Comparing changes
base repository: clyso/cbs
base: v2.0.0-rc1
head repository: clyso/cbs
compare: v2.0.0-rc2
- 19 commits
- 167 files changed
- 3 contributors
Commits on May 12, 2026
Commit 85d84d0
cbsd-rs/docs: capture serde-saphyr migration design and plan
Capture the rationale and execution plan for replacing serde_yml (a single-maintainer republish of the abandoned serde-yaml on top of libyml) with serde-saphyr — actively maintained, pure Rust, no FFI, with rustc-style snippet errors for parse failures. The v1 plan review (90/100, proceed with changes) is included; its read/parse formatting concern is folded into the plan as deliberately intentional.
Co-authored-by: Claude Opus 4.7 <[email protected]>
Signed-off-by: Joao Eduardo Luis <[email protected]>

Commit d8153f8
cbsd-rs: drop serde_yml fork for pure-Rust serde-saphyr
serde_yml is a single-maintainer republish of the abandoned serde-yaml on top of libyml (a fork of unsafe-libyaml), with the maintenance and supply-chain concerns that come with any forked parser. serde-saphyr is actively developed pure Rust with no FFI, and its from_str produces rustc-style snippet errors that are strictly better than serde_yml's for operators debugging malformed configs. The swap is verified behaviour-preserving against the authoritative config templates and components/ceph/cbs.component.yaml.
Co-authored-by: Claude Opus 4.7 <[email protected]>
Signed-off-by: Joao Eduardo Luis <[email protected]>

Commit 845af06
cbsd-rs/docs: add v1 and v2 implementation reviews for serde-saphyr
v1 reviewed the pre-amend implementation (b477f5e) and surfaced a single defect — a stale plan progress table — that was resolved by amending the implementation commit. v2 re-reviewed the post-amend tip (d608516) and approved unconditionally. Both are kept to anchor the audit trail for plan 018 alongside its design and plan documents.
Co-authored-by: Claude Opus 4.7 <[email protected]>
Signed-off-by: Joao Eduardo Luis <[email protected]>

Commits on May 13, 2026
Commit dc0f25d
cbsd-rs/docs: add OpenAPI integration design
Add design document, implementation plan, and design review for OpenAPI integration (seq 018). Covers utoipa + Scalar UI serving the spec at /api/docs with compile-time generation.
Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Signed-off-by: Tatjana Dehler <[email protected]>

Commit c6df7be
cbsd-rs/proto: add utoipa ToSchema derives
Derive ToSchema on all REST-facing proto types for OpenAPI spec generation (design 018). WebSocket-only types and WorkerToken are excluded — they are internal protocol types, not part of the documented REST API surface.
Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Signed-off-by: Tatjana Dehler <[email protected]>

Commit 7b26d1a
cbsd-rs/server: add utoipa ToSchema derives
Derive ToSchema on all server request/response types for OpenAPI spec generation (design 018). Adds explicit schema attributes for serde_json::Value fields so the spec documents them as structured objects rather than opaque strings.
Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Signed-off-by: Tatjana Dehler <[email protected]>

Commit b9ad8d0
cbsd-rs/server: add OpenAPI path annotations
Annotate all REST handlers with #[utoipa::path] and convert route modules to OpenApiRouter for automatic spec collection. This enables compile-time OpenAPI spec generation (design 018). Rate-limited auth routes stay on plain Router.
Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Signed-off-by: Tatjana Dehler <[email protected]>

Commit a167cbe
cbsd-rs/server: mount OpenAPI spec and docs UI
Add openapi.rs module with security schemes (bearer PASETO + session cookie), spec assembly, and Scalar UI. Serves browsable API docs at /api/docs and JSON spec at /api/docs/openapi.json for future TypeScript type stub generation (design 018).
Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Signed-off-by: Tatjana Dehler <[email protected]>

Commits on May 19, 2026
Commit 352e01a

Commit dc077ff
cbsd-rs/docs: format all existing docs with 'prettier'
Signed-off-by: Joao Eduardo Luis <[email protected]>

Commit 3d6b733
cbsd-rs/docs: add seq 019 security audit remediation and WCP docs
Seq 019 captures the worker control plane hardening (WCP v11) and security audit remediation (audit-rem v8) designs, the unified implementation plan v2 they share, and the iterative review trail that shaped them. These are the authoritative baseline for the 21-commit implementation that follows.
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
Signed-off-by: Joao Eduardo Luis <[email protected]>

Commit f48ae1a
cbsd-rs/server: clear assignment provenance on rollback to queued
Per WCP D4, a build returning to `queued` after a failed or abandoned dispatch must shed every assignment-provenance column so the requeued row cannot leak stale state from the abandoned attempt. The dedicated `rollback_dispatch_to_queued` operation owns the reset list; the three in-process callsites (ack timeout, transient reject, idle-reconnect / dead-worker requeue) move to a unified extracted helper. The reconnect Building handler now records the new connection on the active entry before the `dispatched -> started` transition runs, closing gap G10.
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
Signed-off-by: Joao Eduardo Luis <[email protected]>

Commit 6daa5bb
cbsd-rs: enforce build-scoped authorization on worker lifecycle messages
Per WCP D1/D2, every owned worker lifecycle message must be authorised against the active assignment for the reporting connection. The new `authorize_lifecycle_message` helper does the ownership check under the queue lock and replies with a non-fatal `UnauthorizedBuildAction` (and, for execution-evidence messages — `build_started`, `build_output` — a reporter-directed `BuildRevoke`) on mismatch. The new `ActiveAssignmentReceipt` enum tracks whether the worker has proved delivery; owned messages advance it from `AwaitingReceipt` to `ReceivedByWorker` and cancel the dispatch-ack timer. Closes audit F1 and F2.
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
Signed-off-by: Joao Eduardo Luis <[email protected]>

Commit 059e74f
cbsd-rs/server: gate worker reconnect/idle on DB-backed ownership
Per WCP D3 and audit F3, a reconnecting worker can no longer rewrite an active assignment's `connection_id` without first proving — via the persisted `builds.worker_id` — that it actually owns the build. The reconnect Building handler now runs the two-phase ownership check (snapshot under lock, DB query, decide) before swapping the connection. Idle reconciliation is scoped to the reporter's own persisted builds and uses the new `ActiveAssignmentReceipt` state to decide whether to roll back dispatched assignments whose previous connection is still live, closing gap G8.
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
Signed-off-by: Joao Eduardo Luis <[email protected]>

Commit be2df9e
cbsd-rs/server: reject empty components arrays at build submission
Per WCP D5, every ingress path that accepts a build descriptor (REST `submit_build`, periodic task create and update, scheduler trigger) now routes through a single `components::validator::validate_descriptor` helper that rejects empty `components` arrays and unknown component names. The scheduler trigger uses the validator defensively at fire time and classifies failures as `Fatal`, which disables the task with `last_error` set rather than retrying. Closes the empty-components gap (G4) called out in the original review.
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
Signed-off-by: Joao Eduardo Luis <[email protected]>

Commit f5a2328
cbsd-rs: bound log tail with reverse block scanning
The previous `logs/tail` endpoint read the entire build log into memory before slicing the last N lines, which scaled with total log size and was exploitable by workers emitting unbounded output. Per WCP D7, the new `logs::tail::read_tail` helper scans backwards from EOF within a fixed 4 MiB budget, drops partial leading/trailing lines, and respects UTF-8 code-point boundaries. The endpoint caps `n` at 1000 and returns a richer response shape (`returned`, `requested`, `truncated`, `bytes_scanned`, `max_tail_bytes`); the `total_lines` field is removed. `cbc logs tail` defaults to 50 lines and renders the new fields.
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
Signed-off-by: Joao Eduardo Luis <[email protected]>

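The bounded reverse scan described in commit f5a2328, sketched as an added example; this is not code from cbsd-rs. `tail_within_budget`, `Tail`, the `block` parameter and the meaning given to `truncated` are assumptions made for illustration, and the sample log is constructed.

```rust
use std::io::{self, Cursor, Read, Seek, SeekFrom};

pub const MAX_LINES: usize = 1000; // cap on `n` stated in the commit message
pub const MAX_TAIL_BYTES: u64 = 4 * 1024 * 1024; // 4 MiB budget stated there
// `truncated` (assumed meaning): the budget ran out before `n` lines were found.
#[derive(Debug)]
pub struct Tail { pub lines: Vec<String>, pub truncated: bool, pub bytes_scanned: u64 }

/// Hypothetical helper: last `n` complete lines, reading at most `budget` bytes.
pub fn tail_within_budget<R: Read + Seek>(
    src: &mut R, n: usize, budget: u64, block: u64,
) -> io::Result<Tail> {
    let n = n.min(MAX_LINES);
    let len = src.seek(SeekFrom::End(0))?;
    let floor = len.saturating_sub(budget); // never read below this offset
    let (mut pos, mut newlines, mut chunks) = (len, 0usize, Vec::new());
    // n complete lines are bracketed by n + 1 newlines; stop once they are seen.
    while pos > floor && newlines <= n {
        let size = block.max(1).min(pos - floor);
        pos -= size;
        src.seek(SeekFrom::Start(pos))?;
        let mut chunk = vec![0u8; size as usize];
        src.read_exact(&mut chunk)?;
        newlines += chunk.iter().filter(|&&b| b == b'\n').count();
        chunks.push(chunk);
    }
    let buf: Vec<u8> = chunks.into_iter().rev().flatten().collect();
    // Bytes after the last newline are a line still being written: drop them.
    let end = buf.iter().rposition(|&b| b == b'\n');
    // Short of offset 0, bytes before the first newline may be the tail of a longer
    // line, possibly cut inside a UTF-8 sequence: drop them too.
    let start = if pos == 0 { Some(0) } else {
        buf.iter().position(|&b| b == b'\n').map(|i| i + 1)
    };
    let lines: Vec<String> = match (start, end) {
        (Some(s), Some(e)) if s <= e => {
            let all: Vec<&[u8]> = buf[s..e].split(|&b| b == b'\n').collect();
            let keep = &all[all.len().saturating_sub(n)..];
            keep.iter().map(|l| String::from_utf8_lossy(l).into_owned()).collect()
        }
        _ => Vec::new(),
    };
    Ok(Tail { truncated: pos > 0 && lines.len() < n, lines, bytes_scanned: len - pos })
}

fn main() {
    let log = b"step 1\nstep 2\nstep 3\nstep 4 (unfini".to_vec(); // constructed sample
    println!("{:?}", tail_within_budget(&mut Cursor::new(log), 2, MAX_TAIL_BYTES, 8));
}
```

Memory use is bounded by `budget` plus one block regardless of file size, so a log consisting of one enormous line yields an empty, truncated result instead of a large allocation.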
Commit bfc1b2d
cbsd-rs/worker: own active build state in a process-level supervisor
A websocket reconnect must not lose a running build. Move active-build state (executor handle, component dir, phase, pending terminal result, bounded local output spool) into a process-level supervisor that outlives any single websocket connection, and turn the connection handler into a thin transport client. The supervisor derives reconnect status truthfully — `Building` when any non-terminal local state exists, `Idle` only when nothing is pending — and a disconnect no longer kills the subprocess. Closes gap G6 ("Worker-Side Active Build State") of the WCP soundness review.
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
Signed-off-by: Joao Eduardo Luis <[email protected]>

Commit 0f61319
cbsd-rs/docs: add Phase 1 implementation reviews and Phase 2 carry-over
Captures the v1-v4 adversarial reviews of Phase 1 (WCP security audit remediation) and lifts the v4 review's deferred finding NB1 into the Phase 2 plan so it survives rebases. NB1 (no end-to-end test for `try_dispatch` send-failure) was explicitly deferred by user decision after a scope-budget check; all other findings are closed by fixups landed in this branch.
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
Signed-off-by: Joao Eduardo Luis <[email protected]>

Commit f813783
cbsd/auth: tolerate missing google id_token claims
Some google accounts issue id_tokens without a 'picture' claim or without a usable 'name' claim, which made GoogleOAuthUserInfo validation fail and locked those users out with an opaque 401. Make 'picture' optional, fall back to 'email' when 'name' is missing, and stop suppressing the underlying ValidationError so future shape mismatches are diagnosable from the route log.
Co-authored-by: Claude Opus 4.7 <[email protected]>
Signed-off-by: Joao Eduardo Luis <[email protected]>

You can try running this command locally to see the comparison on your machine:
git diff v2.0.0-rc1...v2.0.0-rc2