feat: Milestone 4 - Voting & Final Publish Flow

.githooks/commit-msg

@@ -1,6 +1,14 @@
 #!/usr/bin/env bash
 msg_file="$1"
 pattern='^(revert: )?(feat|fix|docs|style|refactor|perf|test|build|ci|chore|ops|sec)(\(.+\))?: .+'
+merge_pattern='^Merge (branch|pull request|remote-tracking branch)'
+
+# Allow merge commits (auto-generated messages like "Merge branch ...")
+# by checking the message content rather than repository state.
+if grep -Eq "$merge_pattern" "$msg_file"; then
+  exit 0
+fi
+
 if ! grep -Eq "$pattern" "$msg_file"; then
   echo "✖ Commit message must follow Conventional Commits" >&2
   exit 1

.github/workflows/ci.yml

@@ -42,9 +42,28 @@ jobs:
         run: |
           npm ci --prefix web || (echo "web npm ci failed; retrying clean install" && rm -rf web/node_modules web/package-lock.json && npm --prefix web install)
 
+      - name: Detect path changes
+        id: changes
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            web:
+              - 'web/**'
+              - 'public/**'
+              - 'eslint.config.js'
+              - 'web/package.json'
+              - 'web/package-lock.json'
+
       - name: Lint
         run: npm run lint
 
+      - name: Build Web (Next.js)
+        if: github.event_name == 'push' || steps.changes.outputs.web == 'true'
+        env:
+          NODE_ENV: production
+          NEXT_TELEMETRY_DISABLED: '1'
+        run: npm --prefix web run build
+
       - name: DB setup
         env:
           PGURL: postgresql://postgres:test@localhost:54329/db8_test

.github/workflows/db-tests.yml

@@ -0,0 +1,69 @@
+name: db-tests
+on:
+  # Manual trigger remains available
+  workflow_dispatch:
+  # Run weekly for drift detection
+  schedule:
+    - cron: '0 6 * * 1'  # weekly Monday 06:00 UTC
+  # Run automatically on PRs when DB‑related files change
+  pull_request:
+    paths:
+      - 'db/**'
+      - 'server/rpc.js'
+      - 'server/journal.js'
+      - 'server/watcher.js'
+      - 'server/schemas.js'
+      - 'bin/db8.js'
+      - 'server/test/**'
+    types: [opened, synchronize, reopened]
+jobs:
+  db-integration:
+    # Avoid duplicate concurrent runs for the same PR/branch
+    concurrency:
+      group: db-tests-${{ github.event.pull_request.number || github.ref }}
+      cancel-in-progress: true
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres:16
+        ports: ['5432:5432']
+        env:
+          POSTGRES_PASSWORD: test
+          POSTGRES_USER: postgres
+          POSTGRES_DB: postgres
+        # NOTE: Do not include shell line-continuation backslashes here; the
+        # options string is passed directly to `docker create`.
+        options: >-
+          --health-cmd="pg_isready -U postgres"
+          --health-interval=10s
+          --health-timeout=5s
+          --health-retries=5
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - run: npm ci
+      - name: Install web dependencies
+        run: npm ci --prefix web
+      - name: Create test database
+        env:
+          PGPASSWORD: test
+        run: |
+          until pg_isready -h localhost -p 5432 -U postgres; do sleep 2; done
+          psql -h localhost -U postgres -c 'CREATE DATABASE db8_test;'
+      - name: Prepare schema/RPC/RLS
+        env:
+          DATABASE_URL: postgresql://postgres:test@localhost:5432/db8_test
+          DB8_TEST_OUTPUT: quiet
+        run: node scripts/prepare-db.js
+      - name: Run lint (server/db only)
+        run: |
+          # Limit lint to non-web paths for this DB-focused job to avoid resolver noise
+          npx eslint server bin scripts eslint.config.js vitest.config.js
+      - name: Run DB-gated tests (glob)
+        env:
+          DB8_TEST_PG: '1'
+          DB8_TEST_DATABASE_URL: postgresql://postgres:test@localhost:5432/db8_test
+        run: |
+          npx vitest run "server/test/**/*.db.*.js" server/test/journal.byidx.test.js --reporter verbose

.markdownlintignore

@@ -6,3 +6,4 @@ web/.next/
 
 # generated assets or external
 public/
+docs/debates/

AGENTS.md

@@ -1,5 +1,5 @@
 ---
-lastUpdated: 2025-10-06
+lastUpdated: 2025-10-08
 ---
 
 # AGENTS.md
@@ -147,6 +147,66 @@ Working style
   the worker.
 - Deterministic behavior: prefer stable hashing, canonical JSON, advisory locks.
 
+Neo4j Shared Memory (Context & Notes)
+
+When to use (simple rules)
+
+- At session start: query memory for James’s profile/interests and active topics.
+- On topic switch: append a short “insight” with what changed and why.
+- After major events: PRs opened/merged, CI status changes, architectural decisions.
+- Before answering complex or longitudinal questions: skim recent links around “James” to maintain continuity.
+
+How to use (quick commands)
+
+- Connection (local dev):
+  - Host: <http://localhost:7474>
+  - User/Pass: neo4j / password123 (override via env if available)
+  - DB: neo4j (default)
+
+- Read (curl examples):
+
+```bash
+# Interests
+curl -s -u neo4j:password123 -H 'Content-Type: application/json' \
+ -X POST http://localhost:7474/db/neo4j/query/v2 \
+ -d '{"statement":"MATCH (j:User {name: \"James\"})-[:INTERESTED_IN]->(i) RETURN i.name,i.category"}'
+
+# Active topics
+curl -s -u neo4j:password123 -H 'Content-Type: application/json' \
+ -X POST http://localhost:7474/db/neo4j/query/v2 \
+ -d '{"statement":"MATCH (t:Topic {status: \"active\"}) RETURN t.name,t.description"}'
+
+# Local context around James
+curl -s -u neo4j:password123 -H 'Content-Type: application/json' \
+ -X POST http://localhost:7474/db/neo4j/query/v2 \
+ -d '{"statement":"MATCH (n)-[r]-(m) WHERE n.name=\"James\" OR m.name=\"James\" RETURN n.name,type(r),m.name LIMIT 10"}'
+```
+
+- Write (append an insight):
+
+```bash
+INSIGHT='Short insight about the session (what changed / decisions / PR links)'
+curl -s -u neo4j:password123 -H 'Content-Type: application/json' \
+ -X POST http://localhost:7474/db/neo4j/query/v2 \
+ -d "{\"statement\": \"MATCH (j:User {name: \\\"James\\\"}) CREATE (x:Insight {content: \\\"${INSIGHT//\"/\\\\\"}\\\", added_by: \\\"Codex\\\", confidence: 0.9, timestamp: datetime()}) CREATE (j)-[:HAS_INSIGHT]->(x) RETURN x\"}"
+```
+
+- Tip: JSONL flow (bulk): write one JSON object per line to /tmp and POST; or prefer the agent-collab CLI in `/Users/james/git/agent-collab/` for cleaner UX.
+
+Private session notes (~/Codex)
+
+- Also keep a parallel Markdown note per session/day:
+  - Path: `~/Codex/YYYY-MM-DD-<topic>.md`
+  - Frontmatter: `lastUpdated: YYYY-MM-DD` (ISO date only)
+  - Include: summary, links (Issues/PRs), CI status, Mermaid diagrams for flows, and “Next”.
+
+Style & guardrails
+
+- Keep insights short and factual; no sensitive tokens.
+- Prefer links to Issues/PRs/Commits for traceability.
+- Use Mermaid/SVG in ~/Codex notes for visual learners.
+- This memory is additive: never delete; append new context as it evolves.
+
 Guardrails (enforced by repo config)
 
 - Node 20+. See .nvmrc.
@@ -960,3 +1020,56 @@ On each change: bump docs `lastUpdated`, update Agent Log, and sync the Project
 - [M6: Research Tools](https://github.com/flyingrobots/db8/milestone/7)
 - [M7: Hardening & Ops](https://github.com/flyingrobots/db8/milestone/8)
 - [M2: Provenance](https://github.com/flyingrobots/db8/milestone/16)
+
+---
+
+### Event — 2025-10-07 | M2 closed, README roadmap, DB tests workflow
+
+#### Summary
+
+- Closed both M2 milestones and verified acceptance with green tests. Added CLI journal verify tests, corrected error labels, cleaned temp ignores, and hardened SSH parsing. Rewrote README with a weighted milestone progress bar and added milestone focus descriptions. Introduced a manual/weekly GitHub Actions workflow to run DB‑gated integration suites; ensured lint runs before tests.
+
+#### References
+
+- Issues: closed/moved — #67, #68, #70, #30, #117, #121, #9, #10 (closed); #11, #12, #29, #7 (→ M3); #31, #15 (→ M6); #32, #13, #14 (→ M7)
+- PRs: #144 (CLI SSH verify + docs), #145/#146/#142 (deps alignment), #148 (db‑tests workflow + README milestone focus)
+- Files: `server/test/cli.journal.verify.test.js`, `docs/Provenance.md`, `.gitignore`, `server/rpc.js`, `.github/workflows/db-tests.yml`, `README.md`
+
+#### Key Decisions
+
+- M2 is done; provenance/journals shipped with tests and docs.
+- Keep DB‑gated suites behind a dedicated workflow (manual + weekly); lint must run first in that job.
+- README carries a simple, weighted progress bar plus a concise “Milestone Focus” section.
+- No force‑push; resolve forward with additive commits.
+
+#### Action Items
+
+- Monitor the new db‑tests workflow; stabilize if any flakes appear.
+- Kick off M3 (Verification): open issues, define schema/RPCs, add tests and endpoints (see next plan).
+- Keep board hygiene: set new M3 issues to Status=Todo/Workflow=Todo and link them to the project.
+
+#### Notes
+
+- Added `/.tmp*` to `.gitignore` and removed tracked temp files.
+- Corrected docs to use `unsupported_signature_kind`; pinned JCS in SSH tests.
+
+#### Next Moves (Plan — M3 Verification)
+
+- Schema/RPC (DB)
+  - `verification_verdicts` (id, round_id, submission_id/claim_id, verdict enum, rationale, reporter_id, created_at) + indexes + RLS; secure read views.
+  - RPCs: `verify_submit(...)`, `verify_aggregate(...)` with idempotency + bounds.
+  - pgTAP invariants for tables/uniques/RLS and RPC contracts.
+- Server/CLI/UI
+  - Server endpoints: `POST /rpc/verify.submit`, `GET /verify/summary`.
+  - CLI: `db8 verify submit` and `db8 verify summary`.
+  - Web: minimal verification view on the room page.
+- Tests/CI
+  - Unit tests for endpoints/CLI; DB‑gated integration for RPCs end‑to‑end; keep lint first in all jobs.
+- Docs/Board
+  - `docs/Verification.md` guide; README link; track under milestone “M3: Verification”.
+    {"date":"2025-10-08","time":"19:14","summary":"Shipped M3 Verification: added verification verdicts across DB/Server/CLI/Web, made pgTAP + Docker DB suite green, and opened a draft PR.","topics":[{"topic":"Verification DB & RLS","what":"Added verification_verdicts table, RLS policies, and views","why":"M3 requires recording per-claim/per-submission verdicts","context":"Existing M1/M2 schema with submissions/votes and RLS groundwork","issue":"Design idempotency and enforce role/membership for reporters","resolution":"Unique on (round,reporter,submission,claim); verify_submit enforces judge/host and round phase","future_work":"Consider richer claim structure and cross-round carryover","time_percent":25},{"topic":"Server & CLI endpoints","what":"POST /rpc/verify.submit, GET /verify/summary; CLI verify submit/summary","why":"Expose verdict write/read paths to clients","context":"Express RPCs with Zod validation and in-memory fallback patterns","issue":"Consistent validation + idempotency and friendly CLI UX","resolution":"Zod schema + RPC upsert; CLI flags validated; helpful errors","future_work":"Add --json rich summary and grouping in CLI","time_percent":20},{"topic":"pgTAP + Docker DB suite","what":"Installed pgTAP, added invariants, fixed tests for portability","why":"Gate DB invariants and RPC contracts in CI and locally","context":"Manual/weekly db-tests workflow; local docker compose on :54329","issue":"RLS tests under superuser; pgtap version differences; missing seeds","resolution":"Used reader role, relrowsecurity checks, seeded rows; corrected plans; all green","future_work":"Promote more DB-gated tests and stabilize timings","time_percent":30},{"topic":"Flags view pre-publish leakage","what":"Adjusted submissions_with_flags_view to restrict to published","why":"Ensure zero flags appear before publish even with base-table access","context":"submission_flags RLS + aggregated view consumed by server/web","issue":"Pre-publish aggregate showed 1 due to join behavior","resolution":"Join flags through submissions/rounds and filter rr.phase='published'","future_work":"Revisit if we add moderator preview paths","time_percent":10},{"topic":"Repo hygiene & PR","what":"Merged origin/main, created branch, opened Draft PR, created Issue","why":"Follow AGENTS.md discipline (issues, milestones, project, draft PRs)","context":"Project 'db8 Roadmap', milestone 'M3: Verification'","issue":"Ensure board fields, labels, and milestone are set","resolution":"Issue #149, Draft PR #150 with labels/milestone; project updated","future_work":"Kick off db-tests workflow and request reviews","time_percent":15}],"key_decisions":["Use judge/host roles for verify_submit and require published/final rounds","Keep verdict visibility reporter-only until publish; aggregate via view","Adopt JSONL debrief entries appended to AGENTS.md","Open Draft PR and track via Project/Milestone before merge"],"action_items":[{"task":"Run GitHub 'db-tests' workflow and attach results to PR #150","owner":"james"},{"task":"Request reviewers and iterate on feedback for PR #150","owner":"james"},{"task":"Enhance UI with per-claim verdict badges in transcript","owner":"james"}]}
+
+
+---
+
+{"date":"2025-10-08","time":"21:35","summary":"Merged PR #151 feedback to tighten verification UPSERT keys, clean ESLint resolver config, harden room poller abort handling, and refine commit hook guardrails.","topics":[{"topic":"Verification UPSERT","what":"Removed client_nonce from verification_verdicts conflict target","why":"Deduplicate on substantive identifiers and keep nonce as metadata","resolution":"Conflict now keys on (round,reporter,submission,coalesce(claim,'')) while updating verdict/rationale","time_percent":25},{"topic":"ESLint Resolver","what":"Dropped import/core-modules bypass and fixed resolver paths","why":"Ensure import/no-unresolved runs against actual node_modules","resolution":"Expanded node resolver moduleDirectory and reran lint successfully","time_percent":20},{"topic":"Web Verify Poller","what":"Abortable fetch loop prevents setState after unmount","why":"Avoid memory leaks and React warnings during navigation","resolution":"Added AbortController per-iteration and guarded error handling","time_percent":30},{"topic":"Repo Guardrails","what":"Hardened commit-msg hook and in-memory verify summary parsing","why":"Enforce Conventional Commits precisely and skip malformed cache keys","resolution":"Hook now matches merge message patterns; mem aggregation ignores short keys","time_percent":25}],"key_decisions":["Use message pattern to allow auto merge commits instead of MERGE_HEAD bypass","Abort summary polling fetches on cleanup to prevent stale updates"],"action_items":[{"task":"Monitor room verify summary polling after deployment","owner":"james"}]}