Program F — Multi-Tenancy RLS (Row-Level Security):
alembic 20260417_0002_add_rls.py: Enables RLS on 23 tenant-scoped tables.
database_rls.py: set_tenant_context() helpers for SET LOCAL app.tenant_id.
middleware/tenant_rls.py: Extracts tenant_id from JWT on every request.
Default-deny when no tenant context is set. PostgreSQL only (CI on SQLite is unaffected).
Result: OWASP A01:2025 (Broken Access Control) mitigated by enforcing access control in the DB layer.
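Added example of the three pieces a tenant RLS rollout needs: the per-table policy DDL, a transaction-scoped context setter, and a post-migration check that no table was missed. This is illustration code written for this page, not the project's database_rls.py or its alembic migration; the UUID tenant_id column, the table names and the DB-API cursor stand-in are assumptions, and only the GUC name app.tenant_id comes from the text above.

```python
"""Tenant RLS helpers (added example; not the project's database_rls.py)."""
import re
import uuid

TENANT_SETTING = "app.tenant_id"
_IDENT = re.compile(r"^[a-z_][a-z0-9_]*$")  # identifiers are interpolated, so whitelist them


def tenant_policy_ddl(table: str, column: str = "tenant_id") -> list[str]:
    """DDL that makes `table` readable/writable only for the current tenant.

    current_setting(name, true) yields NULL when the setting was never defined
    and '' once a SET LOCAL has expired; NULLIF folds both to NULL, and
    `tenant_id = NULL` is never true, so no context means no rows (default-deny).
    FORCE applies the policy to the table owner as well (typically the app role
    that also runs migrations), which ENABLE alone does not.
    """
    for ident in (table, column):
        if not _IDENT.match(ident):
            raise ValueError(f"unsafe identifier: {ident!r}")
    predicate = f"{column} = NULLIF(current_setting('{TENANT_SETTING}', true), '')::uuid"
    return [
        f"ALTER TABLE {table} ENABLE ROW LEVEL SECURITY;",
        f"ALTER TABLE {table} FORCE ROW LEVEL SECURITY;",
        f"CREATE POLICY tenant_isolation ON {table} USING ({predicate}) WITH CHECK ({predicate});",
    ]


def set_tenant_context(cursor, tenant_id) -> str:
    """Bind the tenant for the current transaction only.

    set_config(..., is_local=true) is the SET LOCAL form: it expires at COMMIT or
    ROLLBACK, so a pooled connection cannot carry one request's tenant into the
    next. The value is passed as a bind parameter and validated as a UUID first.
    """
    tid = str(uuid.UUID(str(tenant_id)))  # ValueError on anything that is not a UUID
    cursor.execute("SELECT set_config(%s, %s, true)", (TENANT_SETTING, tid))
    return tid


# pg_class.relrowsecurity / relforcerowsecurity record ENABLE / FORCE per table
RLS_STATUS_SQL = """
SELECT c.relname, c.relrowsecurity, c.relforcerowsecurity
FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public' AND c.relkind = 'r'
"""


def tables_missing_rls(cursor, expected: set[str]) -> dict[str, str]:
    """Post-migration check: every tenant-scoped table must have RLS enabled and forced."""
    cursor.execute(RLS_STATUS_SQL)
    status = {name: (enabled, forced) for name, enabled, forced in cursor.fetchall()}
    problems = {}
    for table in sorted(expected):
        if table not in status:
            problems[table] = "table not found"
        elif not status[table][0]:
            problems[table] = "RLS not enabled"
        elif not status[table][1]:
            problems[table] = "RLS not forced (owner bypasses policy)"
    return problems


class FakeCursor:
    """Constructed stand-in for a DB-API cursor so the example runs offline."""

    def __init__(self, rows=()):
        self.executed = []
        self._rows = list(rows)

    def execute(self, sql, params=None):
        self.executed.append((sql, params))

    def fetchall(self):
        return self._rows
```

Two caveats the check above is there to catch: ENABLE without FORCE leaves the owning role unrestricted, and a tenant id set with plain SET (session scope) instead of SET LOCAL survives the transaction and leaks across pooled connections.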
Program G — Idempotency Standard:
models/idempotency_key.py: IdempotencyKey table with TTL + SHA256 hash.
services/idempotency_service.py: get_existing/store with request fingerprint.
middleware/idempotency.py: HTTP middleware on POST/PUT/PATCH.
Result: Duplicate side effects prevented on retry.
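Added example of the idempotency mechanism described above, written for this page rather than taken from the project's services/idempotency_service.py or middleware/idempotency.py. It shows the request fingerprint, the TTL, and the case the page does not spell out: the same key reused with a different body must be refused, not replayed. The Idempotency-Key header name, the per-tenant scoping of keys and the in-memory store are assumptions.

```python
"""Idempotency layer (added example; not the project's own middleware)."""
import hashlib
import json
import time
from dataclasses import dataclass

MUTATING = {"POST", "PUT", "PATCH"}


class IdempotencyConflict(Exception):
    """Same key reused with a different request: refuse rather than replay."""


@dataclass
class StoredResponse:
    fingerprint: str
    status: int
    body: dict
    expires_at: float


def request_fingerprint(method: str, path: str, body) -> str:
    """SHA-256 over a canonical form of the request: {"a":1,"b":2} and
    {"b":2,"a":1} match, a changed amount does not."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{method}\n{path}\n{canonical}".encode()).hexdigest()


class IdempotencyService:
    def __init__(self, ttl_seconds: float = 24 * 3600):
        self.ttl = ttl_seconds
        self._store: dict[tuple[str, str], StoredResponse] = {}

    def get_existing(self, tenant_id, key, fingerprint, now):
        # Keys are scoped per tenant (assumption): tenant A cannot replay tenant B's key.
        rec = self._store.get((tenant_id, key))
        if rec is None:
            return None
        if rec.expires_at <= now:
            del self._store[(tenant_id, key)]
            return None
        if rec.fingerprint != fingerprint:
            raise IdempotencyConflict(f"Idempotency-Key {key!r} already used for a different request")
        return rec

    def store(self, tenant_id, key, fingerprint, status, body, now):
        self._store[(tenant_id, key)] = StoredResponse(fingerprint, status, body, now + self.ttl)


def handle_request(service, tenant_id, method, path, headers, body, handler, now=None):
    """Middleware core. Returns (status, body, replayed)."""
    now = time.time() if now is None else now
    key = headers.get("Idempotency-Key")
    if method not in MUTATING or key is None:
        status, resp = handler(body)  # nothing to deduplicate
        return status, resp, False
    fp = request_fingerprint(method, path, body)
    try:
        existing = service.get_existing(tenant_id, key, fp, now)
    except IdempotencyConflict as exc:
        return 422, {"error": str(exc)}, False
    if existing is not None:
        return existing.status, existing.body, True  # side effect is NOT re-executed
    status, resp = handler(body)
    service.store(tenant_id, key, fp, status, resp, now)
    return status, resp, False
```

The in-memory dict hides one failure mode a production store must handle: two identical requests in flight at the same time both miss the lookup and both execute. A database-backed table needs an atomic insert (unique constraint on tenant_id plus key) and an in-progress marker so the second request waits or is rejected rather than duplicating the side effect.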
Program E — Persistent Durable Execution:
models/durable_checkpoint.py: DurableCheckpoint with sequence_num + status.
services/durable_runtime.py: start_run/checkpoint/complete/resume/list_incomplete.
Result: Workflows survive crashes — resume from last persisted checkpoint.
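Added example of a checkpointed runtime with the five operations listed above, written for this page and not taken from the project's services/durable_runtime.py. It demonstrates the resume path (a worker dies after two checkpoints, a second worker finishes only the remaining step) and a sequence_num check that rejects out-of-order or duplicate checkpoint writes. The in-memory store and the step API (ordered name/function pairs) are assumptions.

```python
"""Checkpoint-and-resume runtime (added example; not the project's durable_runtime.py)."""
from dataclasses import dataclass, field


@dataclass
class Checkpoint:
    sequence_num: int
    step: str
    output: dict


@dataclass
class Run:
    run_id: str
    status: str = "running"  # running | completed
    checkpoints: list = field(default_factory=list)


class DurableRuntime:
    def __init__(self):
        self._runs: dict[str, Run] = {}

    def start_run(self, run_id: str) -> Run:
        if run_id in self._runs:
            raise ValueError(f"run {run_id} already exists")  # never silently restart
        self._runs[run_id] = Run(run_id)
        return self._runs[run_id]

    def checkpoint(self, run_id: str, sequence_num: int, step: str, output: dict) -> None:
        run = self._runs[run_id]
        expected = len(run.checkpoints) + 1
        if sequence_num != expected:  # gap or duplicate: two workers, or a replayed write
            raise ValueError(f"run {run_id}: expected sequence {expected}, got {sequence_num}")
        run.checkpoints.append(Checkpoint(sequence_num, step, output))

    def complete(self, run_id: str) -> None:
        self._runs[run_id].status = "completed"

    def list_incomplete(self) -> list[str]:
        return sorted(r.run_id for r in self._runs.values() if r.status != "completed")

    def resume(self, run_id: str, steps) -> list[str]:
        """Run `steps` (ordered (name, fn) pairs), skipping any already checkpointed.

        A fresh run simply has nothing to skip. Each fn receives the outputs of
        all earlier steps. The step that was in flight when the crash happened may
        have partially executed, so steps must be idempotent.
        """
        run = self._runs[run_id]
        done = {cp.step: cp.output for cp in run.checkpoints}
        executed = []
        for seq, (name, fn) in enumerate(steps, start=1):
            if name in done:
                continue
            output = fn(done)
            self.checkpoint(run_id, seq, name, output)
            done[name] = output
            executed.append(name)
        self.complete(run_id)
        return executed
```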
Program K — OpenTelemetry:
observability/otel.py: init/span/inject_correlation_id with graceful
degradation when the OTel packages are absent.
openclaw/gateway.py: Wraps execute() in a span and binds correlation_id to
trace_id. Bridge between business correlation and production observability.
Program J — Release Gate Hardening:
docs/governance/release-gates.md: Documents 3 mandatory gates.
.github/workflows/dealix-ci.yml: Adds release_readiness_matrix as CI step.
release_readiness_matrix.py: Updated to check 41/41 components.
Verification:
architecture_brief.py: 40/40 PASS
release_readiness_matrix.py: 41/41 PASS
https://claude.ai/code/session_01W1rJthWDkasijTdXCfxVHs
Trust Enforcement:
approval_bridge.py: Class B actions now FAIL if missing _correlation_id.
This is the first real trust enforcement beyond policy classification —
external/sensitive actions cannot proceed without traceability.
Executive Room Contract:
GET /api/v1/executive-room/weekly-pack — returns ExecWeeklyPack
(structured output schema) as the CANONICAL executive data source.
Includes RAG status (red/amber/green), blockers, risk summary,
actual vs target, all with Provenance.
Auto Evidence Pack on Deal Close:
deals.py update_deal_stage() now auto-calls on_deal_closed() when
stage transitions to closed_won. Assembles evidence pack from deal
data + lead data + approval records with SHA256 hash.
deal_lifecycle_hooks.py: new service for deal lifecycle automation.
Sales Pack:
revenue-activation/sales-pack/ONE_PAGER.md — Arabic one-pager
revenue-activation/sales-pack/MARKETER_HUB.md — Internal marketer
reference with approved claims, forbidden claims, ICP, objection
handling, demo scripts, proof points, and asset library.
https://claude.ai/code/session_01W1rJthWDkasijTdXCfxVHs
Golden Path — Partner Tier-1 verification flow:
POST /api/v1/golden-path/run — executes complete partner lifecycle:
1. PartnerDossier (structured output with Provenance)
2. EconomicsModel (revenue_upside, cost, payback, sensitivity)
3. ApprovalPacket (Class B enforcement, SLA, creates ApprovalRequest)
4. EvidencePack (auto-assembled from steps 1-3, SHA256 hash)
All steps linked by trace_id for end-to-end correlation.
This is the FIRST flow that actually uses structured_outputs.py
schemas in live code — PartnerDossier, EconomicsModel, ApprovalPacket
all enforced with Pydantic validation + Provenance fields.
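Added example of the SHA-256 evidence pack used both by the deal-close hook (Auto Evidence Pack on Deal Close) and by Golden Path step 4. It is written for this page, not taken from deal_lifecycle_hooks.py or the Golden Path code, and the schema tag, field names and sample records are constructed. The point it makes that the summary does not: the hash must be computed over a canonical serialization, with the hash field itself excluded and input ordering normalized, or verification becomes order-dependent.

```python
"""Tamper-evident evidence pack (added example; not the project's hook code)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone


def canonical_json(obj) -> bytes:
    # Stable byte form: sorted keys, no whitespace, UTF-8 as written.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def assemble_evidence_pack(deal: dict, lead: dict, approvals: list, trace_id: str, now=None) -> dict:
    """Bundle the inputs, then hash everything except the hash field itself."""
    pack = {
        "schema": "evidence_pack/v1",  # assumed schema tag
        "trace_id": trace_id,
        "assembled_at": (now or datetime.now(timezone.utc)).isoformat(),
        "deal": deal,
        "lead": lead,
        # approval order must not change the digest, so sort by a stable key
        "approvals": sorted(approvals, key=lambda a: a["approval_id"]),
    }
    pack["sha256"] = hashlib.sha256(canonical_json(pack)).hexdigest()
    return pack


def verify_evidence_pack(pack: dict) -> bool:
    """Recompute the digest over a copy without `sha256`; compare in constant time."""
    body = {k: v for k, v in pack.items() if k != "sha256"}
    expected = hashlib.sha256(canonical_json(body)).hexdigest()
    return hmac.compare_digest(expected, pack.get("sha256", ""))
```

A bare digest detects corruption and makes the pack content-addressable, but anyone who can edit the stored record can recompute it; for non-repudiation the digest has to be signed or anchored externally (the attestations listed among the stack additions below are the kind of mechanism that provides this).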
correlation_id propagation:
OpenClaw gateway now generates/accepts correlation_id and injects
it into payload as _correlation_id. Returned in all responses.
This enables trace linking across decision → approval → execution.
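Added example tying together three passages of this summary: the gateway's correlation_id generation and _correlation_id injection (this section), the approval_bridge rule that Class B actions fail without _correlation_id (Trust Enforcement), and the OTel wrapper that degrades gracefully when the packages are absent (Program K). It is written for this page and is not the project's openclaw/gateway.py, approval_bridge.py or observability/otel.py; the correlation-id format check, the "A"/"B" action class strings and the handler callback are assumptions. It also adds one check the summary does not mention: a caller-supplied correlation_id is only accepted if it is well-formed, so a client cannot push arbitrary bytes into logs and traces.

```python
"""Correlation id, trust gate and OTel fallback (added example; not project code)."""
import contextlib
import re
import uuid

try:  # degrade gracefully: the gateway must work with no OTel packages installed
    from opentelemetry import trace as _otel_trace
except ImportError:
    _otel_trace = None

# assumed format: short, printable, no whitespace or control characters
CORRELATION_ID_RE = re.compile(r"^[A-Za-z0-9._-]{8,64}$")


class TraceabilityError(Exception):
    """Raised when a Class B (external/sensitive) action has no correlation id."""


@contextlib.contextmanager
def span(name: str, correlation_id: str):
    """Open a span with correlation_id bound as an attribute; yields the trace id.

    Without OTel the context is a plain dict with trace_id 0, so callers do not
    need to know which mode they are in.
    """
    if _otel_trace is None:
        yield {"trace_id": 0, "correlation_id": correlation_id}
        return
    tracer = _otel_trace.get_tracer("gateway")
    with tracer.start_as_current_span(name) as s:
        s.set_attribute("app.correlation_id", correlation_id)
        yield {"trace_id": s.get_span_context().trace_id, "correlation_id": correlation_id}


def normalize_correlation_id(supplied) -> str:
    """Keep a well-formed caller id, otherwise mint one; never trust arbitrary input."""
    if supplied is not None and CORRELATION_ID_RE.match(str(supplied)):
        return str(supplied)
    return uuid.uuid4().hex


def require_traceability(action_class: str, payload: dict) -> None:
    """approval_bridge-style gate: Class B cannot proceed without _correlation_id."""
    if action_class == "B" and not payload.get("_correlation_id"):
        raise TraceabilityError("Class B action without _correlation_id")


def execute(action_class: str, payload: dict, handler, correlation_id=None) -> dict:
    """Gateway entry point: inject _correlation_id, enforce the trust gate, run the
    handler under a span, and echo the id so decision, approval and execution
    records can be joined on it."""
    cid = normalize_correlation_id(correlation_id)
    payload = {**payload, "_correlation_id": cid}
    require_traceability(action_class, payload)
    with span("gateway.execute", cid) as ctx:
        result = handler(payload)
    return {
        "ok": True,
        "result": result,
        "correlation_id": cid,
        "trace_id": format(ctx["trace_id"], "032x"),
    }
```

Two design choices worth stating: a malformed caller id is replaced rather than rejected here, which keeps the request flowing but hides client bugs (rejecting with 400 is the stricter option); and because the gateway always injects an id, the require_traceability gate only fails for actions that reach the bridge by some path other than the gateway, which is exactly the bypass it exists to catch.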
NEXT_STEP_AND_STACK_RECOMMENDATIONS_AR.md:
Comprehensive next-step guide covering:
- 6 closure tests (truth, schema, workflow, trust, release, executive)
- Stack additions now (OTel, OIDC, attestations, OpenFGA)
- Stack additions next (Great Expectations, Unstructured, connectors)
- Backend/frontend/docs upgrade priorities
- 7-step optimal execution order
- Avoid-now list
https://claude.ai/code/session_01W1rJthWDkasijTdXCfxVHs