Phase 6 — Four implementation plans for unplanned v2 features, each with codex adversarial review #76

Merged
dohertj2 merged 1 commits from phase-6-plans-drafts into v2 2026-04-19 03:17:17 -04:00

Summary

After drivers paused, audited plan.md + driver-stability.md + acl-design.md + admin-ui.md for features documented-but-unshipped. Four coherent tracks had no implementation plan at all. This PR drafts them + runs each through a Codex adversarial review + bakes the findings into each plan.

Plans drafted

  • docs/v2/implementation/phase-6-1-resilience-and-observability.md — Polly pipelines, Tier A/B/C runtime enforcement, health endpoints, structured logging + correlation IDs, LiteDB fallback
  • docs/v2/implementation/phase-6-2-authorization-runtime.md — ACL permission-trie evaluator on Read/Write/Subscribe paths, LdapGroupRoleMapping, per-session cache
  • docs/v2/implementation/phase-6-3-redundancy-runtime.md — Dynamic ServiceLevel, ServerUriArray, mid-apply dip, operator-driven role transition
  • docs/v2/implementation/phase-6-4-admin-ui-completion.md — UNS drag-reorder + impact preview, CSV import, 5-identifier search, draft-diff enhancements, OPC 40010 Identification exposure

Each plan follows the existing phase-*.md template (Entry Gate, Streams A-E, Compliance Checks, Risks, Completion Checklist).

Adversarial review

Codex ran read-only-sandbox reviews against each plan with explicit focus on decision-log conflicts, unbounded blast radius, under-specified state transitions, wrong primitives, and testing holes.

Real issues surfaced (each has an adjustment in the plan):

  • 6.1 — Auto-retry conflicting with decisions #44-45 no-auto-write-retry; per-instance pipeline breaking #35 per-device isolation; Tier A/B recycle breaching #73-74 Tier-C-only; watchdog formula ignoring #70
  • 6.2 — LdapGroupRoleMapping conflated with data-plane ACLs; Browse enforcement missing entirely; HistoryRead using wrong permission flag; subscription re-auth policy unresolved
  • 6.3 — ServiceLevel=0 colliding with OPC UA Part 5 Maintenance; ServerUriArray missing self; Kepware/Aveva cutover unverified hearsay; apply-window race on cancellation
  • 6.4 — Stale UNS impact preview overwriting concurrent drafts; identifier contract drifting from canonical decision #117 set; CSV atomicity contradictory; OPC 40010 fields not matching decision #139

Each finding documented in the plan's Adversarial Review section with severity / verdict / adjustment so the next session executes against the corrected plan rather than the original draft.

Validation

  • Pure documentation — no code
  • Codex thread IDs cited in each plan for reproducibility
  • Plans remain DRAFT status; each becomes its own implementation phase with Entry/Exit gates when prioritized

Test plan

  • Each plan has all required sections per the phase-*.md template
  • Every finding has an explicit verdict (ACCEPT / REJECT) + concrete adjustment
  • Cross-references to plan.md decisions use decision numbers
dohertj2 added 1 commit 2026-04-19 03:17:13 -04:00
Phase 6 — Draft 4 implementation plans covering v2 unimplemented features + adversarial review + adjustments.

After drivers were paused per user direction, audited the v2 plan for features documented-but-unshipped and identified four coherent tracks that had no implementation plan at all. Each plan follows the docs/v2/implementation/phase-*.md template (DRAFT status, branch name, Stream A-E task breakdown, Compliance Checks, Risks, Completion Checklist).

docs/v2/implementation/phase-6-1-resilience-and-observability.md (243 lines) covers Polly resilience pipelines wired to every capability interface, Tier A/B/C runtime enforcement (memory watchdog generalized beyond Galaxy, scheduled recycle per decision #67, wedge detection), health endpoints on :4841, structured Serilog with correlation IDs, LiteDB local-cache fallback per decision #36.

phase-6-2-authorization-runtime.md (145 lines) wires ACL enforcement on every OPC UA Read/Write/Subscribe/Call path + LDAP-group-to-admin-role grants per decisions #105 and #129 -- runtime permission-trie evaluator over the 6-level Cluster/Namespace/UnsArea/UnsLine/Equipment/Tag hierarchy, per-session cache invalidated on generation-apply + LDAP-cache expiry.

phase-6-3-redundancy-runtime.md (165 lines) lands the non-transparent warm/hot redundancy runtime per decisions #79-85: dynamic ServiceLevel node, ServerUriArray peer broadcast, mid-apply dip via sp_PublishGeneration hook, operator-driven role transition (no auto-election -- plan remains explicit about what's out of scope).

phase-6-4-admin-ui-completion.md (178 lines) closes Phase 1 Stream E completion-checklist items that never landed: UNS drag-reorder + impact preview, Equipment CSV import, 5-identifier search, draft-diff viewer enhancements, OPC 40010 _base Identification field exposure per decisions #138-139.

Each plan then got a Codex adversarial-review pass (codex mcp tool, read-only sandbox, synchronous). Reviews explicitly targeted decision-log conflicts, API-shape assumptions, unbounded blast radius, under-specified state transitions, and testing holes. Appended 'Adversarial Review — 2026-04-19' section to each plan with numbered findings (severity / finding / why-it-matters / adjustment accepted).

Review surfaced real substantive issues that the initial drafts glossed over: Phase 6.1 auto-retry conflicting with decisions #44-45 no-auto-write-retry rule; Phase 6.1 per-driver-instance pipeline breaking decision #35's per-device isolation; Phase 6.1 recycle/watchdog at Tier A/B breaching decisions #73-74 Tier-C-only constraint; Phase 6.2 conflating control-plane LdapGroupRoleMapping with data-plane ACL grants; Phase 6.2 missing Browse enforcement entirely; Phase 6.2 subscription re-authorization policy unresolved between create-time-only and per-publish; Phase 6.3 ServiceLevel=0 colliding with OPC UA Part 5 Maintenance semantics; Phase 6.3 ServerUriArray excluding self (spec-bug); Phase 6.3 apply-window counter race on cancellation; Phase 6.3 client cutover for Kepware/Aveva OI Gateway is unverified hearsay; Phase 6.4 stale UNS impact preview overwriting concurrent draft edits; Phase 6.4 identifier contract drifting from admin-ui.md canonical set (ZTag/MachineCode/SAPID/EquipmentId/EquipmentUuid, not ZTag/SAPID/UniqueId/Alias1/Alias2); Phase 6.4 CSV import atomicity internally contradictory (single txn vs chunked inserts); Phase 6.4 OPC 40010 field list not matching decision #139.

Every finding has an adjustment in the plan doc -- plans are meant to be executable from the next session with the critique already baked in rather than a clean draft that would run into the same issues at implementation time. Codex thread IDs cited in each plan's review section for reproducibility.

Pure documentation PR -- no code changes. Plans are DRAFT status; each becomes its own implementation phase with its own entry-gate + exit-gate when business prioritizes.

4695a5c88e
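The phase 6.2 design above (permission-trie evaluator over the six-level path, one enforcement point per OPC UA service, per-session cache invalidated on generation-apply) as an added sketch, not code from this PR or the lmxopcua project (which is .NET; Python is used here only so the sketch runs stand-alone). The deny-by-default, deepest-grant-wins semantic, the service-to-flag mapping and the generation-keyed invalidation are assumptions; the explicit HistoryRead flag and the fail-closed handling of unmapped services reflect the two 6.2 findings.

```python
import functools, operator
from enum import Flag, auto

class Perm(Flag):
    NONE = 0; BROWSE = auto(); READ = auto(); WRITE = auto()
    SUBSCRIBE = auto(); CALL = auto(); HISTORY_READ = auto()

# One flag per OPC UA service path (assumed mapping). Unlisted services raise rather
# than fall through, so a forgotten path (the "Browse missing" finding) fails closed.
SERVICE_FLAG = {"Browse": Perm.BROWSE, "Read": Perm.READ, "Write": Perm.WRITE,
                "CreateMonitoredItems": Perm.SUBSCRIBE, "Call": Perm.CALL,
                "HistoryRead": Perm.HISTORY_READ}  # its own flag, not READ

class PermissionTrie:
    """Grants sit on a Cluster/Namespace/UnsArea/UnsLine/Equipment/Tag prefix."""
    def __init__(self):
        self._root = {}
    def grant(self, role, path, perms):
        node = self._root
        for seg in path:
            node = node.setdefault(seg, {})
        node.setdefault("", {})[role] = perms  # "" key holds this node's grants

    def effective(self, roles, path):
        # Walk the path; the deepest node holding a grant for any session role wins.
        node, result = self._root, Perm.NONE
        for depth in range(len(path) + 1):
            here = [p for r, p in node.get("", {}).items() if r in roles]
            if here:  # a deeper grant replaces the shallower one outright
                result = functools.reduce(operator.or_, here)
            if depth == len(path) or path[depth] not in node:
                break
            node = node[path[depth]]
        return result

class SessionAuthorizer:
    """Per-session decision cache, dropped whenever a new generation is applied."""
    def __init__(self, trie, roles, generation):
        self.trie, self.roles, self.generation = trie, frozenset(roles), generation
        self._cache = {}
    def on_generation_applied(self, generation):
        if generation != self.generation:
            self.generation, self._cache = generation, {}  # assumed policy

    def check(self, service, path):
        if service not in SERVICE_FLAG:
            raise PermissionError(f"unmapped OPC UA service: {service}")
        if path not in self._cache:
            self._cache[path] = self.trie.effective(self.roles, path)
        return bool(self._cache[path] & SERVICE_FLAG[service])
```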
dohertj2 merged commit 81a1f7f0f6 into v2 2026-04-19 03:17:17 -04:00
Reference: dohertj2/lmxopcua#76