Skip to content

Content OS — engine, Mission Control operator console, and Studio ops surfaces#85

Merged
khuepm merged 9 commits into
mainfrom
claude/lumibase-ai-cms-vision-iw5uy9
Jun 13, 2026
Merged

Content OS — engine, Mission Control operator console, and Studio ops surfaces#85
khuepm merged 9 commits into
mainfrom
claude/lumibase-ai-cms-vision-iw5uy9

Conversation

@khuepm

@khuepm khuepm commented Jun 12, 2026
edited
Loading

Copy link
Copy Markdown
Owner

Content OS — full vertical: engine, operator console, and ops surfaces

This branch delivers the Content OS end to end on top of main, then closes every backend-without-UI gap found in a route-by-route audit, plus security hardening surfaced along the way.

What's in here

Content OS engine (spec .kiro/specs/content-os, modules A–E — shipped earlier from this branch via #78/#88, now extended)

  • Provenance-first revisions, Law-Zero pins, content intents (SLOs), drift detection + reconciler control loop, earned-autonomy trust ledger (L0–L4) with veto window and four-scope kill switch, multi-agent role library with planner delegation and agent-as-reviewer, versioned constitution publish gates, queue-backed runs, MCP server + per-site llms.txt. All behind four per-site flags, default off.

Mission Control — operator console (spec .kiro/specs/content-os-ui, Req 1–20 complete)

  • Rollout switchboard (Req 15): toggle the four contentOs.* flags from the dashboard — two-step confirm to arm a subsystem, one-click disable; saves merge over the settings row so non-flag keys survive.
  • Phase 3 (Req 16–20): Agents sub-route (role library CRUD, enabled toggle, two-step delete); intent detail Scan now / Edit / Delete; goal tree Decompose / Settle planner actions; artifact Evaluate with inline verdict; trust-ledger promotion eligibility check.

Studio ops surfaces (new spec .kiro/specs/studio-ops-ui, Req 1–3 complete)

  • Settings → Materialized views: create (auto/cron/manual), per-row refresh, two-step drop.
  • Settings → Translation memory: entry management + fuzzy-lookup and translate-pipeline try-out panels.
  • Marketplace → Publish extension dialog completing the publish loop.

Security

  • IDOR tenant-isolation suite implemented — the 8 it.todo stubs from the IDOR guidelines are now real DB-backed tests (two tenants, same collection name; every cross-tenant op must 404/no-op and leave rows untouched). Verified green against Postgres.
  • esbuild 0.28.1 (Dependabot Mitigate SQL Injection in Materialize Service #46, high — RCE via NPM_CONFIG_REGISTRY on the install fallback path). Required unifying vite 7.3.5 across the workspace: vite 6 cannot drive esbuild 0.28's syntax lowering.

Setup & DoD hygiene

  • Setup Impact Registry rows for every spec touched (all reviewed; UI batches are n/a — no new seeds/flags/wizard steps).
  • CHANGELOG Unreleased entries for every feature; specs (requirements/design/tasks) reflect final state with all tasks ticked.

Verification

Check Result
pnpm typecheck (14 packages)
CMS suite ✅ 1249 passed
Studio suite ✅ 258 passed (42 files; +20 new component tests)
DB integration (Postgres): setup seeding, 5-way setup race, veto listing, reconcile cycle, 8× IDOR ✅ 19 passed
Studio + docs production builds (vite 7 + esbuild 0.28)

Rollout

Everything is additive. With the four contentOs.* flags off (default), behavior is identical to the pre-Content-OS baseline. Existing instances need no migration action for the setup seeds (documented in CHANGELOG upgrade steps).

khuepm added 4 commits June 13, 2026 04:21
@khuepm
feat(studio): rollout flags switchboard on the Mission Control dashboard
e0051b5 
The four contentOs flags gate every autonomous subsystem but had no UI —
operators had to hand-craft a POST /settings call. The dashboard now has
a Rollout panel: two-step confirm to enable (arming autonomy deserves
friction), one-click disable (stop controls never have friction), and
saves merge over the existing row value so non-flag keys like
agentReviewMinConfidence survive a toggle. 404 on the settings row reads
as all-OFF, mirroring getContentOsFlags on the CMS side.
@khuepm
docs(spec): content-os-ui Req 15 rollout switchboard + registry revie…
0b33da5 
…w row

Spec hygiene per DoD: requirement + tasks for the switchboard gap found
during the post-merge audit, an n/a Setup Impact Registry row for
content-os-ui (UI-only over the already-seeded contentOs row), and the
CHANGELOG entry under Unreleased.
@khuepm
chore: remove stray test-run.ts debug file
60050d5 
Leftover scratch file from the access-cli flaky-test investigation,
accidentally committed to main.
@khuepm
test(cms): implement the 8 IDOR cross-tenant isolation tests
96c712a 
The suite from the IDOR testing guidelines (docs/en/security/idor-testing.md)
shipped as it.todo stubs. Implemented as DB-backed service-level tests per
the repo's DATABASE_URL convention: both tenants carry a collection with
the same name, so isolation must come from item/revision site scoping —
not from name resolution or the permission layer (no permissionCtx on
purpose). Covers detail, patch, softDelete, bulk update/delete, revision
listing, revert, and pin release; write attempts also assert the row is
untouched afterwards. Verified green against the local Postgres.
@khuepm khuepm force-pushed the claude/lumibase-ai-cms-vision-iw5uy9 branch from 544937b to 96c712a Compare June 13, 2026 00:25
khuepm added 5 commits June 13, 2026 07:43
@khuepm
fix(security): bump esbuild past the 0.28.1 RCE advisory, unify vite 7
1f45c56 
Dependabot alert #46 (high): esbuild < 0.28.1 lacks binary integrity
verification on its install fallback path, enabling RCE via
NPM_CONFIG_REGISTRY. Raise the pnpm override from ^0.25.12 to ^0.28.1.

vite 6 cannot drive esbuild 0.28's syntax lowering (the production
transpile pass fails on destructuring for its chrome87/es2020 default
targets), so studio and docs move to vite ^7.3.5 and a workspace
override pins vitest's internal vite to the same major — vitest 3.2.6
declares ^7.0.0-0 peer support. Verified: studio + docs builds,
1249 CMS tests, 238 studio tests, full typecheck, tsx smoke.
@khuepm
docs(spec): content-os-ui Req 16-20 + studio-ops-ui — close backend-w…
699a089 
…ithout-UI gaps

Audit 2026-06-13 cross-referenced CMS routes against every api/v1 call in
Studio. Eight endpoints have no UI: agent roles CRUD, intent
update/delete/scan, goal decompose/settle, artifact evaluate, promotion
eligibility check (Content OS — Req 16-20 + tasks 16-20), plus
materialize manager, translation-memory manager and marketplace publish
(new studio-ops-ui spec).
@khuepm
feat(studio): Mission Control phase 3 — agents page, intent lifecycle…
be4728d 
…, planner actions, evaluate, promotion check

Closes the five Content OS endpoints that had no UI (content-os-ui Req
16-20):
- Agents sub-route: role library CRUD with enabled toggle and two-step
  delete; admin-gated errors surfaced instead of silent failures.
- Intent detail grows Scan now (manual reconciliation cycle with inline
  result), an inline edit form (PATCH; rules/budget as raw JSON), and a
  two-step delete that navigates back to the list.
- Goal tree nodes get Decompose (sub-goal rows assigned to roles from
  the library) and Settle for parents.
- Artifacts tab gets an Evaluate action showing the gate verdict inline.
- Trust ledger gets a promotion eligibility check that creates a real
  human-gated proposal when evidence suffices.

12 new component tests; studio suite 250 green.
@khuepm
feat(studio): materialize manager, translation-memory manager, market…
e86d571 
…place publish

Closes the three non-Content-OS backend-without-UI gaps (studio-ops-ui
Req 1-3):
- Settings → Materialized views: list/create (auto/cron/manual strategy),
  per-row Refresh now, two-step Confirm drop (dropping deletes the
  physical table).
- Settings → Translation memory: entry table with language-pair filter,
  upsert form, and try-out panels for the fuzzy lookup and the full
  TM → glossary → provider translate pipeline.
- Marketplace gains a Publish extension dialog (slug, publisher, signing
  material) completing the publish loop in the UI.

8 new component tests; studio suite 258 green.
@khuepm
docs: CHANGELOG entries + Setup Impact Registry rows for the UI batches
69fa571 
DoD closeout for content-os-ui phase 3 and studio-ops-ui: both are
UI-only over existing endpoints — registry rows 8 (updated) and 9 (new)
record the n/a review; CHANGELOG gains the two Unreleased feature
entries.
@khuepm khuepm changed the title Claude/lumibase ai cms vision iw5uy9 Content OS — engine, Mission Control operator console, and Studio ops surfaces Jun 13, 2026
@khuepm khuepm merged commit 360d4e9 into main Jun 13, 2026
6 checks passed
@khuepm khuepm deleted the claude/lumibase-ai-cms-vision-iw5uy9 branch June 13, 2026 02:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@khuepm