fix(service): RED-2 — honor the advertised local_only authority_boundary on read paths#6
Conversation
…RED-2)
Plainweave's read tools advertise `local_only: True` /
`live_peer_calls: False`, but the read-time enrich path
`_enrich_loomweave_trace` called the HTTP-capable
`LoomweaveAdapter.resolve_identity`, which routes to the live identity
endpoint whenever a Loomweave URL is configured (WEFT_LOOMWEAVE_URL or
.weft/loomweave/ephemeral.port). So `plainweave_trace_link_list`, the
requirement dossier, and verification status made a LIVE peer call while
advertising they do not — and the dossier's own note ("endpoint
configured but was not called") was false. Honesty-invariant violation.
Fix (option a — honor the boundary): route `_enrich_loomweave_trace`
through `resolve_identity_local`, which resolves from the local Loomweave
catalog only and never makes a live peer call. Local resolution already
supplies everything enrich needs (content_hash, drift, orphan detection),
as the existing read-time-drift/orphan tests prove by mutating the local
DB and reading back. The advertised boundary is now true, and the dossier
note is honest.
Write-time normalization (`_normalize_trace_refs`, reached only from the
mutating create/accept trace ops, which do not advertise local_only) is
deliberately left on the HTTP-capable resolver.
Regression tests (both fail on the unfixed code):
- tests/state/test_trace_links.py: with an endpoint configured, `trace_for`
enrich makes no live peer call (`_http_json` patched to raise).
- tests/test_mcp_read_surface.py: with an endpoint configured, the dossier
tool reports `live_peer_calls=False` and makes no live peer call.
Refs: weft-d5091cba12
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fc94e6d72f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| # true even when a Loomweave endpoint is configured (RED-2, | ||
| # weft-d5091cba12). Write-time normalization (``_normalize_trace_refs``) | ||
| # is a separate, non-local_only path and keeps live resolution. | ||
| current = self._loomweave_adapter().resolve_identity_local(lookup) |
There was a problem hiding this comment.
This helper is also used by _transition_trace() after accept_trace_link(): that path deliberately calls the HTTP-capable _normalize_trace_refs(), writes the live Loomweave snapshot, and then returns _trace_from_row(). When WEFT_LOOMWEAVE_URL is configured but the local Loomweave catalog is missing or behind the remote SEI data, this local-only re-resolution replaces the freshly accepted response with freshness="unknown"/identity_unsupported (or stale) even though the row was just accepted with a current live snapshot; the CLI/web accept response can therefore report a degraded trace immediately after a successful live-resolution mutation.
Useful? React with 👍 / 👎.
1 participant
Closes the RED-2 authority-boundary honesty-invariant violation (hub ticket
weft-d5091cba12): read tools advertiseauthority_boundary {local_only: true, live_peer_calls: false}, but the trace-enrich path called the HTTP-capableresolve_identity, making a live Loomweave call whenever an endpoint was configured — falsifying the advertised boundary (the code even self-contradicted with a "configured but was not called" note).Fix (option a — honor the boundary):
service.py:2488resolve_identity(lookup)→resolve_identity_local(lookup). The read-time enrich path needs only content_hash/drift/orphan, all available from the local sqlite catalog, so honoring breaks nothing — it just makes the advertisement true. The bar for the alternative (correct the advertisement) wasn't met.Correct nuance: the mutating
_normalize_trace_refspath (create/accept-trace) is deliberately LEFT on live resolution — it does not advertiselocal_only.Tests:
make cigreen (380 passed, 91.18% cov ≥ 90);wardline scanexit 0. Two anti-vacuous regression tests added (endpoint configured → no live call on the advertised-local read path + the dossier tool).Release mode: no cross-member contract change — aligns behavior to the EXISTING advertised contract. Ships solo.
🤖 Generated with Claude Code