Finalize two-persona Sift DBRE product for submission

[d3v07]

Summary — product flow

Finalizes the two-persona Sift DBRE product for hackathon submission.

Users (Dev Trivedi, Aakash Singh) run guided read-only MongoDB workload queries from the Workload Console. Each query is captured to query_log with its shape, live explain evidence, an evidence-based slow-signal, and user attribution. The DBRE operator sees the evidence-ranked slow-query queue (blocking sort / over-scan ratio / keys — not wall-clock), selects a real captured query, and Diagnoses it. Diagnosis runs 3 Vertex Agent Engine roles over 4 read-only tools; deterministic Python selects the ESR winner, computes the evidence hash, enforces the hash-bound approval gate, and performs the backend-only index apply + verification. Sift Memory (Voyage) adds read-only DBRE retrieval context only.

Safety boundaries preserved

• EvidencePack v1 unchanged — controller/schemas.py and contracts/evidence_pack.schema.json are byte-identical to main (git blob hashes verified).
• 4 MVP tools not renamed — explain_slow_query, compare_candidate_indexes, diagnose_candidate, rationalize_recommendation (only gained a query_json parameter so they diagnose the real captured query instead of a hardcoded fixture).
• Agents have no mutation authority — read-only tools only; the deployed agent receives no apply/drop/verify tools; agents/gating.py blocks create/drop-index outside VERIFY; PackStatus.VERIFIED is set solely by the controller.
• Deterministic controller owns winner selection, pack_evidence_hash, the approval gate, backend-only apply_and_verify, and verification.
• Hash-bound approval — apply rejects a stale evidence_hash (route guard + issue_approval_ticket + _assert_ticket_allows_apply + schema validators).
• No secrets to the browser — VOYAGE_API_KEY / RUN_API_TOKEN / SESSION_SECRET / Mongo URI never appear in client source or bundle; no NEXT_PUBLIC_VOYAGE.
• /packs/{run_id}/memory is DBRE-gated — 401 no-auth · 403 user · 200 DBRE.

3 Agent Engine roles / 4 tools (confirmed in Run Review trace — "AGENT ENGINE: 4 tool events")

• Diagnose Agent → explain_slow_query (DETECT), diagnose_candidate (DIAGNOSE)
• Candidate Agent → compare_candidate_indexes (CANDIDATE)
• Rationale Agent → rationalize_recommendation (RATIONALE)
• Deterministic controller then validates: "Agent Engine proposal matched deterministic ESR validation."

Sift Memory / Voyage — read-only, out-of-band

• api/memory.py VoyageMemoryService: server-side embed + rerank; never part of EvidencePack v1; mutation_authority = False always.
• States: unconfigured / ok / empty / fallback (Voyage failure → labeled local guidance).
• Voyage key read server-side only; the dashboard fetches a sanitized MemoryResponse server-side and passes only display fields to the client.
• Run Review renders the panel below the Trace with the label: "Read-only retrieval context only. The deterministic controller still selects, applies, and verifies." System Map places it as read-only context, not deterministic authority.

Test outputs — branch feat/sift-two-persona-submission @ 94efb0a

uv run ruff format --check .   ->  80 files already formatted
uv run ruff check .            ->  All checks passed!
uv run pytest -q               ->  all pass (1 skipped)
cd dashboard && npm run lint   ->  No ESLint warnings or errors
       tsc --noEmit            ->  exit 0
       npm test -- --run       ->  28 passed (2 files)
       npm run build           ->  built (15 routes, standalone)

Browser QA (Puppeteer — desktop 1440×1100 + mobile 390×1000)

• ✓ Login page renders cleanly (Slate/Sift branding).
• ✓ Dev Trivedi login → ran a real workload query ("Blocking in-memory SORT, 50,000 docs → 20"; "Captured … attributed to Dev Trivedi").
• ✓ Aakash Singh login → ran a real workload query (captured + attributed to Aakash Singh).
• ✓ DBRE login → Slow-Query Queue shows captures with CAUSED BY attribution (Dev Trivedi / Aakash Singh), evidence-ranked.
• ✓ Run Review: 3 roles / 4 tools recorded; "Approve this evidence hash" CTA; full evidence hash visible/readable; deterministic validation shown; MUTATION BLOCKED.
• ✓ Sift Memory panel below the trace (read-only label; fallback state with local guidance verified).
• ✓ System Map shows Sift Memory as read-only retrieval context.
• ✓ Mobile 390×1000: no horizontal overflow; hashes/buttons not clipped; trace + memory readable; nav usable.
• ✓ Security: user role redirected off DBRE Run Review; /packs/{id}/memory 401 / 403 / 200; no Voyage key in client source or built bundle.

Deployment prerequisites (NOT applied — do not deploy without explicit "deploy")

Cloud Run config verified read-only (no secret values printed):

• gcrah-read-api: RUN_API_TOKEN, SESSION_SECRET (gcrah-session-secret), MONGO_SECRET_NAME, and the 3 Agent Engine resource IDs (Diagnose/Candidate/Rationale) — all present as refs.
• gcrah-dashboard: API_URL / NEXT_PUBLIC_API_URL, RUN_API_TOKEN, SESSION_SECRET — present; no Voyage key (correct).
• VOYAGE_API_KEY is ABSENT on the read API → Sift Memory shows "Not configured" in prod until set. To enable: create Secret Manager secret voyage-api-key, grant the read-API service account secretAccessor, then redeploy the read API with --update-secrets VOYAGE_API_KEY=voyage-api-key:latest --update-env-vars VOYAGE_EMBED_MODEL=voyage-4-lite,VOYAGE_RERANK_MODEL=rerank-2.5-lite. The dashboard gets no Voyage key.
• Both Cloud Run services should be redeployed from this branch to ship the current code (live revisions predate parts of it).

Known remaining risks

• VOYAGE_API_KEY not yet in prod → memory degrades to "Not configured" (safe; documented above).
• agents/mcp_backend.py (apply/drop-index) physically lives under agents/ but is the controller's Backend-Protocol implementation — not reachable by any deployed agent role; the read-only boundary holds (directory-placement caveat only).
• Live Agent Engine diagnosis depends on Vertex availability; on a parse/transport failure it falls back to the deterministic controller and the pack stays valid.

Explicit statement

No change to EvidencePack v1 or contracts/evidence_pack.schema.json. No MVP tool renamed. No secret exposed to the browser. Agents have no apply / drop / verify / approve authority — deterministic Python remains the sole decision maker and human approval remains hash-bound.