The Trilogy Times

## What & why

Klair's /ai-adoption Budget-vs-Actuals dashboard shows ~\$272K/month of OpenAI spend mislabeled "Central Engineering" because core_finance.ai_spend_openai_cost_reports.user_email is NULL for 100% of rows (240,437 verified) — the pipeline fetched cost grouped by line_item only, so the finest grain available was project_id, and ~93% of that "Central Engineering" total sits in one shared org-wide project that no project-level override can split.

This PR makes the pipeline fetch cost grouped by user_id and populate user_email, giving downstream the join key it needs to re-attribute spend to the real consuming teams.

## The change

1. group_by: line_item → user_id in openai_client.py. Verified live: this keeps line_item (model) populated on every row, so model-level cost detail is retained; only project_id goes NULL. Per-(bu, date) totals are unchanged (reattribution, not double-count).

2. New fetch_org_users(api_key) resolver — the Costs API does not return user_email; it must be resolved separately via GET /v1/organization/users (paginated). Returns a user_id → email map.

3. Per-key enrichment in the handler — the OpenAI-Usage-Keys secret spans ~20 distinct OpenAI orgs, and /v1/organization/users is org-scoped, so the resolver map is built per API key (not once per run) and applied to that key's rows. Verified: a user_id from one org does not resolve against another org's key.

## Behavior (verified live)

- user_email populates for ~92% of spend (dollar-weighted) in the sampled BU.

- Unresolved user_ids (slug ids, service keys) → user_email stays NULL but bu is retained — same attribution as today, no worse. No rows dropped.

- Resolver failure is non-fatal: if /users errors for a key, that key proceeds with an empty map (cost rows still load, user_email NULL) and the run still reports success. A /users outage never drops successfully-fetched cost data.

- project_id is NULL on new rows — intentional and accepted. All downstream project_id consumers are handled by a separate klair-api re-key (out of scope here).

## Scope

- Only pipelines/runners/openai-cost-pipeline/ is touched. redshift_handler.py is unchanged — the user_id/user_email columns already existed in the INSERT.

- Design + plan docs included under docs/superpowers/.

## Tests

uv run pytest → 110 passed. ruff format + ruff check clean. New coverage: resolver (map build, pagination cursor, skip-missing, missing-id loop guard), per-key enrichment, unresolved→NULL+keep-bu, non-fatal resolver failure. Fixtures updated to the real user-grouped API shape.

## Reviewer notes

- Verify the invariant on a backfill day: per-(bu, date) grand total should match before/after the grouping change.

- Known follow-up (not blocking): the resolver makes one /users call per API key; for a BU with multiple keys in the *same* org this re-fetches the identical user list. Bounded and correct; an org-id cache would be a future optimization.

- This is PR 1 of 2. PR 2 adds the esw-people-accounts-sync pipeline (the email → canonical BU directory) that consumes this user_email key.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---

## Local validation harness

scripts/dryrun_user_grain.py — read-only dry-run that exercises the real fetch_org_users + fetch_cost_report + handler enrichment against the live OpenAI API and prints exactly what would be inserted, without calling insert_cost_records (no Redshift writes). Run:

cd pipelines/runners/openai-cost-pipeline
uv run python scripts/dryrun_user_grain.py --bu Trilogy-Central-Engineering --start 2026-05-01 --end 2026-05-02

Validated on live data (Central-Engineering, 2026-05-01): 92% of spend resolves to user_email, model line_item retained, project_id NULL, and the per-(bu,date) total matches the old line_item grouping exactly ($5,184.3760 == $5,184.3760) — confirming reattribution, not double-count.

## What

Flip schedule.enabled from false → true for esw-people-accounts-sync.

## Why now

The pipeline intentionally landed enabled: false pending two things, both now done:

1. VPC connectivity (#268, merged + deployed to prod): the Lambda is attached

to the CN-Production VPC (CNA + CNB private subnets), so it can reach the

VPN-only pods_ods MySQL DB. Verified on the live function.

2. Verified production run: a manual invoke succeeded and loaded **1,556

fresh rows** into staging_gsheets.esw_people_accounts (single loaded_at

stamp → clean full-refresh; ~the expected ~1,550; 36 distinct business_units;

emails lowercased, email_local/BU populated).

With both confirmed, enable the existing cron(0 5 * * ? *) (05:00 UTC daily)

so the directory refreshes itself.

## Scope

One-line config change. The cron expression is unchanged; the schedule rule only

arms in the prod environment (schedule.enabled && env === 'prod' in the

Pipeline construct). No code changes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary

This PR advances the Rhodes → Aerie migration by making Aerie own the Rhodes operational data model and business logic, rather than delegating writes back to Rhodes. The MCP write path no longer hand-rolls behavior inside mcp.ts; instead it dispatches to a new set of canonical Rhodes mutation runtime modules in Aerie Convex, which encode the authoritative write semantics (authorization, ID rewriting, derived state, audit logging, milestone/lifecycle handling). On top of that, dual-write and read-source paths are hardened to fail closed, due-diligence writeback is mirrored into Aerie's migrated sites, and the bulk-baseline + migration importers gain retained-graph handling, placeholder users, and serialized-ID rewriting so a re-runnable import reconciles cleanly. Extensive parity tests assert the new Aerie runtime matches Rhodes behavior across MCP mutations, the dashboard, and dual-write.

### Changes

Canonical Rhodes mutation runtime (new core)

- chat/convex/rhodes/runtime/mutationDispatcher.ts *(new)* — Central dispatch from MCP tool calls to canonical write modules.

- chat/convex/rhodes/runtime/mutationAuthorization.ts *(new)* — Authorization checks for Rhodes mutations.

- chat/convex/rhodes/runtime/actors.ts *(new)* — Resolves the acting user/actor for writes and audit attribution.

- chat/convex/rhodes/runtime/audit.ts *(new)* — Audit-log helpers for site writes.

- chat/convex/rhodes/runtime/ids.ts *(new)* — ID resolution/rewriting between Rhodes legacy IDs and Aerie IDs.

- chat/convex/rhodes/runtime/derivedState.ts, milestones.ts, pendingLifecycle.ts, constants.ts, siteReadModels.ts, documentGapReadModels.ts *(new)* — Derived stage/quality-bar status, milestone due-date logic, pending-mutation lifecycle, shared constants, and read models.

- chat/convex/rhodes/runtime/writes/*.ts *(new)* — Per-entity canonical write behavior: siteWrites, taskWrites, noteWrites, documentWrites, costBreakdownWrites, changeLogWrites, workUnitWrites, workUnitGroupWrites.

- chat/convex/rhodes/mcp.ts — Reduced from ~1300 lines to a thin dispatcher; MCP writes now delegate to the runtime modules instead of containing inline logic.

- chat/convex/rhodes/functions.ts, dashboard.ts, dualWrite.ts, migration.ts, pendingMutations.ts, userRefs.ts — Wire the dashboard, dual-write, and migration paths to the new runtime; gate DRI assignment to Clerk users; derive stage/quality-bar status via triggers.

Due diligence

- chat/convex/portfolio/dueDiligence.ts — Audit-log Aerie DD site writes with the acting user; mirror DD writeback and cron into Aerie migrated sites.

- chat/app/api/portfolio-sites/[slug]/fields/route.ts — Route phasing and security saves to Aerie.

Read source / cache hardening

- chat/lib/school-site-read-source.ts — Fail closed on missing or invalid SCHOOL_SITE_READ_SOURCE.

- chat/lib/rhodes-portfolio-cache.ts — Bypass the process cache for Aerie Convex reads.

- chat/lib/aerie-rhodes-dashboard-server.ts *(new)* — Server-side Aerie dashboard reads.

Migration / bulk baseline (sync)

- sync/src/scripts/rhodes-migration.ts, rhodes-bulk-baseline.ts — Retained graph, placeholder users for missing Rhodes users, serialized JSON ID rewriting, reconcile hardening, and ignore-missing-email handling.

- chat/convex/migrations/resetRhodesBulkBaselineTables.ts *(new)* — Reset baseline tables for re-runnable imports.

- chat/convex/migrations/rhodesBackfill.ts — Backfill adjustments.

MCP repoint / worker config

- chat/scripts/rhodes-mcp-repoint-check.mjs — Validate the MCP handshake and required tools; drop runDriveAudit from the allowlist.

- chat/rhodes-worker/wrangler.jsonc, .dev.vars.example, .env.example — Document the Aerie shared secret and permission-lookup vars.

Dependencies

- chat/package.json, pnpm-lock.yaml — Add convex-helpers for Convex triggers.

Tests *(new)* — rhodesMcpMutationParity.test.ts, rhodesDashboardParity.test.ts, rhodesDualWrite.test.ts, rhodesMcpParity.test.ts, plus runtime write-parity coverage and additions to dueDiligence.test.ts, rhodesBackfill.test.ts, rhodes-migration.test.ts, rhodes-bulk-baseline.test.ts.

Docs

- features/rhodes-migration/RUNTIME_WRITE_PARITY_GAPS.md *(new)* — Tracks behavioral gaps between Rhodes and the new Aerie runtime.

- features/rhodes-migration/RHODES_DEV_TO_AERIE_DEV_GOAL_PROMPT.md *(new)*, PLAN.md — Migration plan/goal updates.

### Design Decisions

- Aerie owns the write behavior. Rather than continuing to delegate MCP writes to Rhodes /aerie/mutations/*, the canonical mutation logic is reimplemented in Aerie's rhodes/runtime/* modules so Rhodes can eventually be archived. mcp.ts becomes a dispatcher.

- Fail closed everywhere. Dual-write and read-source resolution error out rather than silently drifting or falling back, consistent with the migration's non-negotiable decisions.

- Legacy IDs are mapped, not preserved. Aerie generates its own document IDs and rewrites embedded/serialized Rhodes IDs via the legacyIdMap and the runtime ids helpers.

- DRI assignment gated to Clerk users; stage and quality-bar status are derived via Convex triggers (hence the convex-helpers dependency) instead of being set manually.

## Test Plan

- [ ] pnpm typecheck

- [ ] pnpm biome check

- [ ] Parity test suites pass (rhodesMcpMutationParity, rhodesDashboardParity, rhodesDualWrite, rhodesMcpParity, runtime write-parity)

- [ ] Reviewer: confirm MCP repoint check passes against the Aerie worker (chat/scripts/rhodes-mcp-repoint-check.mjs)

- [ ] Reviewer: validate bulk-baseline + migration dry run reconciles cleanly on dev data

- [ ] Reviewer: verify DD writeback + cron land on Aerie migrated sites with correct actor attribution

## Summary

Re-attributes OpenAI AI-spend on /ai-adoption to the real consuming Business Unit by joining ai_spend_openai_cost_reports.user_email to the new ESW directory (staging_gsheets.esw_people_accounts, email→business_unit), replacing the project_id-keyed attribution that produced the ~$272K/month "Central Engineering (OpenAI)" misattribution (one shared org-wide project, ~99% not Central Engineering).

A single 4-layer effective-BU precedence is applied identically in the live API service and the fct_ai_spend mart:

COALESCE(override, directory_exact, directory_local_guarded, secret_label_bu)

- services/ai_costs_service.py — directory-join helper + constants; OpenAI override join re-keyed project_id→user_email; directory join + 4-layer BU applied in get_summary, get_time_series, get_by_bu, get_top_drivers, prior-period. Project drill-downs / top-drivers / filter facet now keyed on user_email. get_by_model unchanged (uses line_item, which survives).

- services/ai_spend_bu_overrides_service.py — /admin/ai-spend-bu entity list now lists OpenAI by user_email; inert legacy proj_* override rows hidden.

- database/scripts/mart_saas_metrics/022_fct_ai_spend.sql — OpenAI entity → user; directory layer added; cost↔token join dropped (NULL tokens on OpenAI rows, by design); UNION alignment preserved across all provider CTEs. Verified semantically identical to the service.

Local-part fallback is collision-guarded (HAVING COUNT(DISTINCT business_unit) = 1); unresolved users fall back to the existing secret-label bu (no worse than today).

## Dependencies / rollout

Downstream half of a 3-part effort. Safe to merge ahead of its data dependencies — until both land, every directory join yields NULL and attribution falls back to today's bu label (no behavior change, no errors):

- Surtr #249 — populates ai_spend_openai_cost_reports.user_email (group_by=user_id)

- Surtr #253 — creates/loads staging_gsheets.esw_people_accounts (currently enabled:false, pending VPC)

No visible effect until those are live. Inert proj_* override rows were intentionally left in place (ignored by the user_email join).

## Test Plan

- [x] pytest tests/test_ai_costs_service.py tests/test_ai_spend_bu_overrides_service.py → 139 passed

- [x] ruff format + ruff check clean; no new pyright issues (1 error + 6 warnings are pre-existing, verified against baseline)

- [ ] Post-deploy verification (after Surtr #249 + #253 live): see docs/superpowers/plans/2026-06-09-klair-openai-rekey-VERIFY.md — grand-total invariant (reattribution, not double-count), directory coverage (~98% expected), Central-Engineering line drops, live API ↔ mart agreement.

Design spec: docs/superpowers/specs/2026-06-09-klair-openai-rekey-design.md

## Screenshot

- The /ai-adoption page continues to load as expected

<img width="1447" height="830" alt="image" src="https://github.com/user-attachments/assets/a4db50a3-2a85-4103-81d4-8cd20c99a57a" />

- The data fixes will come in after this is merged and then will be tested in depth.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

> Stacked on feat/cost-movement-qoq-a3 (#2983). This PR's base is the A3 branch, not main. Review/merge A3 first.

Linear: [KLAIR-2857 — QoQ A4 — Frontend: drill-down + escalation badges + inc/dec toggle + CSV export](https://linear.app/builder-team/issue/KLAIR-2857)

This is the final ready-for-review state of the A4 frontend slice, completing the Phase-A UX of the Cost Movement (QoQ) tab on top of the A3 detail page.

## Demo

<img width="2624" height="1636" alt="image" src="https://github.com/user-attachments/assets/239eebf0-20bc-42f9-a7ea-44579c1146c6" />

<img width="2624" height="1636" alt="image" src="https://github.com/user-attachments/assets/b0a1cb5d-a6db-420c-bda2-022ff0c3eade" />

## What was built

- Lazy hierarchical drill-down on CostMovementTable.tsx — BU → Class → Account → Service — via UnifiedTable's LazyLoadConfig. Each level is fetched on demand when its parent row is expanded, consuming the A2 drill endpoints (/cost-movement/by-class, /by-account, /by-service).

- Shared cell renderers reused at every depth — an escalation-tier badge, a signed-delta cell with heatmap tinting, and a "NEW" pill for movers that have spend in quarter_b but none in quarter_a (backend isNew field).

- Increases / Decreases / All sign toggle in the table header that filters rows by sign(annualizedDiff) at every level.

- CSV export enabled on the table.

- No backend changes — the A2 by-class / by-account / by-service endpoints were already merged and contract-verified.

## Files changed

Created (3 drill hooks):

- klair-client/src/screens/AWSSpend/hooks/useCostMovementByClass.ts

- klair-client/src/screens/AWSSpend/hooks/useCostMovementByAccount.ts

- klair-client/src/screens/AWSSpend/hooks/useCostMovementByService.ts

Modified:

- klair-client/src/services/awsSpendApi.ts — three new drill item types (CostMovementClassItem / CostMovementAccountItem / CostMovementServiceItem) + three client fns (getCostMovementByClass / ByAccount / ByService).

- klair-client/src/screens/AWSSpend/components/CostMovementTable.tsx — converted FLAT → hierarchical lazy drill-down; wired the badge / signed-delta heatmap / NEW-pill renderers, the sign toggle, and CSV export.

Docs:

- features/aws-spend/cost-movement-qoq/specs/04-frontend-cost-movement-drill-down/spec.md — marked Completed.

- features/aws-spend/cost-movement-qoq/FEATURE.md — changelog synced (spec 04 → Completed).

## Tests

- 49 new A4 tests: CostMovementTable.spec.tsx rewritten (21) + the three drill-hook specs (10 + 9 + 9).

- Full cost-movement suite (including the A3-merged CostMovementPage and awsSpendApi.costMovement specs) = 63 tests, all passing.

- tsc --noEmit clean; eslint --max-warnings 0 clean.

## Self-review

- 1 finding found & fixed (IMPORTANT): the signed-delta TEXT color was inverted (green for increases). Flipped so increases render red / decreases green, matching the heatmap tint and spec FR3.

## Stacking note

The updated A3 base (feat/cost-movement-qoq-a3, advanced by review-fix commit 3f0eb046f) was merged into this branch. The only conflict was an obsolete JSDoc comment, resolved in favor of A4's hierarchical version. The PR is now mergeable.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_AGENT_PR_BODY_BEGIN -->

## Summary

Adds drones export-otel to translate local runs/, events/, and traces/ artifacts into OTLP-compatible spans. Supports --run <id> or --pr <N> (mutually exclusive), --format jsonl|protobuf (default jsonl), stdout or --output <file>, and a best-effort --endpoint OTLP HTTP upload.

## Why It's Needed

Trilogy-drones already persists per-turn trace JSONL (D1) and waterfall reports (AI-59), but observability backends expect standard OpenTelemetry payloads. This command closes AI-62 so operators can pipe drone traces into Datadog, Honeycomb, W&B Weave, or any OTLP collector without custom JSONL readers.

## Changes

- src/eval/otel.ts — deterministic W3C trace/span id generation (SHA-256), run → turn → tool-call span hierarchy, service.* / genai.* attributes, OTLP JSON serialization, and a minimal protobuf encoder for ExportTraceServiceRequest.

- src/export-otel.ts — orchestration: run/PR discovery (reuses exported findRunsForPr), graceful degradation on missing artifacts, optional endpoint upload.

- src/cli.ts — new export-otel subcommand with argument validation.

- src/report-traces.ts — export findRunsForPr for shared PR discovery.

- src/eval/otel.test.ts, src/export-otel.test.ts — mapping, id shape, selector, and format coverage.

- README.md — quickstart examples for single-run and PR export.

## Breaking Changes

None. New CLI command only; existing report and trace persistence behavior is unchanged.

## Test Plan

- [x] pnpm typecheck → clean

- [x] pnpm test → 305 vitest + 14 python tests passed (including src/eval/otel.test.ts and src/export-otel.test.ts)

- [x] Unit tests verify 32-hex trace ids, 16-hex span ids, run→turn→tool parent chain, service.name / genai.request.model / genai.tool.name attributes, mutual exclusion of --run and --pr, and protobuf byte output

- [ ] Reviewer-side: with a local run that has traces/<run-id>.jsonl, run pnpm drones export-otel --run <id> and confirm one valid OTLP JSON line on stdout; repeat with --pr <N> for a PR with known runs

## Verification Artifact

pnpm test src/eval/otel.test.ts src/export-otel.test.ts
# ✓ 16 tests passed (id shape, hierarchy, jsonl/protobuf export, selector validation)
pnpm typecheck
# ✓ no errors

Example local export (after a run with trace data):

pnpm drones export-otel --run <run-id>
pnpm drones export-otel --pr 42 --output /tmp/pr-42-traces.jsonl

<!-- CURSOR_AGENT_PR_BODY_END -->

<div><a href="https://cursor.com/agents/bc-3c9bfcc7-73e3-441d-b066-931e0908f686"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a>&nbsp;<a href="https://cursor.com/background-agent?bcId=bc-3c9bfcc7-73e3-441d-b066-931e0908f686"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a>&nbsp;</div>

## Problem

The new esw-people-accounts-sync Lambda reads the pods_ods MySQL DB at

aurora11.aureacentral.com, which resolves to a private IP (10.69.26.171) reachable only via VPC peering to the Aurea/ESW network. A no-VPC Lambda has no route there, so the first production run failed:

OperationalError: (2003, "Can't connect to MySQL server on 'aurora11.aureacentral.com' (timed out)")

This was a known design-time blocker (see the "⚠️ DEPLOY BLOCKER — VPC required"

section in docs/superpowers/specs/2026-06-09-openai-user-attribution-design.md).

## Fix

Add an opt-in network field to pipeline.json that attaches a Lambda

pipeline to a named VPC + subnets. esw-people-accounts-sync uses

"network": "cn-production", which lands its ENIs in the CN-Production VPC,

CNA + CNB Production-Private subnets (2-AZ: us-east-1c / us-east-1d).

Both subnets share route table rtb-0f34efa69ff5a5135, verified to provide:

- 10.69.0.0/16 → peering pcx-0200951cc98173cef — reaches the DB, and

- 0.0.0.0/0 → NAT nat-0c443910ef6e9ba4f — keeps Secrets Manager + Redshift

Data API egress (so no interface endpoints needed).

CDK auto-attaches AWSLambdaVPCAccessExecutionRole for the ENI permissions.

## Changes

| File | Change |

|---|---|

| pipelines/cdk/lib/network-config.ts *(new)* | Named-network registry. Maps cn-production → VPC + the two private subnets via static fromVpcAttributes/fromSubnetAttributes (no context lookup → hermetic synth/tests). IDs documented with their route-table evidence. |

| pipelines/cdk/lib/schema/pipeline-config.ts | Optional network enum + superRefine rejecting it on compute: ecs (ECS already runs in a VPC). |

| pipelines/cdk/lib/constructs/pipeline.ts | When network is set, create a dedicated egress SG and attach vpc/vpcSubnets/securityGroups to both primary and secondary Lambdas. No-network pipelines synth byte-for-byte unchanged. |

| pipelines/runners/esw-people-accounts-sync/pipeline.json | "network": "cn-production". |

| tests | VPC wiring (VpcConfig present/absent, SG, managed policy) + schema accept/reject cases. |

## Scope / blast radius

Only esw-people-accounts-sync opts in. Every other pipeline computes an empty

VPC-props object → identical synthesized template. Confirmed via cdk synth:

the esw stack renders the VpcConfig (both subnets) + SG in CN-Production + the

VPC-access role, while e.g. anthropic-cost-pipeline synthesizes with

VpcConfig = NONE.

## Manual step required before this can run (not in this PR & needs to be tested after first deployment)

The Lambda's new security group must be allowed inbound on port 3306 by the Aurea Aurora cluster's security group. That rule lives in the peered account, so the route existing does not by itself grant access. Until that's

done, a deployed invoke will still probably time out.

The pipeline stays schedule.enabled: false. Recommended rollout:

1. Deploy (lands disabled).

2. Confirm the Aurea-side 3306 SG allowance.

3. Manual invoke → CloudWatch should show no (2003) timeout.

4. SELECT count(*), max(loaded_at) FROM staging_gsheets.esw_people_accounts

→ expect ~1,550 rows, fresh timestamp; spot-check a few emails → expected BUs.

5. Flip schedule.enabled: true.

## Testing

- tsc --noEmit: exit 0.

- Full CDK jest suite (Docker running): 519/519, 14/14 suites.

- cdk synth Pipeline-esw-people-accounts-sync-prod: VpcConfig + SG + VPC-access

role render correctly; Docker bundle of src/ succeeds (confirms

src/requirements.txt resolves — the CLAUDE.md bundling rule).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

# Consolidated HeadCount table — Financials › Schools – Actual vs Model (All-Schools view)

## Demo

<img width="2624" height="1636" alt="image" src="https://github.com/user-attachments/assets/5e377063-4d92-48e0-b70b-8e40f02123cf" />

Adds a network-wide Consolidated HeadCount table to the All-Schools (consolidated) view of *Financials › Schools – Actual vs Model*, rendered directly below <ConsolidatedPLTable />. The table is school-major with a three-level School → Role → Person drilldown and a pinned network TOTAL row, comparing each school's actual staffing (the proven QB Contracted-Labor path — plMonthlyRecords $ + plTransactions→xoContractorIdentity heads) against the model's implied need at forecast and capacity enrollment. The model side is a new continuous per-student ratio derived per role (modelRoleCount ÷ referenceStudents), applied as required = E × ratio and $ = required × baseSalary × XO_FACTOR. All operating schools are listed; the ~33 campuses without a parseable tier · scale model show actuals only and carry a no-model badge with — for the model/vs cells.

Linear: https://linear.app/builder-team/issue/AERIE-362

### Specs (all Completed)

| Spec | Description |

|------|-------------|

| [06 — Model role per-student ratios](features/dashboards/school-pl-unit-economics/specs/06-model-role-per-student-ratios/spec.md) | getModelRolePerStudentRatios(model) deriving a continuous per-student ratio per role (modelRoleCount ÷ referenceStudents) returning { ratio, baseSalary }. Lives in the new runtime-free @bran/contracts/unit-economics-headcount module, re-exported by unit-economics-model.ts. |

| [07 — Consolidated headcount query](features/dashboards/school-pl-unit-economics/specs/07-consolidated-headcount-query/spec.md) | Eager getConsolidatedHeadcountByRole({ period }) (actual $ reconciling to the getConsolidatedPL Headcount section) + lazy getConsolidatedHeadcountSchoolDetail({ school, period }) per-school heads/person drilldown. |

| [08 — Consolidated headcount table UI](features/dashboards/school-pl-unit-economics/specs/08-consolidated-headcount-table-ui/spec.md) | ConsolidatedHeadcountTable UI (School → Role → Person drilldown, coral/sage vs chips, no-model badge, network TOTAL row, CSV export) wired into the isConsolidated branch of financials-view.tsx, with a compile-time _ConsolidatedHeadcountParity guard. |

### Implementation

- New contracts module packages/contracts/src/unit-economics-headcount.ts holds the shared ratio math (getModelRolePerStudentRatios, referenceStudents, resolveTierScale) so both the React surface and the Convex backend consume one runtime-free contract. Re-exported by chat/components/dashboards/financials/unit-economics-model.ts.

- Two new Convex queries in chat/convex/finance/dashboards/financial.ts: the eager getConsolidatedHeadcountByRole (one row per operating school + network TOTAL; actual $ from plMonthlyRecords by_quarter) and the lazy getConsolidatedHeadcountSchoolDetail fired on row expand.

- New UI component chat/components/dashboards/financials/consolidated-headcount-table.tsx, wired below <ConsolidatedPLTable /> in financials-view.tsx. The hand-written ConsolidatedHeadcountData interface is held assignable from the query return type by a compile-time AssignableTo parity guard (_ConsolidatedHeadcountParity).

### Reconciliation & performance guarantee

- Reconciliation: Σ (per-role actual $) + residual == the getConsolidatedPL cost.sections Headcount-section total, byte-for-byte. The eager query is gated on sectionGroup to match the P&L exactly, and the residual accumulator captures non-folded contracted-labor prefixes (60200/60210/60213/… common in production) so nothing is dropped and the TOTAL ties out. Asserted in a query test.

- Eager-cheap / lazy-heads design: the eager query reads only plMonthlyRecords (by_quarter, all schools — cheap) and never touches plTransactions, staying within Convex's 32k-doc read budget. Actual heads and the per-contractor person breakdown — which require plTransactions (no by_quarter index, only by_schoolDisplayName_year) — are served lazily per school by getConsolidatedHeadcountSchoolDetail on row expand.

### Test coverage — 82 tests, all green

- unit-economics-model.test.ts — 63 (incl. getModelRolePerStudentRatios per-tier ratio math, alpha-anywhere @ 2000, unknown/blank → null, the Alpha-Miami worked example)

- financialConsolidatedHeadcount.test.ts — 8 (incl. reconciliation with sectionGroup exclusion + residual + UNITEMIZED)

- consolidated-headcount-table.test.ts — 11 (vs-chip tone, — for no-model rows, TOTAL aggregation)

### Self-review — 5 findings found and all fixed (c840fee3)

1. Honest actual-heads presentation — school/TOTAL actual heads render — until the lazy detail loads, instead of a false 0 / bogus Δ.

2. sectionGroup gate so the eager actual $ matches the P&L headcount section byte-for-byte.

3. residual accumulator so non-folded contracted-labor prefixes (60200/60210/60213/… common in production) aren't dropped and the TOTAL reconciles.

4. UNITEMIZED bucket in the person drilldown so person rows sum to the role $.

5. First-match program-code resolver mirroring getSnapshotEnrollment.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

> Stacked on feat/cost-movement-qoq-a3 (#2983). This PR's base is the A3 branch, not main. Review/merge A3 first.

Linear: [KLAIR-2857 — QoQ A4 — Frontend: drill-down + escalation badges + inc/dec toggle + CSV export](https://linear.app/builder-team/issue/KLAIR-2857)

This is the final ready-for-review state of the A4 frontend slice, completing the Phase-A UX of the Cost Movement (QoQ) tab on top of the A3 detail page.

## Demo

<img width="2624" height="1636" alt="image" src="https://github.com/user-attachments/assets/239eebf0-20bc-42f9-a7ea-44579c1146c6" />

<img width="2624" height="1636" alt="image" src="https://github.com/user-attachments/assets/b0a1cb5d-a6db-420c-bda2-022ff0c3eade" />

## What was built

- Lazy hierarchical drill-down on CostMovementTable.tsx — BU → Class → Account → Service — via UnifiedTable's LazyLoadConfig. Each level is fetched on demand when its parent row is expanded, consuming the A2 drill endpoints (/cost-movement/by-class, /by-account, /by-service).

- Shared cell renderers reused at every depth — an escalation-tier badge, a signed-delta cell with heatmap tinting, and a "NEW" pill for movers that have spend in quarter_b but none in quarter_a (backend isNew field).

- Increases / Decreases / All sign toggle in the table header that filters rows by sign(annualizedDiff) at every level.

- CSV export enabled on the table.

- No backend changes — the A2 by-class / by-account / by-service endpoints were already merged and contract-verified.

## Files changed

Created (3 drill hooks):

- klair-client/src/screens/AWSSpend/hooks/useCostMovementByClass.ts

- klair-client/src/screens/AWSSpend/hooks/useCostMovementByAccount.ts

- klair-client/src/screens/AWSSpend/hooks/useCostMovementByService.ts

Modified:

- klair-client/src/services/awsSpendApi.ts — three new drill item types (CostMovementClassItem / CostMovementAccountItem / CostMovementServiceItem) + three client fns (getCostMovementByClass / ByAccount / ByService).

- klair-client/src/screens/AWSSpend/components/CostMovementTable.tsx — converted FLAT → hierarchical lazy drill-down; wired the badge / signed-delta heatmap / NEW-pill renderers, the sign toggle, and CSV export.

Docs:

- features/aws-spend/cost-movement-qoq/specs/04-frontend-cost-movement-drill-down/spec.md — marked Completed.

- features/aws-spend/cost-movement-qoq/FEATURE.md — changelog synced (spec 04 → Completed).

## Tests

- 49 new A4 tests: CostMovementTable.spec.tsx rewritten (21) + the three drill-hook specs (10 + 9 + 9).

- Full cost-movement suite (including the A3-merged CostMovementPage and awsSpendApi.costMovement specs) = 63 tests, all passing.

- tsc --noEmit clean; eslint --max-warnings 0 clean.

## Self-review

- 1 finding found & fixed (IMPORTANT): the signed-delta TEXT color was inverted (green for increases). Flipped so increases render red / decreases green, matching the heatmap tint and spec FR3.

## Stacking note

The updated A3 base (feat/cost-movement-qoq-a3, advanced by review-fix commit 3f0eb046f) was merged into this branch. The only conflict was an obsolete JSDoc comment, resolved in favor of A4's hierarchical version. The PR is now mergeable.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

### Summary

This change enables comment chips on the Book Value Bridge tab of the Monthly Financial Reporting view, which were previously suppressed to avoid duplicate threads. Each Bridge table now carries its own table key (bv-bridge for the left/main table and bv-perf-bridge for the right/performance table), so comment anchors stay distinct from the Report tab (bv-report-triple). The column keys also differ between tabs (cur_sw/pri_sw/chg_sw vs software/investments/total), so no anchor can collide across tabs. Additionally, formatCellLabel now drops the empty parenthetical from cell labels so single-column tables (like the Software Performance Bridge) read EBITDA instead of EBITDA ().

### Business Value

Finance reviewers can now leave and read comment threads directly on the Book Value Bridge, closing a gap where the Bridge view was the only Book Value tab without commenting. This keeps reviewer context anchored to the exact bridge figures being discussed, improving the auditability and collaboration of the monthly close process.

### Changes

- Enabled comment support on both Bridge tab tables in [BookValueView.tsx](vscode-webview://15qdonnjjcq9q3pcmufmg5fa0asnqc6qnceup60m8cm6igoedkcj/klair-client/src/features/monthly-financial-reporting/components/BookValueView.tsx), passing commentSupport={{ tableKey: 'bv-bridge' }} (left) and commentSupport={{ tableKey: 'bv-perf-bridge' }} (right); replaced the suppression comment with an explanation of why anchors no longer collide.

- Updated formatCellLabel in [FinancialStatementTable.tsx](vscode-webview://15qdonnjjcq9q3pcmufmg5fa0asnqc6qnceup60m8cm6igoedkcj/klair-client/src/features/monthly-financial-reporting/components/FinancialStatementTable.tsx) to trim the column header and omit the parenthetical when the header is empty, producing Row Label instead of Row Label ().

- Added the bv-bridge → Book Value Bridge mapping to HARD_CODED in [humanizeTableKey.ts](vscode-webview://15qdonnjjcq9q3pcmufmg5fa0asnqc6qnceup60m8cm6igoedkcj/klair-client/src/features/monthly-financial-reporting/components/comments/humanizeTableKey.ts).

- Added a test in [FinancialStatementTable.spec.tsx](vscode-webview://15qdonnjjcq9q3pcmufmg5fa0asnqc6qnceup60m8cm6igoedkcj/klair-client/src/features/monthly-financial-reporting/components/FinancialStatementTable.spec.tsx) verifying the empty column-header parenthetical is omitted from the anchor label.

- Added a test in [humanizeTableKey.spec.ts](vscode-webview://15qdonnjjcq9q3pcmufmg5fa0asnqc6qnceup60m8cm6igoedkcj/klair-client/src/features/monthly-financial-reporting/components/comments/humanizeTableKey.spec.ts) for the new bv-bridge label.

### Testing

#### Prerequisites

- pnpm install (from klair-client/)

### Steps

1. From klair-client/, start the dev server with pnpm dev and open the link below.

2. Navigate to the Monthly Financial Reporting Book Value view and select the Bridge tab.

3. Hover a cell in the left (Book Value Bridge) table and click its comment chip; confirm a thread opens anchored to that cell.

4. Repeat on a cell in the right (Performance Bridge) table, including the single-column EBITDA row.

5. Switch to the Report tab and open a comment on a cell in the same row; confirm it is a separate thread from the Bridge tab.

6. Run the unit tests with pnpm test -- FinancialStatementTable humanizeTableKey.

### Expected Result

- Comment chips are present and clickable on both Bridge tab tables.

- The performance bridge anchor label reads EBITDA, not EBITDA ().

- Bridge tab and Report tab threads on the same row do not merge (distinct table/column keys).

- New unit tests pass.

#### Link

- http://localhost:3001/monthly-financial-reporting

#### Pages Affected

- Monthly Financial Reporting — Book Value (Bridge tab): http://localhost:3000/monthly-financial-reporting

https://github.com/user-attachments/assets/5e9a9f32-ecce-413e-a3a4-cbac9712f5f3

## Demo — proof the IAM change is applied

Captured live from AWS on 2026-06-10 06:54 UTC, account 479395885256, identity …/RAM-AWS-Int-CentralFunctions-CentralFinance-Admin/ashwanth.r.

1. Reconciler applied the expansion — uv run python scripts/reconcile_cost_explorer_policy.py --apply:

Diff vs live: +9 added, -0 removed
+ arn:aws:iam::157147590138:role/ESW-CO-ReadOnly-P2
+ arn:aws:iam::286233338944:role/ESW-CO-ReadOnly-P2
+ arn:aws:iam::362938602689:role/ESW-CO-ReadOnly-P2
+ arn:aws:iam::428226229991:role/ESW-CO-ReadOnly-P2
+ arn:aws:iam::452270531324:role/ESW-CO-ReadOnly-P2
+ arn:aws:iam::540235812892:role/ESW-CO-ReadOnly-P2
+ arn:aws:iam::637422716207:role/ESW-CO-ReadOnly-P2
+ arn:aws:iam::730335654448:role/ESW-CO-ReadOnly-P2
+ arn:aws:iam::764203154397:role/ESW-CO-ReadOnly-P2
Applied.

2. Live iam get-role-policy on klair-api-cost-explorer-role / AssumeESWCOReadOnlyP2 — now grants sts:AssumeRole on all 10 master payers (annotated with payer names):

$ aws iam get-role-policy --role-name klair-api-cost-explorer-role \
--policy-name AssumeESWCOReadOnlyP2 --query 'PolicyDocument.Statement[0].Resource'
arn:aws:iam::572481847476:role/ESW-CO-ReadOnly-P2   # VDI
arn:aws:iam::730335654448:role/ESW-CO-ReadOnly-P2   # ESW-Master1
arn:aws:iam::540235812892:role/ESW-CO-ReadOnly-P2   # EY Master 1
arn:aws:iam::157147590138:role/ESW-CO-ReadOnly-P2   # EY Master 2
arn:aws:iam::428226229991:role/ESW-CO-ReadOnly-P2   # EY Master 3 (Internal)
arn:aws:iam::362938602689:role/ESW-CO-ReadOnly-P2   # EY Add-ons
arn:aws:iam::637422716207:role/ESW-CO-ReadOnly-P2   # Wine Cellar
arn:aws:iam::286233338944:role/ESW-CO-ReadOnly-P2   # TotogiMaster0
arn:aws:iam::764203154397:role/ESW-CO-ReadOnly-P2   # Umbrella (Khoros)
arn:aws:iam::452270531324:role/ESW-CO-ReadOnly-P2   # Khoros ESW (new #2)

3. Drift check — re-running the reconciler (dry-run) confirms committed JSON == live policy:

Diff vs live: +0 added, -0 removed
(in sync)

---

## Summary

B0 of Cost Movement (QoQ) Phase B ([KLAIR-2860](https://linear.app/builder-team/issue/KLAIR-2860)). Makes the cross-account Cost Explorer access durable, reviewable, and drift-checkable instead of a one-shot console/CLI bootstrap buried in a spec.

The deployed klair-api reaches Cost Explorer by assuming ESW-CO-ReadOnly-P2 in a master payer, via the bridge role klair-api-cost-explorer-role (479395885256). Its inline policy AssumeESWCOReadOnlyP2 was hard-scoped to VDI only — blocking the Phase B "Explain this mover" drill (B1) from reaching the other 9 payers. This PR expands it to all 10, and turns the IAM state into committed, idempotent code.

## What changed

- services/cost_explorer_master_payers.json — canonical source of truth for the 10-payer fleet (id + name), bridge/policy names, and a consumers registry of every endpoint that uses the role. Edit payers here only.

- services/cost_explorer_master_payers.py — loader the app imports (MASTER_PAYERS, all_target_role_arns()). B1 imports this instead of duplicating the list.

- scripts/reconcile_cost_explorer_policy.py — declarative + idempotent reconciler. put_role_policy is a full replace, so re-running converges to exactly the JSON. Dry-run (default) prints the desired policy + diffs vs live; --apply writes. Re-running is also the drift check.

- Carry-forward comment "stamp" on both CE-consuming endpoints in routers/saas_budgeting_router.py + a pointer in services/cost_explorer_service.py. Convention (not CI-enforced, by deliberate choice): any new endpoint that assumes the role copies the block and appends itself to consumers.

## Why this shape (not Terraform / not a bootstrap script)

The bridge role isn't IaC anywhere; it was created once via CLI documented in a spec, which can't answer "what are the 10 ARNs right now?" without git archaeology. JSON-as-source-of-truth + an idempotent reconciler gives a reviewable diff per payer change, converges on re-run, and is the natural migration source if this ever moves to CloudFormation. Least-privilege is preserved — the capability stays isolated in the dedicated bridge role; the broad klair-api execution role is untouched.

## Applied

The reconciler has been run with --apply against account 479395885256:

Diff vs live: +9 added, -0 removed   (VDI-only -> all 10 master payers)
...
Applied.

Re-running dry-run now reports (in sync).

## Verification done

- ruff format + ruff check clean; pyright on the loader: 0 errors.

- Verified live (as CentralFinance-Admin) that all 10 master payers admit a direct assume from a 479395885256 assumed-role identity.

- Reconciler dry-run/apply/re-check confirms idempotent convergence.

## Notes / scope

- No runtime behavior change: cost_explorer_service.py still targets VDI only. Multi-payer wiring + the /cost-movement/explain drill is B1 ([KLAIR-2861](https://linear.app/builder-team/issue/KLAIR-2861)), which will import the loader and carry the comment stamp onto the new endpoint.

- The offline pipeline (aws-saas-budget-scripts) keeps its own MASTER_PAYERS (separate deploy bundle) — out of scope here; worth unifying later.

## Test plan

- [x] Reconciler dry-run shows the correct +9 diff

- [x] --apply succeeds; re-run reports in-sync

- [x] lint + typecheck clean

- [ ] Reviewer sanity-check the carry-forward convention wording

🤖 Generated with [Claude Code](https://claude.com/claude-code)