v0.7.0 — B1 schema-level provenance check for validation_attempts (deferred from !2900)

What

Implement Cause B1 from !2900 (pr-reviewer quality). The skill-text fixes (Causes A/C/D/E) shipped in !188 (merged) / v0.6.0 — but the structural enforcement that makes the protocol unforgeable was deferred because it needs a v2→v3 schema migration.

Why this matters

Without B1, the pr-reviewer protocol is enforced only by reviewer discipline. The !2900 incident showed that rubber-stamp/fabricated rows pass the current validation_attempts.feedback CHECK constraint (which only validates the literal MCP-availability prefix). The schema accepts:

  • agent='pr-reviewer' + verdict='pass' + valid prefix → row stored
  • Whether the reviewer actually did review work → unchecked

We saw 3 rows fabricated this way in the !2900 remediation (rows 7-8-9, deleted) before strict re-spawn caught them. The skill text now says "don't do that" — but nothing prevents it at the DB layer.

Add constraints to validation_attempts:

  1. subagent_session_id NOT NULL.
  2. CHECK that subagent_session_id is not empty AND not a placeholder (reject patterns such as 'retroactive-*', 'bro-fallback-*' and '<stub>').
  3. Optionally: cross-reference check that subagent_session_id matches a row in a new agent_spawns ledger table (proper provenance tracking — heavier; might escalate to v0.7.0).

Minimum viable: NOT NULL + reject placeholder patterns via CHECK.

Schema migration plan (v2→v3)

  1. Add migration migrateV2toV3 in db.ts parallel to existing migrateV1toV2.
  2. Backfill: for existing rows with NULL subagent_session_id, populate with a deterministic anchor 'pre-v3-migration-task<task_id>-attempt<n>' so the NOT NULL constraint can apply.
  3. Add NOT NULL + CHECK constraint to schema.sql.
  4. Bump TARGET_SCHEMA_VERSION to 3.
  5. Regression tests: the migration test asserts that rows present before migration are backfilled correctly and that post-migration writes with a NULL or placeholder session_id are rejected.
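Minimum-viable B1 plus steps 2, 3 and 5 of the plan above, as an added runnable sketch (not the project's db.ts or schema.sql): it assumes the store is SQLite, uses a constructed subset of the validation_attempts columns, and spells the placeholder patterns as LIKE clauses because SQLite has no REGEXP by default.

```python
import sqlite3
# Constructed v2 subset of validation_attempts (not the project's schema.sql): the session id
# is nullable, so a rubber-stamp row needs no provenance. The feedback prefix CHECK is omitted.
V2_SCHEMA = """CREATE TABLE validation_attempts (
  id INTEGER PRIMARY KEY, task_id INTEGER NOT NULL, agent TEXT NOT NULL,
  verdict TEXT NOT NULL, feedback TEXT NOT NULL, subagent_session_id TEXT);"""

# v3 column. NOT NULL stays separate from the CHECK because a CHECK that evaluates to NULL passes.
# SQLite has no REGEXP by default, so the ticket's placeholder patterns are spelled with LIKE.
V3_SESSION_COLUMN = """subagent_session_id TEXT NOT NULL CHECK (
  length(trim(subagent_session_id)) > 0
  AND subagent_session_id NOT LIKE 'retroactive-%'
  AND subagent_session_id NOT LIKE 'bro-fallback-%'
  AND subagent_session_id <> '<stub>')"""

def migrate_v2_to_v3(conn):
    # Step 2: backfill NULLs with the deterministic anchor; <n> is the row's ordinal within its
    # task. The anchor is deliberately outside the rejected patterns so the CHECK accepts it.
    conn.execute("""UPDATE validation_attempts SET subagent_session_id =
        'pre-v3-migration-task' || task_id || '-attempt' || (SELECT count(*) FROM validation_attempts e
         WHERE e.task_id = validation_attempts.task_id AND e.id <= validation_attempts.id)
      WHERE subagent_session_id IS NULL""")
    # Step 3: SQLite cannot add a constraint in place, so rebuild the table under the v3 definition.
    conn.executescript(f"""CREATE TABLE validation_attempts_v3 (id INTEGER PRIMARY KEY,
        task_id INTEGER NOT NULL, agent TEXT NOT NULL, verdict TEXT NOT NULL,
        feedback TEXT NOT NULL, {V3_SESSION_COLUMN});
      INSERT INTO validation_attempts_v3 SELECT * FROM validation_attempts;
      DROP TABLE validation_attempts;
      ALTER TABLE validation_attempts_v3 RENAME TO validation_attempts;""")

def insert_attempt(conn, task_id, session_id):
    """True if the row was stored, False if the DB layer rejected it."""
    try:
        conn.execute("INSERT INTO validation_attempts (task_id, agent, verdict, feedback, "
                     "subagent_session_id) VALUES (?, 'pr-reviewer', 'pass', 'mcp ok', ?)",
                     (task_id, session_id))
        return True
    except sqlite3.IntegrityError:  # NOT NULL or CHECK constraint failed
        return False

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(V2_SCHEMA)
    insert_attempt(conn, 7, None)  # accepted under v2: exactly the fabricated-row shape
    migrate_v2_to_v3(conn)
    return {"backfilled": conn.execute("SELECT subagent_session_id FROM validation_attempts").fetchone()[0],
            "null_rejected": not insert_attempt(conn, 8, None),
            "placeholder_rejected": not insert_attempt(conn, 8, "retroactive-2024"),
            "real_id_stored": insert_attempt(conn, 8, "sess-0c3f")}
```

The bump of TARGET_SCHEMA_VERSION (step 4) lives in db.ts and is not modelled here.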

Files

  • mcp/trajectory-server/src/db.ts — add migrateV2toV3; bump TARGET_SCHEMA_VERSION = 3
  • mcp/trajectory-server/src/schema.sql — add NOT NULL + CHECK
  • mcp/trajectory-server/src/test/schema-upgrade.test.ts — migration regression test
  • mcp/trajectory-server/src/test/validation.test.ts — assert NULL/placeholder INSERT rejected

Acceptance

  • All existing tests pass (no regression).
  • v1→v2→v3 migration chain tested end-to-end.
  • New INSERT with NULL subagent_session_id rejected at the DB layer.
  • New INSERT with placeholder pattern (matching the regex) rejected.

Cross-references

  • !2900 (closed) — pr-reviewer quality; original analysis.
  • !2899 (closed) — workflow violation that surfaced !2900's findings.
  • Memory feedback_mcp_recovery — documents the honor-system fallback that B1 reinforces structurally.
  • v0.6.0 release notes acknowledge B1 as deferred.