[Deferred] Step 4: Audit and guard background write paths for namespaces in maintenance
> **Deferred from POC scope.** Per [feedback from @abdwdd](https://gitlab.com/gitlab-org/gitlab/-/issues/590009#note_3126470745), the POC scope was cut to essentials. Background write path auditing and guards are deferred to follow-up work post-POC.

## Summary

Identify and block internal processes (Sidekiq workers, cron jobs, PG triggers) that write to namespace data independently of HTTP requests. These bypass the Rack middleware and need separate enforcement.

## Dependencies

- **Depends on**: Step 1 (#591688) — needs state machine for guard checks
- **Audit can start in parallel** with Steps 2-3 (no code dependency for the investigation portion)
- **Guard implementation depends on**: Step 1

## Context

Parent issue: https://gitlab.com/gitlab-org/gitlab/-/issues/590009

The issue description specifically calls out: *"areas where writes happen independently of HTTP requests from users"*. This is the most open-ended phase and a key output of the POC is documenting the scope of this work.

## Tasks

### Audit

- [ ] Identify Sidekiq workers that write to group/project data scoped to a namespace (e.g., `Groups::UpdateStatisticsWorker`, CI pipeline workers, repository cleanup, storage recalculation)
- [ ] Identify PG triggers and sync events (e.g., `Namespaces::SyncEvent`, push rule sync triggers) that fire on namespace changes
- [ ] Identify cron/scheduled jobs that may write to namespaced resources
- [ ] Document findings in a list categorized by risk level (high: data mutation, medium: metadata update, low: cache/stats refresh)

### Guard Implementation

- [ ] Create `Namespaces::MaintenanceGuard` concern that workers can include to check namespace state before writing

  ```ruby
  module Namespaces
    module MaintenanceGuard
      # Raised when a write is attempted against a namespace in maintenance.
      NamespaceMaintenanceError = Class.new(StandardError)

      # The state is read from the root ancestor, so the check covers any
      # namespace under a root that is in maintenance.
      def namespace_in_maintenance?(namespace)
        namespace.root_ancestor.effective_state == :maintenance
      end

      def skip_if_maintenance!(namespace)
        raise NamespaceMaintenanceError if namespace_in_maintenance?(namespace)
      end
    end
  end
  ```

- [ ] Apply guard to highest-risk workers identified in the audit
- [ ] Decide on behavior: skip silently, re-enqueue with delay, or raise error?
- [ ] Add specs for the guard concern and key worker integrations

## Effort Estimate

Large (ongoing — audit is 2-3 days, guard implementation is incremental)
task
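
The open question under Guard Implementation (skip silently, re-enqueue with delay, or raise) can be made a per-worker policy with a fail-closed default. The sketch below is an added example, not code from the issue or from GitLab: `MaintenanceGuardDemo`, `on_maintenance`, `guarded_write`, `demo_worker`, `RETRY_DELAY` and the `Namespace` struct are hypothetical stand-ins, and `effective_state` is assumed to behave as the issue's snippet implies.

```ruby
# Added illustration, not GitLab code; Namespace is a constructed stand-in for the model.
Namespace = Struct.new(:name, :parent, :effective_state) do
  def root_ancestor
    parent ? parent.root_ancestor : self
  end
end

module MaintenanceGuardDemo
  NamespaceMaintenanceError = Class.new(StandardError)
  RETRY_DELAY = 300 # seconds; hypothetical value

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Hypothetical per-worker policy (:skip, :reenqueue, :raise). Workers that
    # declare nothing, or an unknown policy, fail closed by raising.
    def on_maintenance(policy = nil)
      @on_maintenance = policy if policy
      @on_maintenance || :raise
    end
  end

  def namespace_in_maintenance?(namespace)
    namespace.root_ancestor.effective_state == :maintenance
  end

  # Yields only when writes are allowed; otherwise applies the worker's policy.
  def guarded_write(namespace)
    return [:written, yield] unless namespace_in_maintenance?(namespace)
    case self.class.on_maintenance
    when :skip then [:skipped, nil]
    when :reenqueue then [:reenqueued, RETRY_DELAY]
    else raise NamespaceMaintenanceError, "#{namespace.root_ancestor.name} is in maintenance"
    end
  end
end

# Constructed worker factory: one class per policy, all doing the same write.
def demo_worker(policy = nil)
  Class.new do
    include MaintenanceGuardDemo
    on_maintenance(policy)
    define_method(:perform) { |ns| guarded_write(ns) { "updated #{ns.name}" } }
  end
end
# Constructed sample data: the subgroup's own state is :active, its root is not.
ROOT = Namespace.new("acme", nil, :maintenance)
SUBGROUP = Namespace.new("acme/api", ROOT, :active)
```

Because the write itself is passed as a block, a worker cannot reach it without going through the state check, and a worker the audit has not yet classified raises rather than writing.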