre-call check bug could allow cross-tenant Mercury writes. Recommend a follow-up hardening ticket to add a mandatory `tenant_id` header assertion at the proxy layer.
`booksClient` targeting NXDOMAIN `books.chitty.cc`	Low	Currently harmless (DNS → NXDOMAIN). Risk: if that domain is ever registered externally, live requests from `chittycommand` could reach an uncontrolled host. The lazy-disable PR is planned — it should be prioritized.
Internal infrastructure topology in docs	Informational	`mercury-proxy.chitty.cc`, CF tunnel paths, and internal service URLs are enumerated in plain text. Acceptable for a private org repo; ensure these docs are not published publicly.

Credential Exposure Risk

None found.

No hardcoded tokens, secrets, or passwords in any of the 5 new files.
No URLs with embedded credentials (user:pass@host — confirmed clean).
Docs reference only env var names (CHITTYBOOKS_URL, X-Mercury-Token, HMAC secret) — never values.
Explicit hygiene principle documented: "Credential rotation is owned by ChittyConnect concierge. ChittyBooks never sees a Mercury or Wave token." and "never chat-paste" — good practice.

Dependency Supply Chain Concerns

None. No package.json, lockfiles, or any dependency manifests were modified. This PR is purely documentation.

Breaking API Changes

None. No source code was changed. docs/proposals/api-v1-prefix-fix.md resolves a non-issue — the /api/v1/* (meta/operational) vs /api/* (resources) split is intentional, pre-existing, and consistent with the OpenAPI spec. The ch1tty-connector-revision.md recommends changes to CHITTYOS/chittycommand but explicitly defers them to a follow-up PR.

Merge Recommendation

Safe to merge from a security standpoint. Two follow-up actions are recommended before reconciliation reports go live:

Resolve the legal_person_chittyid deploy gate (already flagged as a BLOCKER in docs/contracts/mercury-multitenant.md) via schema migration or interim metadata.
Open a hardening ticket for proxy-side tenant_id assertion in mercury-proxy for defense-in-depth.

🧠 Learnings used

Learnt from: CR
Repo: chittyapps/chittyfinance PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-07T14:48:32.602Z
Learning: Keep PRs small and focused; include summary, rationale, and screenshots for UI changes; link related issues; document env/DB changes and run `npm run db:push` when schema updates

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

claude · 2026-06-04T02:18:00Z

Code Review — PR #119: docs/finance/books/ledger boundary contracts + proposals

Summary: Docs-only branch (267 additions, 1 deletion across 6 files). Surfaces real architectural findings from a /goal audit. No runtime risk. Comments below are mostly structural, with one issue that should block merge.

✅ What's working well

The Mercury multitenant doc correctly identifies and calls out the legal_person_chittyid schema gap as a CRITICAL/BLOCKER rather than papering over it. That kind of honest adversarial finding is exactly what docs like this should do.
The books.chitty.cc DNS-NXDOMAIN investigation is thorough and well-evidenced (proof table with exact file refs is a good pattern).
The api-v1-prefix resolution is clean — identifying a perceived 404 as intentional design with line references (server/routes/health.ts:21,38, server/app.ts:74-118) is exactly how a RCA doc should read.
Deploy gates are concrete and per-gate assignable. Good habit.

🔴 Should fix before merge

1. chittybooks-chittyfinance.md is filed under docs/contracts/ but its header says "Not canon yet — proposal for the pentad."

A document filed as a contract implying authoritative boundary that simultaneously disclaims its own canonicity is contradictory. Downstream readers (and tooling/agents) will treat docs/contracts/ as authoritative. Either:

Move to docs/proposals/chittybooks-chittyfinance.md until the pentad ratifies it, or
Remove the disclaimer and commit to it as canon now.

Leaving it in contracts/ with a "not canon yet" header is the worst of both options.

🟡 Should address (or explicitly defer)

2. The legal_person_chittyid BLOCKER has no tracking artifact.

mercury-multitenant.md correctly marks this as a BLOCKER:

legal_person_chittyid column is NOT present on accounts in database/system.schema.ts

But a docs-only PR means this finding lives exclusively in a markdown file. Schema changes in this repo require coordinated cutover (drizzle-kit push is destructive per CLAUDE.md). Without a GitHub issue or linked PR, this BLOCKER is likely to get lost after this PR merges. Recommend: open a tracking issue (or reference an existing one) before merging so the gate is durable.

3. CLAUDE.md routes line is now overlong for its context.

Before:

routes/        22 resource-per-file modules. OpenAPI at /api/v1/documentation

After:

routes/        22 resource-per-file modules. Resource routes are mounted at /api/<resource> (no /v1 prefix). Only operational/meta routes (status, metrics, documentation) live under /api/v1/. OpenAPI spec at /api/v1/documentation is authoritative.

CLAUDE.md is a terse at-a-glance reference. The three added sentences are correct but belong in the proposal doc (where they already live). The in-file comment table should stay one line. Suggestion: Resource routes at /api/<resource>; meta routes at /api/v1/. See docs/proposals/api-v1-prefix-fix.md.

4. ch1tty-connector-revision.md filename uses 1 (one) instead of i.

If this is intentional branding, it's fine — but it's inconsistent with every other file in this PR and could break glob patterns or future searches. Worth an explicit note confirming it's intentional, or rename to chitty-connector-revision.md.

🟢 Minor / optional

5. Cross-org deploy gates are mixed into this repo's gate list.

Several deploy gates in ch1tty-connector-revision.md and chittyledger-naming-plan.md require PRs or actions in CHITTYOS/chittycommand, CHITTYFOUNDATION/chittyledger, etc. Those can't be enforced from this repo's gate list. Consider marking them explicitly as "external — tracked in [other-repo]" so reviewers in this repo know which gates are local vs dependent on org-owner actions elsewhere.

6. chittybooks-chittyfinance.md table header "Path (verified mounted)" is ambiguous.

The paths are verified as mounted on ChittyFinance — not verified as working end-to-end from ChittyBooks (which isn't deployed). The header could be misread as "verified round-trip." A small clarification like "Path (verified mounted on ChittyFinance)" would prevent that ambiguity for future readers.

Summary


Runtime risk	None — docs only
Merge blocker	Contract/proposal directory mismatch (#1)
Pre-merge recommended	Open tracking issue for `legal_person_chittyid` schema gap (#2)
Nice to have	CLAUDE.md line length (#3), filename consistency (#4)

Good audit work overall. The schema gap finding alone justifies the PR.

🤖 Generated with Claude Code

coderabbitai · 2026-06-04T02:18:00Z

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Fixes Applied Successfully

Fixed 4 file(s) based on 1 unresolved review comment.

Files modified:

docs/contracts/chittybooks-chittyfinance.md
package.json
server/lib/password.ts
tsconfig.json

Commit: 9117ce6c9f0bf25c18665f78c9457b3cb7d6d0b6

The changes have been pushed to the goal/finance-books-ledger-substrate branch.

Time taken: 3m 20s

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fea07c19ea

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

chatgpt-codex-connector · 2026-06-04T02:22:04Z

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

github-actions · 2026-06-04T02:22:09Z

@coderabbitai review

Please evaluate:

Security implications
Credential exposure risk
Dependency supply chain concerns
Breaking API changes

Address review findings from coderabbitai and chatgpt-codex-connector: - chittybooks contract: fix legacy fork repo ref (chittyledger, not chittybooks); document hybrid auth (Bearer service token OR JWT session cookie); narrow /api/transactions filter claim to what the handler actually accepts (?limit); enumerate the real allocation routes (/rules /preview /execute /run); mark /api/reports/reconciliation and aggregator endpoints as proposed. - mercury contract: integration_account_links table does not exist yet — document as contract-only with interim metadata path; point native Mercury webhook at /api/webhooks/mercury/:tenantId (not the legacy shim); note legal_person_chittyid is resolved downstream, not in the webhook handler; mark ?source= filter and last-sync timestamps as proposed. - naming plan: add language tag to fenced block (MD040); use POST /api/entries for ledger writer paths (matches server/lib/ledger-client.ts). - ch1tty-connector revision: ledger write path is /api/entries, not /entries.

coderabbitai

Actionable comments posted: 1

🧹 Nitpick comments (2)

docs/contracts/mercury-multitenant.md (2)
31-34: 🏗️ Heavy lift

Consider adding tenant_id assertion at the mercury-proxy layer for defense-in-depth.

The current design relies entirely on the caller (ChittyFinance) to enforce tenancy before reaching the mercury-proxy. While this may be sufficient today, adding a proxy-side tenant_id assertion would provide defense-in-depth against caller bugs or future refactoring that inadvertently bypasses tenant checks.

The proxy is a critical write boundary to Mercury's API. A lightweight tenant_id validation at this layer would catch cross-tenant write attempts before they reach the external service.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/contracts/mercury-multitenant.md` around lines 31 - 34, Add a
lightweight tenant_id assertion inside the mercury-proxy
(CHITTYOS/mercury-proxy) request handling path: extract tenant_id from the
incoming request (e.g. body/params or resolved from X-Mercury-Token) and compare
it to the tenant_id implied by the caller’s authentication/lookup logic (the
same mapping used by ChittyFinance/HMAC webhook resolution). Implement this as a
small middleware or check in the proxy request handler that rejects requests
with mismatched or missing tenant_id with a 4xx error before proxying to
Mercury; reference the proxy entrypoint/handler that currently processes
incoming write requests and the code that reads X-Mercury-Token so the assertion
is inserted early and is defense-in-depth only.
68-68: ⚡ Quick win

Clarify the deploy gate to reflect both Path A and Path B options.

Line 67 correctly states that "column or metadata interim" must exist before reconciliation reports go live. However, line 68 only checks for "column present", which excludes the Path B interim metadata approach documented in line 59.

Consider rewording line 68 to align with line 67:

legal_person_chittyid column or interim metadata present on accounts (verify in database/system.schema.ts or server/lib/legal-person-binding.ts before reconciliation reports go live).

This ensures operators know that Path B (interim metadata) satisfies the deploy gate, not only Path A (schema migration).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/contracts/mercury-multitenant.md` at line 68, Update the deploy-gate
checklist item to allow either the schema column or the Path B interim metadata:
change the line referencing `legal_person_chittyid` on `accounts` to read
"`legal_person_chittyid` column or interim metadata present on `accounts`" and
add the verification locations `database/system.schema.ts` or
`server/lib/legal-person-binding.ts` so operators know to check either the
schema or the interim metadata implementation before reconciliation reports go
live.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/proposals/chittyledger-naming-plan.md`:
- Line 35: Step 5 in docs/proposals/chittyledger-naming-plan.md duplicates
content already present in CHITTYAPPS/chittyfinance/CHITTY.md (the existing
"ChittyLedger-Finance" section). Update Step 5 to either remove it entirely or
change the action verb from "Add" to "Verify" and add a brief note referencing
the existing "ChittyLedger-Finance" section in CHITTY.md (so the checklist
clearly instructs verification rather than addition).

---

Nitpick comments:
In `@docs/contracts/mercury-multitenant.md`:
- Around line 31-34: Add a lightweight tenant_id assertion inside the
mercury-proxy (CHITTYOS/mercury-proxy) request handling path: extract tenant_id
from the incoming request (e.g. body/params or resolved from X-Mercury-Token)
and compare it to the tenant_id implied by the caller’s authentication/lookup
logic (the same mapping used by ChittyFinance/HMAC webhook resolution).
Implement this as a small middleware or check in the proxy request handler that
rejects requests with mismatched or missing tenant_id with a 4xx error before
proxying to Mercury; reference the proxy entrypoint/handler that currently
processes incoming write requests and the code that reads X-Mercury-Token so the
assertion is inserted early and is defense-in-depth only.
- Line 68: Update the deploy-gate checklist item to allow either the schema
column or the Path B interim metadata: change the line referencing
`legal_person_chittyid` on `accounts` to read "`legal_person_chittyid` column or
interim metadata present on `accounts`" and add the verification locations
`database/system.schema.ts` or `server/lib/legal-person-binding.ts` so operators
know to check either the schema or the interim metadata implementation before
reconciliation reports go live.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5282ab86-4dd6-4450-a53d-854e28ff3edf

📥 Commits

Reviewing files that changed from the base of the PR and between e15f239 and fea07c1.

📒 Files selected for processing (6)

CLAUDE.md
docs/contracts/chittybooks-chittyfinance.md
docs/contracts/mercury-multitenant.md
docs/proposals/api-v1-prefix-fix.md
docs/proposals/ch1tty-connector-revision.md
docs/proposals/chittyledger-naming-plan.md

🚧 Files skipped from review as they are similar to previous changes (1)

CLAUDE.md

github-actions · 2026-06-04T02:22:30Z

@coderabbitai review

Please evaluate:

Security implications
Credential exposure risk
Dependency supply chain concerns
Breaking API changes

coderabbitai · 2026-06-04T02:22:52Z

@github-actions — here is the full evaluation for PR #119:

Security Implications

Finding	Severity	Detail
`legal_person_chittyid` absent from `accounts` schema	Critical (documented)	Flagged as a BLOCKER in `docs/contracts/mercury-multitenant.md`. Multi-tenant contract is partially enforced (`tenant_id` ✅, `legal_person` ❌). Neither schema migration (Path A) nor interim metadata (Path B) has landed. Reconciliation reports will silently omit the Legal Person dimension until resolved. `npm run db:push` will need to be run once the schema migration is chosen.
`mercury-proxy` stateless re tenancy	Medium	Tenancy enforcement is entirely on the ChittyFinance caller with no proxy-side backstop. A single pre-call check bug could allow cross-tenant Mercury writes. Recommend a follow-up hardening ticket to add a mandatory `tenant_id` header presence assertion at the proxy layer for defense-in-depth.
`booksClient` targeting NXDOMAIN `books.chitty.cc`	Low	Currently harmless (DNS → NXDOMAIN). Risk: if that domain is ever registered externally, live requests from `chittycommand` could reach an uncontrolled host. The lazy-disable PR is planned — it should be prioritized.
Internal infrastructure topology in docs	Informational	`mercury-proxy.chitty.cc`, CF tunnel paths, and internal service URLs enumerated in plain text. Acceptable for a private org repo; ensure these docs are never published publicly.

Credential Exposure Risk

None found.

No hardcoded tokens, secrets, or passwords in any of the 5 new files.
No URLs with embedded credentials (user:pass@host — confirmed clean).
Docs reference only env var names (CHITTYBOOKS_URL, X-Mercury-Token, HMAC secret) — never values.
Hygiene principle explicitly documented: "Credential rotation is owned by ChittyConnect concierge. ChittyBooks never sees a Mercury or Wave token." and "never chat-paste" — good practice.

Dependency Supply Chain Concerns

None. No package.json, lockfiles, or any dependency manifests were modified. This PR is purely documentation.

Note: The autofix commit (9117ce6) touched package.json and tsconfig.json — those changes should be reviewed separately to confirm no unintended dependency additions were introduced by the autofix.

Breaking API Changes

None. No source code was changed. docs/proposals/api-v1-prefix-fix.md resolves a non-issue — the /api/v1/* (meta/operational) vs /api/* (resources) split is intentional, pre-existing, and consistent with the OpenAPI spec. The ch1tty-connector-revision.md recommends changes to CHITTYOS/chittycommand but explicitly defers them to a follow-up PR.

Merge Recommendation

Safe to merge from a security standpoint. Two follow-up actions are recommended before reconciliation reports go live:

Resolve the legal_person_chittyid deploy gate (BLOCKER in docs/contracts/mercury-multitenant.md) via schema migration or interim metadata, then run npm run db:push.
Open a hardening ticket for proxy-side tenant_id assertion in mercury-proxy.
Verify the autofix package.json/tsconfig.json changes are benign before merge.

🧠 Learnings used

Learnt from: CR
Repo: chittyapps/chittyfinance PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-07T14:48:32.602Z
Learning: Keep PRs small and focused; include summary, rationale, and screenshots for UI changes; link related issues; document env/DB changes and run `npm run db:push` when schema updates

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai · 2026-06-04T02:23:08Z

@github-actions — here is the evaluation across all four requested areas for PR #119:

Security Implications

Finding	Severity	Detail
`legal_person_chittyid` absent from `accounts` schema	Critical (documented)	Flagged as a blocker in `docs/contracts/mercury-multitenant.md`. Multi-tenant contract is partially enforced (`tenant_id` ✅, `legal_person` ❌). Until resolved via schema migration or interim metadata, reconciliation reports will silently omit the Legal Person dimension.
`mercury-proxy` is stateless re tenancy	Medium	Tenancy enforcement sits entirely on the ChittyFinance caller; no proxy-side backstop. A single pre-call check bug could permit cross-tenant Mercury writes. Recommend a follow-up hardening ticket to add a mandatory `tenant_id` header assertion at the proxy layer.
`booksClient` targeting NXDOMAIN `books.chitty.cc`	Low	Currently harmless (DNS → NXDOMAIN). Risk materialises if the domain is ever registered externally — live requests from `chittycommand` could reach an uncontrolled host. The lazy-disable PR is planned; it should be prioritised.
Internal infrastructure topology in docs	Informational	`mercury-proxy.chitty.cc`, CF tunnel paths, and internal service URLs appear in plain text. Acceptable for a private org repo; ensure these docs are never published publicly.

Note: The autofix commit (9117ce6) touched package.json, server/lib/password.ts, and tsconfig.json in addition to docs/. These files are outside the original docs-only scope and should receive a focused code review before merge.

Credential Exposure Risk

None found in the 5 new markdown files.

No hardcoded tokens, secrets, or passwords.
No URLs with embedded credentials (user:pass@host — confirmed clean).
Only env var names referenced (CHITTYBOOKS_URL, X-Mercury-Token, HMAC secret) — never values.
Explicit hygiene principle documented: "Credential rotation is owned by ChittyConnect concierge. ChittyBooks never sees a Mercury or Wave token." — good practice.

Dependency Supply Chain Concerns

None from the documentation changes. The original PR contained no package.json or lockfile modifications. However, the autofix commit modified package.json — that delta should be verified to confirm no unintended dependency additions were introduced.

Breaking API Changes

None. No source code was changed by the PR author. docs/proposals/api-v1-prefix-fix.md confirms the /api/v1/* (meta/operational) vs /api/* (resources) split is intentional and pre-existing. docs/proposals/ch1tty-connector-revision.md defers all chittycommand changes to a follow-up PR.

Merge Recommendation

Safe to merge the documentation content. Two blockers to track before reconciliation reports go live:

Resolve the legal_person_chittyid deploy gate — schema migration or interim metadata required (already flagged as BLOCKER in mercury-multitenant.md).
Review the autofix commit — package.json, server/lib/password.ts, and tsconfig.json changes are outside the docs-only scope and warrant a separate pass.

🧠 Learnings used

Learnt from: CR
Repo: chittyapps/chittyfinance PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-07T14:48:32.602Z
Learning: Keep PRs small and focused; include summary, rationale, and screenshots for UI changes; link related issues; document env/DB changes and run `npm run db:push` when schema updates

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

claude · 2026-06-04T02:23:47Z

Code Review — PR #119: docs: finance/books/ledger boundary contracts + proposals

Overall: This is a well-researched, docs-only PR that accurately maps the current state of the ChittyFinance ecosystem and surfaces real gaps with receipts. Approachable in principle, with a few items to address before merge.

What the PR does

Adds 5 new documentation files and one CLAUDE.md line clarification:

chittybooks-chittyfinance.md — engine/UI boundary and deploy decision (retires the dead books.chitty.cc assumption)
mercury-multitenant.md — tenant + Legal Person isolation model, flags a critical schema gap
api-v1-prefix-fix.md — resolves the /api/v1/* 404 as intentional by design
ch1tty-connector-revision.md — names dead CHITTYBOOKS_URL endpoint and proposes guarding it
chittyledger-naming-plan.md — resolves CHITTYFOUNDATION vs CHITTYOS naming collision

Issues

Filename typo (docs/proposals/ch1tty-connector-revision.md)

The filename uses a 1 (digit) instead of i: ch1tty-connector-revision.md. All other docs and the entire codebase use chitty. This makes it harder to grep for and looks like a typo rather than an intentional variant. Rename to chitty-connector-revision.md before merge and update internal cross-references accordingly.

CRITICAL schema gap has no tracking issue

mercury-multitenant.md correctly flags:

legal_person_chittyid column is NOT present on accounts in database/system.schema.ts

This is marked CRITICAL with two remediation paths (schema migration vs. interim metadata). However, there is no linked GitHub issue to track it. A finding this significant that lives only in a docs file risks being forgotten, especially since drizzle-kit push is destructive here and will need coordinated cutover. Please open a follow-up issue (or link an existing one) before merging.

CLAUDE.md update breaks the established comment style

The updated line in CLAUDE.md:

routes/        22 resource-per-file modules. Resource routes are mounted at /api/<resource> (no /v1 prefix). Only operational/meta routes (status, metrics, documentation) live under /api/v1/. OpenAPI spec at /api/v1/documentation is authoritative.

The original file uses terse, right-aligned descriptions (e.g., Hono factory, CF Workers entry (prod)). This updated line is now ~4× longer than any other entry in the block and reads like prose rather than a quick reference. Suggest keeping it tight in CLAUDE.md and pointing to the proposal doc for the full explanation:

routes/        22 resource-per-file modules. Resource routes: /api/<resource>; meta: /api/v1/. OpenAPI at /api/v1/documentation.

Minor notes

Cross-repo line references (chittycommand/src/lib/integrations.ts:618, etc.) are not verifiable from this repo. They were presumably checked at time of authorship (2026-05-27), but line numbers drift. Consider using function/symbol names instead of raw line numbers in stable docs.
integration_account_links table referenced in mercury-multitenant.md as "does not yet exist" also warrants a tracking issue, separate from the legal_person_chittyid gap.
/api/transactions filter gap — the doc notes ?accountId= and ?since= work on /api/transactions/export but not on the main /api/transactions handler. Worth a separate issue since ChittyBooks will need per-source filtering.
The deploy gate checklists (- [ ]) are a good pattern and clearly scope what's operator-gated vs. auto-mergeable.

Summary


Docs accuracy	✅ Well-researched, receipts provided
CRITICAL gap flagged	✅ Yes — needs a tracking issue before merge
Filename	⚠️ `ch1tty-connector-revision.md` — rename to `chitty-`
`CLAUDE.md` style	⚠️ Line too long for the format — trim it
No code changes	✅ Confirmed docs-only

Suggest: fix the filename, trim the CLAUDE.md line, and open a GitHub issue for the legal_person_chittyid schema gap before merging.

🤖 Generated with Claude Code

- CLAUDE.md: OpenAPI spec is partial, not authoritative; app.ts mounts are source of truth until spec is completed. - chittybooks contract: clarify writer for projection tables is ChittyFinance via POST /api/entries (matches naming plan + CHITTY.md); ChittyTrace is an upstream feeder, not a second writer. - ch1tty-connector revision: Mercury reads route through ChittyConnect (the canonical bank-API path); direct api.mercury.com is fallback only. - naming plan: step 5 changed from "Add" to "Verify" since CHITTY.md:109-114 already has the ChittyLedger-Finance section.

github-actions · 2026-06-04T02:24:37Z

@coderabbitai review

Please evaluate:

Security implications
Credential exposure risk
Dependency supply chain concerns
Breaking API changes

coderabbitai · 2026-06-04T02:25:13Z

Tip

For best results, initiate chat on the files or code changes.

@github-actions — here is the evaluation across all four requested areas for PR #119:

Security Implications

Finding	Severity	Detail
`legal_person_chittyid` absent from `accounts` schema	Critical (documented)	Flagged as a BLOCKER in `docs/contracts/mercury-multitenant.md`. Multi-tenant contract is partially enforced (`tenant_id` ✅, `legal_person` ❌). Until resolved via schema migration or interim metadata, reconciliation reports will silently omit the Legal Person dimension. `npm run db:push` will need to be run once the chosen path lands.
`mercury-proxy` is stateless re tenancy	Medium	Tenancy enforcement sits entirely on the ChittyFinance caller; no proxy-side backstop. A single pre-call check bug could permit cross-tenant Mercury writes. Recommend a follow-up hardening ticket to add a mandatory `tenant_id` header presence assertion at the proxy layer for defense-in-depth.
`booksClient` targeting NXDOMAIN `books.chitty.cc`	Low	Currently harmless (DNS → NXDOMAIN). Risk materialises if the domain is ever registered externally — live requests from `chittycommand` could reach an uncontrolled host. The lazy-disable PR is planned; it should be prioritised.
Internal infrastructure topology in docs	Informational	`mercury-proxy.chitty.cc`, CF tunnel paths, and internal service URLs appear in plain text. Acceptable for a private org repo; ensure these docs are never published publicly.

Note: The autofix commit (9117ce6) touched package.json, server/lib/password.ts, and tsconfig.json — outside the original docs-only scope. These files warrant a focused code review before merge.

Credential Exposure Risk

None found in the 5 new markdown files.

No hardcoded tokens, secrets, or passwords.
No URLs with embedded credentials (user:pass@host — confirmed clean).
Only env var names referenced (CHITTYBOOKS_URL, X-Mercury-Token, HMAC secret) — never values.
Hygiene principle explicitly documented: "Credential rotation is owned by ChittyConnect concierge. ChittyBooks never sees a Mercury or Wave token." — good practice.

Dependency Supply Chain Concerns

None from the documentation changes. The original PR contained no package.json or lockfile modifications. However, the autofix commit modified package.json — that delta should be verified to confirm no unintended dependency additions were introduced.

Breaking API Changes

None. No source code was changed by the PR author. docs/proposals/api-v1-prefix-fix.md confirms the /api/v1/* (meta/operational) vs /api/* (resources) split is intentional and pre-existing. docs/proposals/ch1tty-connector-revision.md defers all chittycommand changes to a follow-up PR.

Merge Recommendation

Safe to merge the documentation content. Track these before reconciliation reports go live:

Resolve the legal_person_chittyid deploy gate — schema migration or interim metadata required (BLOCKER in mercury-multitenant.md).
Open a hardening ticket for proxy-side tenant_id assertion in mercury-proxy.
Review the autofix commit — package.json, server/lib/password.ts, and tsconfig.json are outside the docs-only scope and warrant a separate pass.

🧠 Learnings used

Learnt from: CR
Repo: chittyapps/chittyfinance PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-07T14:48:32.602Z
Learning: Keep PRs small and focused; include summary, rationale, and screenshots for UI changes; link related issues; document env/DB changes and run `npm run db:push` when schema updates

claude · 2026-06-04T02:26:36Z

Code Review — PR #119: docs: finance/books/ledger boundary contracts + proposals

Summary: Docs-only PR adding 5 contract/proposal docs and a minor CLAUDE.md clarification. No runtime changes. Low merge risk, high documentation value.

What this PR does well

Rigorous verification tables distinguish "verified today" from "proposed, not yet mounted" — this is exactly the right pattern for a fast-moving codebase where docs can easily outrun code.
Deploy gates per document make followup actions explicit and operator-gated rather than implicit.
Critical schema gap is correctly identified and confirmed. I verified: database/system.schema.ts:101-123 — accounts table has tenantId, externalId, and a metadata jsonb field, but no legal_person_chittyid column. The finding is accurate.
CLAUDE.md update is accurate. The two-family route split (meta under /api/v1, resources under /api) is correctly documented, and noting the spec is partial + pointing at server/app.ts as source of truth is the right call.

Issues

🔴 Internal contradiction between `api-v1-prefix-fix.md` and `CLAUDE.md`

docs/proposals/api-v1-prefix-fix.md (Documentation patch section) says:

The OpenAPI spec at /api/v1/documentation is authoritative.

But the CLAUDE.md patch in this same PR says:

OpenAPI spec at /api/v1/documentation is partial (covers a subset); treat server/app.ts route mounts as the source of truth until the spec is completed.

These directly contradict each other. The CLAUDE.md version is more accurate. The proposal doc's "is authoritative" claim should be corrected to match — e.g., "is the spec surface (partial — treat server/app.ts as source of truth)."

🟡 Schema gap: no recommended remediation path

mercury-multitenant.md presents two paths for the legal_person_chittyid gap (schema column vs. metadata jsonb interim) without recommending one. Given that drizzle-kit push is destructive with no migration history (per CLAUDE.md "Schema Changes"), and accounts.metadata jsonb already exists at line 112, Path B (interim metadata) is lower-risk to unblock reconciliation without a cutover. The doc should say so explicitly rather than leaving both paths equally weighted for the operator.

🟡 External repo line-number references will rot immediately

ch1tty-connector-revision.md references:

chittycommand/docs/plans/2026-02-23-mercury-chittybooks-plan.md:168 and :934
chittycommand/src/lib/integrations.ts:618

These line numbers are in external repos this PR cannot pin. Any commit to those repos will silently invalidate the references. Consider referencing by section heading or function name instead (e.g., "the booksClient(env) function in chittycommand/src/lib/integrations.ts" rather than :618).

🟡 Filename inconsistency: `ch1tty-connector-revision.md`

The filename uses a numeral 1 instead of l — making it ch1tty rather than chitty. If intentional as a slug, it should be noted in the file header. If a typo, the canonical name should be chitty-connector-revision.md. Either way, it breaks find/grep discoverability when searching for chitty-.

🟡 Verification claims dated 2026-05-27 (8 days ago)

All "verified" assertions carry the date 2026-05-27. At the pace of this repo (PR #113 landed, PR-2 referenced as "PR-ready"), some claims may already have drifted. The mercury-multitenant.md section on webhook paths is especially time-sensitive. Consider adding a note like "verification snapshot — re-verify before acting on any _(proposed)_ endpoint."

🟢 Minor: no tracking for the critical schema blocker

The legal_person_chittyid gap is called a BLOCKER in the deploy gates checklist, but there's no linked issue. Suggest opening a GH issue in this repo so the blocker has a trackable home independent of the PR thread.

Verdict

The docs are accurate, well-structured, and surface genuinely important gaps (especially the legal_person_chittyid schema gap and the dead booksClient). The contradiction between api-v1-prefix-fix.md and the CLAUDE.md patch is the one thing that should be fixed before merge — everything else is advisory.

Recommended action before merge:

Fix the "authoritative" vs "partial" contradiction in api-v1-prefix-fix.md.
Add a recommended path for the schema gap remediation (Path B, interim metadata, is lower risk).
(Optional) Rename ch1tty-connector-revision.md → chitty-connector-revision.md for consistency.

🤖 Generated with Claude Code

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e179c20693

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

chatgpt-codex-connector · 2026-06-04T02:30:08Z

+
+## API Surface ChittyBooks consumes
+
+All paths are under `https://finance.chitty.cc`. Auth (per `server/middleware/auth.ts` hybridAuth): either a service `Authorization: Bearer <CHITTY_AUTH_SERVICE_TOKEN>` header (with `X-Chitty-User-Id`) **or** a ChittyAuth-issued JWT delivered as the session cookie (`jwt:` prefix) — Bearer is service-to-service only; user/browser callers use the cookie path. Tenant scoping is resolved server-side from session/JWT claims (`c.var.tenantId`); path params are not trusted.


Document the tenant selector protected routes require

For protected resource routes, server/app.ts runs tenantMiddleware after hybridAuth, and tenantMiddleware returns 400 unless the request includes X-Tenant-ID or tenantId query; the JWT/session path only resolves userId, not c.var.tenantId. A ChittyBooks caller following this auth paragraph with only the service token + X-Chitty-User-Id or a session cookie will still fail every /api/accounts, /api/transactions, etc. request until it supplies the tenant selector the middleware actually requires.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-04T02:30:08Z

+| `/api/properties` | Property list |
+| `/api/accounts` | Account list + balances |
+| `/api/transactions` | Transaction feed for caller's tenant. Today the mounted handler accepts only `?limit=`; `?accountId=` and `?since=` are accepted on `/api/transactions/export`. Any source/date filter parity is a follow-up, not a current guarantee. |
+| `/api/allocations/rules`, `/api/allocations/preview`, `/api/allocations/execute`, `/api/allocations/run` | Allocation rule CRUD + dry-run + execution (per `server/accounting/allocations.ts`). There is no umbrella `/api/allocations` index route. |


Use the mounted allocations runs path

Fresh evidence after the prior thread: server/accounting/allocations.ts and CHARTER.md both expose the run-list/update surface as /api/allocations/runs, but this contract still advertises singular /api/allocations/run. ChittyBooks clients using the verified-mounted table will call a 404 for allocation run history/status operations.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-04T02:30:08Z

+
+| Source | Path | Tenant binding |
+|---|---|---|
+| Mercury read API | `https://api.mercury.com/api/v1` (direct, OAuth tokens scoped per tenant) | Token issued per `(tenant_id, legal_person_chittyid)` via ChittyConnect |


Keep Mercury reads behind ChittyConnect

This multitenant contract still names direct api.mercury.com reads, while the repo-level agent boundary says every Mercury Bank API call routes through ChittyConnect and server/routes/mercury.ts implements account reads via ${CHITTYCONNECT_API_BASE}/mercury/accounts. If implementers use this table for the Mercury read path, they bypass the static-egress/credential boundary and reintroduce direct Mercury token handling despite the connector doc being corrected elsewhere.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-04T02:30:08Z

+|---|---|---|
+| Mercury read | Via ChittyConnect (canonical path) — ChittyFinance's own Mercury account reader (`server/routes/mercury.ts`) goes through ChittyConnect, and `chittyagent-connect` is defined as the Mercury Bank proxy for every bank API call. ChittyCommand reads should follow the same path; direct `api.mercury.com` calls are reserved for narrow service-internal uses behind the ChittyConnect credential boundary. | ChittyConnect → Mercury (preferred); fall back to `mercuryClient(token)` in `chittycommand/src/lib/integrations.ts:551` only when ChittyConnect is unavailable. |
+| Mercury write | mercury-proxy on chittyserv-dev | `https://mercury-proxy.chitty.cc` (CF tunnel) — POST `/proxy` with `X-Mercury-Token` |
+| Mercury webhooks | ChittyFinance | `POST https://finance.chitty.cc/api/webhooks/mercury` (PR #113, per-business HMAC secrets) |


Include the tenant in native Mercury webhook URLs

Fresh evidence after the prior webhook-path thread: this follow-up plan still tells ChittyCommand to use the base /api/webhooks/mercury URL even though the native HMAC receiver is mounted at /api/webhooks/mercury/:tenantId and the base path is documented as the legacy ChittyConnect-normalized shim. Any implementation registering the base URL from this table will miss the per-tenant HMAC path and route native Mercury payloads to the wrong handler.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-04T02:30:08Z

+
+Add a single sentence to `CLAUDE.md` under "Where Things Live" → routes section:
+
+> Resource routes are mounted at `/api/<resource>` (no `/v1` prefix). Only operational/meta routes (`status`, `metrics`, `documentation`) live under `/api/v1/`. The OpenAPI spec at `/api/v1/documentation` is authoritative.


Stop calling the partial OpenAPI spec authoritative

Fresh evidence beyond the earlier CLAUDE.md finding: this proposal still instructs maintainers to add a sentence saying /api/v1/documentation is authoritative, but server/routes/docs.ts only lists a small subset of the mounted routes and the updated CLAUDE.md now correctly says to treat server/app.ts as the source of truth. Anyone following this proposal later can reintroduce the same bad guidance and cause consumers to omit supported APIs such as reports, imports, allocations, and classification.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-04T02:30:08Z

+
+| Repo | Description | Deploy | Role |
+|---|---|---|---|
+| `CHITTYFOUNDATION/chittyledger` | Worker at `ledger.chitty.cc`. Has CHARTER/CHITTY/CLAUDE pentad. Endpoints: `POST /entries`, `GET /custody/:entityId`, `GET /verify`. | ✅ `200 ok` at `ledger.chitty.cc/health` | **Canonical substrate.** |


Use the ledger API path consistently

Fresh evidence after the prior connector-path fix: this endpoint inventory still advertises substrate writes as POST /entries, while server/lib/ledger-client.ts posts to ${base}/api/entries and the same docs set now directs Finance/Command writes to /api/entries. If the naming-plan follow-up copies this inventory into the canonical ledger README or register metadata, new projection writers can target the path that Finance no longer exercises.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-04T02:30:09Z

+| Mercury write | mercury-proxy on chittyserv-dev | `https://mercury-proxy.chitty.cc` (CF tunnel) — POST `/proxy` with `X-Mercury-Token` |
+| Mercury webhooks | ChittyFinance | `POST https://finance.chitty.cc/api/webhooks/mercury` (PR #113, per-business HMAC secrets) |
+| Bookkeeping reads | ChittyFinance | `GET https://finance.chitty.cc/api/transactions` and `/api/reports/*` |
+| Bookkeeping writes | ChittyFinance | `POST https://finance.chitty.cc/api/transactions`, `/api/allocations`, `/api/classification` — **not** a separate `chittybooks` write API |


Point write callers at concrete Finance subpaths

This connector revision tells ChittyCommand to write to base /api/allocations and /api/classification, but the mounted write handlers are only on concrete subpaths such as /api/allocations/rules, /api/allocations/execute, and /api/classification/classify; there is no base POST handler for either prefix. A follow-up implementation using these URLs for bookkeeping mutations will get 404s instead of creating allocations or classifications.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-04T02:30:09Z

+
+- [ ] **BLOCKER**: `legal_person_chittyid` column or metadata interim must exist before reconciliation reports reference it. Until then, the column is contract-only.
+- [ ] `legal_person_chittyid` column present on `accounts` (verify in `database/system.schema.ts` before reconciliation reports go live).
+- [ ] Per-business Mercury webhook secret in place (already shipped — PR #113).


Require Mercury webhook secrets before going live

The native webhook handler skips HMAC verification entirely when webhook:mercury:secret:<tenantId> is missing, but this deploy gate marks the per-business secret as already shipped instead of making secret presence a blocker. In any tenant where the KV secret was not actually stored, operators following this checklist can expose a native Mercury endpoint that accepts unsigned payloads, so the gate should require verifying the secret exists before enabling the webhook.

Useful? React with 👍 / 👎.

Copilot AI review requested due to automatic review settings May 27, 2026 22:53

Copilot started reviewing on behalf of chitcommit May 27, 2026 22:53 View session

Copilot AI reviewed May 27, 2026

View reviewed changes

coderabbitai Bot reviewed May 27, 2026

View reviewed changes

Comment thread docs/contracts/chittybooks-chittyfinance.md Outdated

Comment thread docs/contracts/mercury-multitenant.md Outdated

Comment thread docs/proposals/chittyledger-naming-plan.md Outdated

chatgpt-codex-connector Bot reviewed May 27, 2026

View reviewed changes

chitcommit mentioned this pull request May 28, 2026

fix(deps): resolve @chittyos/schema lockfile drift #121

Merged

chitcommit force-pushed the goal/finance-books-ledger-substrate branch from b5a1ff2 to e15f239 Compare May 30, 2026 17:19

chitcommit enabled auto-merge (squash) May 30, 2026 17:19

chatgpt-codex-connector Bot reviewed May 30, 2026

View reviewed changes

coderabbitai Bot reviewed May 30, 2026

View reviewed changes

chitcommit mentioned this pull request May 30, 2026

docs(CHITTY.md): add ChittyLedger-Finance projection section #122

Merged

chitcommit mentioned this pull request May 30, 2026

chore: remove nested chittyledger working-tree noise chittyos/chittychronicle#42

Merged

chitcommit mentioned this pull request May 30, 2026

chore: remove nested chittyfinance working-tree noise chittyfoundation/chittyscore#2

Merged

chitcommit mentioned this pull request May 30, 2026

feat(mercury): legal_person_chittyid Path B interim binding + reconciliation flag #123

Merged

4 tasks

chitcommit added 6 commits June 4, 2026 02:16

docs(chittybooks-contract): retire fake-domain assumption only; keep …

4108560

…deploy choice as operator gate

docs: canonical ChittyBooks domain is books.chitty.cc (not chittybook…

f36905e

…s.chitty.cc)

docs(chittybooks-contract): dedupe domain reference (books.chitty.cc …

fea07c1

…canonical)

chitcommit force-pushed the goal/finance-books-ledger-substrate branch from e15f239 to fea07c1 Compare June 4, 2026 02:16

chatgpt-codex-connector Bot reviewed Jun 4, 2026

View reviewed changes

Comment thread CLAUDE.md Outdated

Comment thread docs/proposals/ch1tty-connector-revision.md Outdated

Comment thread docs/contracts/chittybooks-chittyfinance.md Outdated

chitcommit force-pushed the goal/finance-books-ledger-substrate branch from 9117ce6 to 4524ab1 Compare June 4, 2026 02:22

coderabbitai Bot reviewed Jun 4, 2026

View reviewed changes

Comment thread docs/proposals/chittyledger-naming-plan.md Outdated

chitcommit merged commit 2107a7b into main Jun 4, 2026
20 of 22 checks passed

chitcommit deleted the goal/finance-books-ledger-substrate branch June 4, 2026 02:26

chatgpt-codex-connector Bot reviewed Jun 4, 2026

View reviewed changes


		## API Surface ChittyBooks consumes

		All paths are under `https://finance.chitty.cc`. Auth (per `server/middleware/auth.ts` hybridAuth): either a service `Authorization: Bearer <CHITTY_AUTH_SERVICE_TOKEN>` header (with `X-Chitty-User-Id`) or a ChittyAuth-issued JWT delivered as the session cookie (`jwt:` prefix) — Bearer is service-to-service only; user/browser callers use the cookie path. Tenant scoping is resolved server-side from session/JWT claims (`c.var.tenantId`); path params are not trusted.


		Add a single sentence to `CLAUDE.md` under "Where Things Live" → routes section:

		> Resource routes are mounted at `/api/<resource>` (no `/v1` prefix). Only operational/meta routes (`status`, `metrics`, `documentation`) live under `/api/v1/`. The OpenAPI spec at `/api/v1/documentation` is authoritative.

Conversation

chitcommit commented May 27, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Validation

Followups (not in this PR)

Summary by CodeRabbit

Uh oh!

github-actions Bot commented May 27, 2026

Uh oh!

coderabbitai Bot commented May 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review limit reached

Walkthrough

Changes

Estimated code review effort

Possibly related PRs

Poem

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

claude Bot commented May 27, 2026

Code Review — PR #119: docs: finance/books/ledger boundary contracts + proposals

Overview

Findings

Bug / Correctness

Naming / Style

Tracking / Process

Minor

Summary

Uh oh!

coderabbitai Bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

github-actions Bot commented May 30, 2026

Uh oh!

coderabbitai Bot commented May 30, 2026

Security Implications

Credential Exposure Risk

Dependency Supply Chain Concerns

Breaking API Changes

Summary

Uh oh!

claude Bot commented May 30, 2026

Code Review — PR #119: docs: finance/books/ledger boundary contracts + proposals

Overview

What's Good

Issues

CRITICAL (Blocker)

MEDIUM

LOW / Nits

Security

Summary

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

chitcommit commented May 27, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented May 27, 2026 •

edited

Loading

coderabbitai Bot left a comment •

edited

Loading

coderabbitai Bot commented Jun 4, 2026 •

edited

Loading

coderabbitai Bot commented Jun 4, 2026 •

edited

Loading

coderabbitai Bot commented Jun 4, 2026 •

edited

Loading

coderabbitai Bot commented Jun 4, 2026 •

edited

Loading