feat: close all 8 out-of-scope items from earlier today #62
Merged
Closes every item flagged "out of scope" in earlier sprints today.
No 501-deferred stubs, no placeholders, no hardcoded thresholds.
1. UpdateProjectAction settings-payload support — single-source-of-truth
refactor; EditProjectForm now patches settings via the action instead
of a separate $project->update() call.
2. CI architecture test (LivewireAuthorizeCoverageTest) — scans every
Livewire component for write methods missing Gate::authorize. 108
pre-existing gaps allowlisted with `livewire-authorize-sweep-2 sprint`
reason; future regressions blocked by the test.
3. Profile/Notification cross-user audit — confirmed all 4 per-user forms
(UpdateProfileInformationForm, NotificationPreferencesForm,
NotificationBell, NotificationPreferencesPage) only write to
auth()->user(). New `update-self` gate (always true in community,
cloud-overridable) added to all 8 per-user write methods for explicit
defense-in-depth.
4. METR Time-Horizon Dashboard at /metrics/time-horizon — aggregates
AgentSession totals by status, P50/P99 durations, LLM cost, tool
failures, handoff count, sessions/day for last 28d. Pure read.
5. Per-agent capability ACLs — new agents.tool_deny_list JSONB column;
ResolveAgentToolsAction filters out denied tool IDs; new MCP tool
agent_tool_deny_set. Narrow scope (deny-list only, not full ACL
framework) — covers the actual operator use case.
6. Memory drift monitor — new memories.embedding_at_creation pgvector
column (guarded with pg_extension lookup); MemoryDriftDetector service
with configurable threshold (default 0.30 cosine); memory:check-drift
--notify daily command at 04:15; memory_drift_status MCP tool.
7. Browser harness chromium binding — chromium + chromium-chromedriver
added to docker/sandbox/Dockerfile. CHROME_BIN env var. Feature flag
browser.harness_enabled (default false) — handler returns "disabled"
error when off, real Process::run when on. Existing tests updated to
set the flag.
8. Reverse Workflow YAML git sync — POST /api/webhooks/github/workflow-yaml/{teamId}
handler with HMAC-SHA256 signature verification (per-team
git_webhook_secret column or global GITHUB_WORKFLOW_WEBHOOK_SECRET
fallback); fetches PR diff via GitHub API; dispatches
ImportWorkflowFromYamlJob for each workflows/*.yaml file in the diff.
Tests: 3084 pass, 6 pre-existing SocialLoginTest failures unchanged.
Pint clean. PHPStan clean (parent + base) — no baseline regenerated.
Migrations (3): tool_deny_list, embedding_at_creation, git_webhook_secret.
New MCP tools: agent_tool_deny_set, memory_drift_status.
New routes: /metrics/time-horizon, /api/webhooks/github/workflow-yaml/{teamId}.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
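Item 8's signature check and file filter, sketched as an added example that is not code from this PR. The function names, the sample secret and the single-level reading of `workflows/*.yaml` are assumptions; `X-Hub-Signature-256` with a `sha256=` prefix is the header GitHub sends for HMAC-SHA256 webhook signatures.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: per-team secret first, global fallback second, null if neither is set.
function resolveWebhookSecret(?string $teamSecret, ?string $globalSecret): ?string
{
    foreach ([$teamSecret, $globalSecret] as $secret) {
        if (is_string($secret) && $secret !== '') {
            return $secret;
        }
    }
    return null;
}

// Verify the X-Hub-Signature-256 header ("sha256=<hex>") against the raw, unparsed request body.
function verifyGithubSignature(string $rawBody, ?string $header, ?string $secret): bool
{
    if ($secret === null || $header === null) {
        return false; // fail closed: a missing secret must never mean "skip verification"
    }
    if (!str_starts_with($header, 'sha256=')) {
        return false;
    }
    $expected = 'sha256=' . hash_hmac('sha256', $rawBody, $secret);
    return hash_equals($expected, $header); // constant-time comparison
}

// Keep only files directly under workflows/ ending in .yaml (assumed meaning of workflows/*.yaml).
function workflowYamlPaths(array $changedPaths): array
{
    return array_values(array_filter(
        $changedPaths,
        fn (string $p): bool => preg_match('#\Aworkflows/[^/]+\.yaml\z#', $p) === 1
    ));
}

// Constructed sample input: body, secret and paths are made up for this example.
$body   = '{"action":"closed","number":1}';
$secret = resolveWebhookSecret(null, 'constructed-global-secret');
$header = 'sha256=' . hash_hmac('sha256', $body, $secret);

var_dump(verifyGithubSignature($body, $header, $secret));       // untampered body
var_dump(verifyGithubSignature($body . ' ', $header, $secret)); // body altered after signing
var_dump(verifyGithubSignature($body, $header, resolveWebhookSecret(null, ''))); // no secret configured
var_dump(workflowYamlPaths([
    'workflows/deploy.yaml', 'docs/a.yaml', 'workflows/../x.yaml', 'workflows/sub/b.yaml',
]));
```

The HMAC has to be computed over the exact bytes received, so the handler should read the raw body before any JSON decoding or re-encoding.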
Closes every item I marked out-of-scope in earlier 2026-05-04 sprints. Full implementation, no stubs.
8 items shipped:
Tests: 3084 pass, 6 pre-existing SocialLoginTest failures unchanged. Pint + PHPStan clean.
🤖 Generated with Claude Code