
fix(devlog-review): gate devlog-hour payouts behind fraud review #43

Open
EDRipper wants to merge 1 commit into main from fix/devlog-hours-fraud-gated


Conversation

EDRipper (Collaborator) commented Jul 2, 2026

Problem

reviewDevlog (from #39) wrote approved devlog hours straight into project.override_hours — the field pipe payouts are derived from. That let a Reviewer mint hours→pipes outside the fraud-review gate, dual-wrote a field the project-review flow also owns (silent-overwrite risk), and read the devlog's prior state outside its write transaction (TOCTOU → concurrent reviews double-count).

Fix — devlog hours = normal hours, minted only at fraud review

  • reviewDevlog: no longer touches project.override_hours. It records approved/approvedHours on the devlog inside a transaction that locks the devlog row FOR UPDATE (closes the TOCTOU). No pipe side effects.
  • Both pipe reconciles (FraudReviewService.completeApproval and AuditService one-shot approval — the only two mint sites, both Fraud-Reviewer/Super-Admin gated) now fold approved devlog hours into the earned-hours base via a separate aggregate (not a JOIN into the override_hours SUM, to avoid row fan-out). So devlog hours pay out exactly like normal project hours, but only at fraud clearance.

Notes

  • Phone number is not stored — it's read live from HCA identity (identity.phone_number); no column exists, so nothing to change there.
  • Backend tsc --noEmit clean.

🤖 Generated with Claude Code

Devlog review (#39) mutated project.override_hours directly, which is the
field pipe payouts are computed from — letting a Reviewer mint hours→pipes
outside the fraud-review gate, and dual-writing a field the project-review
flow also owns (risking silent overwrite). It also read the devlog's prior
state outside its write transaction (TOCTOU: concurrent reviews double-count).

Now devlog hours are treated like any other project hours but mint pipes
ONLY at fraud review, by a Fraud Reviewer or Super Admin:

- reviewDevlog no longer touches project.override_hours. It records
  approved/approvedHours on the devlog inside a transaction that locks the
  devlog row FOR UPDATE, closing the TOCTOU.
- Both pipe reconciles (FraudReviewService.completeApproval and
  AuditService one-shot approval) now fold approved devlog hours into the
  earned-hours base via a separate aggregate (no JOIN fan-out into the
  override_hours SUM), so devlog hours pay out exactly like normal hours.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
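The two mechanisms the PR body and commit message describe, the separate aggregate that replaces the JOIN into the override_hours SUM, and the devlog review that writes only the devlog row inside a single locking transaction, are illustrated below in an added Python example. It is not the project's code (the backend is TypeScript) and it uses sqlite3 as a stand-in database: SQLite has no SELECT ... FOR UPDATE, so BEGIN IMMEDIATE takes the write lock up front as the analog. The table layout, column names other than override_hours and approved/approved_hours, and the sample rows are constructed assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed sample: one project with 10 override hours and
    three devlogs, two already approved (2h + 3h) and one pending (5h)."""
    con = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    con.executescript("""
        CREATE TABLE project (
            id INTEGER PRIMARY KEY,
            override_hours REAL NOT NULL DEFAULT 0
        );
        CREATE TABLE devlog (
            id INTEGER PRIMARY KEY,
            project_id INTEGER NOT NULL REFERENCES project(id),
            approved INTEGER NOT NULL DEFAULT 0,
            approved_hours REAL NOT NULL DEFAULT 0
        );
    """)
    con.execute("INSERT INTO project (id, override_hours) VALUES (1, 10.0)")
    con.executemany(
        "INSERT INTO devlog (id, project_id, approved, approved_hours) VALUES (?, ?, ?, ?)",
        [(1, 1, 1, 2.0), (2, 1, 1, 3.0), (3, 1, 0, 5.0)],
    )
    return con


def earned_hours_join_fanout(con: sqlite3.Connection, project_id: int) -> float:
    """The shape the PR avoids: joining devlog rows into the override_hours SUM
    repeats override_hours once per matching devlog row (row fan-out)."""
    (total,) = con.execute(
        """
        SELECT SUM(p.override_hours)
             + SUM(CASE WHEN d.approved = 1 THEN d.approved_hours ELSE 0 END)
        FROM project p
        JOIN devlog d ON d.project_id = p.id
        WHERE p.id = ?
        """,
        (project_id,),
    ).fetchone()
    return total


def earned_hours_separate_aggregate(con: sqlite3.Connection, project_id: int) -> float:
    """Reconcile-side base: override_hours counted once, plus approved devlog
    hours from a separate aggregate. This is the only place devlog hours
    enter the payout computation."""
    (total,) = con.execute(
        """
        SELECT p.override_hours
             + COALESCE((SELECT SUM(approved_hours)
                         FROM devlog
                         WHERE project_id = p.id AND approved = 1), 0)
        FROM project p
        WHERE p.id = ?
        """,
        (project_id,),
    ).fetchone()
    return total


def review_devlog(con: sqlite3.Connection, devlog_id: int,
                  approved: bool, approved_hours: float) -> tuple:
    """Record the reviewer's decision on the devlog row only; never touches
    project.override_hours. The prior-state read and the write happen under
    one write lock, so two concurrent reviews cannot both see 'not yet
    approved' and double-count. Returns the prior (approved, approved_hours)."""
    con.execute("BEGIN IMMEDIATE")  # write lock now (stand-in for FOR UPDATE)
    try:
        prev = con.execute(
            "SELECT approved, approved_hours FROM devlog WHERE id = ?",
            (devlog_id,),
        ).fetchone()
        if prev is None:
            raise LookupError(f"devlog {devlog_id} not found")
        con.execute(
            "UPDATE devlog SET approved = ?, approved_hours = ? WHERE id = ?",
            (1 if approved else 0, approved_hours if approved else 0.0, devlog_id),
        )
        con.execute("COMMIT")
    except Exception:
        con.execute("ROLLBACK")
        raise
    return prev


def project_override_hours(con: sqlite3.Connection, project_id: int) -> float:
    (hours,) = con.execute(
        "SELECT override_hours FROM project WHERE id = ?", (project_id,)
    ).fetchone()
    return hours


if __name__ == "__main__":
    db = make_db()
    print("JOIN fan-out (wrong):", earned_hours_join_fanout(db, 1))
    print("separate aggregate:  ", earned_hours_separate_aggregate(db, 1))
    review_devlog(db, 3, True, 5.0)
    print("after approving devlog 3:", earned_hours_separate_aggregate(db, 1))
    print("override_hours untouched:", project_override_hours(db, 1))
```

With three devlog rows on the project, the JOIN form reports 35 hours (override_hours counted three times) where the separate aggregate reports 15; approving the pending devlog raises only the aggregate, and project.override_hours stays at 10 throughout.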