docs: DRR enforcement implementation plan for PB (DRR-REST5) #645

Draft
gilliankerr wants to merge 3 commits into develop from docs/drr-enforcement-plan

Conversation

@gilliankerr
Contributor

Summary

  • Draft hand-off plan for PB to implement the DRR enforcement work (umbrella ticket DRR-REST5).
  • Revises scope from the original tasks/drr-enforcement-tests-prompt.md (~30 PRs, one per artifact) down to ~16 PRs in 7 phases.
  • Front-loads the foundation (CI on develop, Postgres in CI, missing controls) before any sensor PRs.
  • Favours Django system checks > pytest > Semgrep > pre-commit, based on reliability-per-maintenance-hour.
  • Defers fuzzy rules (terminology, "DRR spirit" review) to a scheduled weekly Haiku workflow.

Why this differs from the original prompt

Four-expert panel review (Security, PHIPA Compliance, Nonprofit Sustainability, SRE) flagged:

  1. Foundation gaps — CI doesn't run on develop PRs; SQLite in CI can't support PG-role tests.
  2. Control vs sentinel conflation — some "enforcement" is actually missing production code (e.g., AuditLog instance-level overrides, two-person helper module).
  3. Maintenance cost — ~60% of the Semgrep rules in the original prompt are low-ROI for a small team.

Open questions for GK

Listed at the foot of the plan. Key ones:

  1. Does GK approve the DRR "invariant vs mechanism" framing change (Phase 4)?
  2. OK for PB to land Phase 1 control fixes without round-tripping each to GK?
  3. Explicit GK approval for adding ConsentEvent.save() override?
  4. Explicit GK approval for wiring two-person enforcement into DV flag removal?
  5. Haiku review budget (~$1–5/week) acceptable?

Status

Draft PR — not for merge until GK + PB review the approach. Kept as draft so comments happen on the plan itself.

Test plan

  • GK reviews the five open questions and signs off
  • PB reviews phase ordering and judgment-call notes; pushes back on any phase he'd restructure
  • Once approved, move out of draft and merge so Phase 0.1 (CI on develop) can start

🤖 Generated with Claude Code

gilliankerr and others added 3 commits April 12, 2026 17:43
Hand-off plan for PB. Revises the scope in drr-enforcement-tests-prompt.md
from ~30 PRs down to ~16, front-loads CI/Postgres/missing-controls
foundation, favours Django system checks over tests over Semgrep, and
defers fuzzy rules to a weekly Haiku workflow.

Scope and priority revision based on a four-expert panel review
(Security, PHIPA Compliance, Nonprofit Sustainability, SRE). Open
questions for GK listed at the foot of the document.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Fixes 11 issues flagged in the end-of-session review:

Scope gaps
- Add PR 3.7 (test_demo_isolation.py, DRR 1.5)
- Add PR 3.8 (test_terminology_substitution.py, DRR 3.2)
- Add PR 3.9 (test_stack_constraints.py, DRR 4.1)
- Add PR 3.10 (test_demo_model_coverage.py, schema-sync meta-check)

Accuracy
- Replace "~16 PRs" claim with honest count: ~21 code + 1 ops + ~9
  frontmatter = ~31 total
- Fix dangling [konote-ops](konote-ops) link in PR 1.3
- Make PR 1.3 explicitly blocking for PR 2.1; call out it's a
  separate repo
- Update Phase 5 cross-ref to PR 3.7 (no longer says "add if needed")

Safety / governance
- PII pre-flight guard in Phase 6 (refuse to send diffs containing
  *.sql/*.dump/data/ files to Anthropic — PHIPA concern)
- Reorder open questions: DV flag two-person enforcement is now #1
  and explicitly blocks Phase 3.6
- Add new OQ #6 on documenting the invariant/mechanism split as a
  DRR authoring convention
- Turn Phase 4 promotion criteria into an explicit checklist
- Specify kill-switch escalation path (Gillian first, then
  Llewelyn.ca ops)
- Update order-of-operations recap with 3.7-3.10 and blocking arrows

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

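The PII pre-flight guard named under "Safety / governance" in the commit message above, as an added example that is not code from this PR or the project: it reads the file headers of a unified diff and refuses the send when any touched path matches *.sql, *.dump or a data/ directory. The function names, pattern list and sample diff are assumptions constructed for illustration.

```python
"""PII pre-flight guard (added example, not project code).
Refuses to hand a diff to the external weekly review when it touches
*.sql, *.dump or anything under data/. Names are assumptions."""
import fnmatch
import re
from typing import List, Tuple

BLOCKED_GLOBS = ("*.sql", "*.dump")   # matched against the file name
BLOCKED_DIRS = ("data/",)             # matched as any path component

_DIFF_HEADER = re.compile(r"^diff --git a/(?P<a>\S+) b/(?P<b>\S+)$", re.M)


def touched_paths(diff_text: str) -> List[str]:
    """Every path named in a 'diff --git' header, old and new side, deduplicated."""
    paths: List[str] = []
    for m in _DIFF_HEADER.finditer(diff_text):
        for p in (m.group("a"), m.group("b")):
            if p not in paths:
                paths.append(p)
    return paths


def is_blocked(path: str) -> bool:
    """True if the file name matches a blocked glob or the path sits under data/."""
    name = path.rsplit("/", 1)[-1]
    if any(fnmatch.fnmatch(name, g) for g in BLOCKED_GLOBS):
        return True
    return any(path.startswith(d) or f"/{d}" in path for d in BLOCKED_DIRS)


def preflight(diff_text: str) -> Tuple[bool, List[str]]:
    """Return (ok_to_send, blocked_paths); ok_to_send is False if any path is blocked."""
    blocked = [p for p in touched_paths(diff_text) if is_blocked(p)]
    return (not blocked, blocked)


# Constructed sample diff: one harmless change plus two files that must not leave the repo.
SAMPLE_DIFF = """\
diff --git a/app/checks.py b/app/checks.py
@@ -1 +1,2 @@
 import django
+# new system check
diff --git a/fixtures/clients.sql b/fixtures/clients.sql
@@ -0,0 +1 @@
+INSERT INTO client VALUES (1, 'sample');
diff --git a/data/export.csv b/data/export.csv
@@ -0,0 +1 @@
+id,name
"""

if __name__ == "__main__":
    ok, blocked = preflight(SAMPLE_DIFF)
    print("send" if ok else f"refuse: {blocked}")
```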
Pre-amends the DRR per GK sign-off 2026-04-13 on the six open questions
from the implementation plan review. Adds a designated emergency
approver role so agencies that cannot always guarantee two qualified
approvers still preserve two-person semantics — a distinct second
human is always involved; only the role-match requirement is relaxed
for time-critical cases.

- Replaces the "emergency override bypass" anti-pattern with language
  that distinguishes bypass (forbidden) from named-role approver
  (permitted with audit flag + weekly review).
- Updates the enforcement pytest description to include the
  emergency-approver audit-flag assertion.
- Extends CI enforcement detail with sub-test (d) covering the
  emergency path.
- Assigns DRR-REST5 to PB in TODO.md and references PR #645.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
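The two-person semantics this commit message describes (a distinct second human is always required; only the role-match is relaxed, and only for a designated emergency approver whose decision carries an audit flag for the weekly review), as an added illustration that is not the project's code. The role names, the Person and Decision types and check_two_person are assumptions.

```python
"""Two-person approval with a designated emergency approver (added
example, not project code; role names and types are assumptions)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

QUALIFIED_ROLES = {"clinical_lead", "program_manager"}  # assumed qualified roles
EMERGENCY_ROLE = "emergency_approver"                   # assumed designated role
AUDIT_FLAG = "EMERGENCY_APPROVER"                       # surfaces in the weekly review


@dataclass(frozen=True)
class Person:
    user_id: int
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    audit_flag: Optional[str]  # set only on the relaxed emergency path
    reason: str


def check_two_person(requester: Person, approver: Person, emergency: bool) -> Decision:
    """Decide whether `approver` may co-sign `requester`'s action.

    The distinct-second-human rule is an invariant and is never relaxed; the
    role-match rule is relaxed only for the designated emergency role, only
    when the action is declared time-critical, and always with an audit flag.
    """
    if approver.user_id == requester.user_id:
        return Decision(False, None, "approver must be a different person")
    if approver.roles & QUALIFIED_ROLES:
        return Decision(True, None, "qualified second approver")
    if emergency and EMERGENCY_ROLE in approver.roles:
        return Decision(True, AUDIT_FLAG, "designated emergency approver; flagged for weekly review")
    # Anything else would be a bypass, which the DRR forbids.
    return Decision(False, None, "no qualified or emergency approver; bypass forbidden")
```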
pboachie self-assigned this Apr 14, 2026