fix(devlog-review): gate devlog-hour payouts behind fraud review #43
Open
EDRipper wants to merge 1 commit into
Devlog review (#39) mutated project.override_hours directly, which is the field pipe payouts are computed from — letting a Reviewer mint hours→pipes outside the fraud-review gate, and dual-writing a field the project-review flow also owns (risking silent overwrite). It also read the devlog's prior state outside its write transaction (TOCTOU: concurrent reviews double-count).

Now devlog hours are treated like any other project hours but mint pipes ONLY at fraud review, by a Fraud Reviewer or Super Admin:

- reviewDevlog no longer touches project.override_hours. It records approved/approvedHours on the devlog inside a transaction that locks the devlog row FOR UPDATE, closing the TOCTOU.
- Both pipe reconciles (FraudReviewService.completeApproval and AuditService one-shot approval) now fold approved devlog hours into the earned-hours base via a separate aggregate (no JOIN fan-out into the override_hours SUM), so devlog hours pay out exactly like normal hours.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Problem

reviewDevlog (from #39) wrote approved devlog hours straight into project.override_hours — the field pipe payouts are derived from. That let a Reviewer mint hours→pipes outside the fraud-review gate, dual-wrote a field the project-review flow also owns (silent-overwrite risk), and read the devlog's prior state outside its write transaction (TOCTOU → concurrent reviews double-count).

Fix — devlog hours = normal hours, minted only at fraud review

- reviewDevlog: no longer touches project.override_hours. It records approved/approvedHours on the devlog inside a transaction that locks the devlog row FOR UPDATE (closes the TOCTOU). No pipe side effects.
- FraudReviewService.completeApproval and AuditService one-shot approval — the only two mint sites, both Fraud-Reviewer/Super-Admin gated) now fold approved devlog hours into the earned-hours base via a separate aggregate (not a JOIN into the override_hours SUM, to avoid row fan-out). So devlog hours pay out exactly like normal project hours, but only at fraud clearance.

Notes

identity.phone_number); no column exists, so nothing to change there.

tsc --noEmit clean.

🤖 Generated with Claude Code
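
The JOIN fan-out that the description avoids with a separate aggregate, and the row lock that closes the TOCTOU, shown as an added SQL example that is not code from this pull request. The table and column names other than override_hours, the sample rows, and the PostgreSQL dialect are assumptions.

```sql
-- Constructed schema and rows. Only override_hours is named on the page;
-- the other table and column names are hypothetical.
CREATE TABLE projects (
  id             INTEGER PRIMARY KEY,
  user_id        INTEGER NOT NULL,
  override_hours NUMERIC NOT NULL
);
CREATE TABLE devlogs (
  id             INTEGER PRIMARY KEY,
  project_id     INTEGER NOT NULL REFERENCES projects(id),
  approved       BOOLEAN NOT NULL DEFAULT FALSE,
  approved_hours NUMERIC NOT NULL DEFAULT 0
);
INSERT INTO projects (id, user_id, override_hours) VALUES (1, 7, 10), (2, 7, 4);
INSERT INTO devlogs (id, project_id, approved, approved_hours) VALUES
  (1, 1, TRUE, 2), (2, 1, TRUE, 3), (3, 2, TRUE, 1);

-- Fan-out: project 1 matches two devlog rows, so its override_hours value
-- appears twice in the joined set and SUM(p.override_hours) over-counts it.
SELECT SUM(p.override_hours) + SUM(d.approved_hours) AS earned_hours
FROM projects p
JOIN devlogs d ON d.project_id = p.id AND d.approved
WHERE p.user_id = 7;

-- Separate aggregates: each SUM runs over its own row set, so every project
-- and every approved devlog is counted exactly once.
SELECT
  (SELECT COALESCE(SUM(p.override_hours), 0)
     FROM projects p
    WHERE p.user_id = 7)
  +
  (SELECT COALESCE(SUM(d.approved_hours), 0)
     FROM devlogs d
     JOIN projects p ON p.id = d.project_id
    WHERE p.user_id = 7 AND d.approved) AS earned_hours;

-- Review write with the row lock: a concurrent reviewer blocks on the SELECT
-- until COMMIT, then reads the already-updated state instead of a stale one.
BEGIN;
SELECT approved, approved_hours FROM devlogs WHERE id = 3 FOR UPDATE;
UPDATE devlogs SET approved = TRUE, approved_hours = 1 WHERE id = 3;
COMMIT;
```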