The Trilogy Times

Implements user-owned, org-promotable secret storage backed by WorkOS Vault, with a hard walled-garden guarantee: secrets are never revealed, are decrypted only inside the ECS runner at single-use lease redemption, and never cross an org boundary.

### Screenshots

<img width="698" height="446" alt="image" src="https://github.com/user-attachments/assets/87754730-6c97-40a6-a920-5fbae5730c3b" />

<img width="1141" height="569" alt="image" src="https://github.com/user-attachments/assets/92c6d7d2-ee6f-4644-82a7-aec889b6c1d2" />

<img width="1481" height="695" alt="image" src="https://github.com/user-attachments/assets/0627488b-0d74-4ccf-89d7-f8b72689d563" />

<img width="646" height="889" alt="image" src="https://github.com/user-attachments/assets/f5727411-4835-4237-a609-cbeefa969179" />

### Storage — real WorkOS Vault (convex/vault.ts)

- Action-only fetch client (mirrors the convex/users.ts Management-API pattern: WORKOS_API_KEY → Bearer, AbortSignal.timeout). create/read/update/list/delete against /vault/v1/kv.

- Per-context KEK gives a genuine cryptographic org/user wall at rest (BYOK-capable). But Vault read is by object id only — it is not an authorization boundary, so Convex enforces all authz *before* any Vault call. {owner, capability} is encoded in the object name (list can't filter by context); enumeration is driven off Convex rows.

- credentialBindings.secretRef:string is replaced by vaultRef:{ objectId, keyContext }; plaintext never touches the DB and is never returned.

### Ownership & roles (three-tier, permission-based)

- Credentials are user-owned by default, promotable to org-wide. Owner model user | organization; status active | revoked | expired | needs_reauth.

- Gates read the JWT permissions[] claim (never role slugs): operator baseline (add/use/rotate/revoke own; use org creds at runtime; promote own personal → org-wide), supervisor (sindri:supervisor: create/rotate/revoke/demote any org cred), admin (sindri:admin: + user/role mgmt). No viewer tier, no approval queue.

- Promotion is direct and own-creds-only; the promoter becomes steward (retains demote/revoke on that binding). Demotion returns the credential to the steward's personal scope. Promote/demote perform a real Vault re-key (create new object under the new context → repoint → delete old), since key context is immutable.

### Runner credential lease (single-use, burn-before-resolve)

- New credentialLeaseNonces table (orgId, frozen lockedBindingRefs, SHA-256 nonceHash, ~120s TTL).

- Nonce minted in dispatchActivation after claim, passed to the container as CREDENTIAL_LEASE_NONCE + CREDENTIAL_LEASE_URL; redeemed once via POST /credential-lease, gated by a standing runner key (X-Sindri-Runner-Key vs SINDRI_RUNNER_STANDING_KEY, fails closed) plus the nonce.

- Redeem splits mutation (authz + atomic issued→burned against the frozen refs, reusing the session-less resolveAuthorizedBinding) / action (Vault read). Mid-flight promotion → authority_invalid without burning → clean re-dispatch. stopEcsTasks kill switch on revoke. Resolved bundle exists only in the runner over TLS — never persisted or logged; redaction covers nonce/lease/material/token key patterns.

### UI (/credentials)

- Ungated route, My / Organization sections. Never-reveal entry dialog (ephemeral value state, cleared on close, autofill suppressed). Amber promote-warning dialog with explicit checkbox confirm; demote dialog. Affordances are disclosure-only — the backend remains the authority.

### Tests

- 323 convex tests (vault orchestration, walled-garden authz-before-Vault, re-key on promote/demote, lease mint/burn/expire/revoke, session-less claim re-auth regression, redaction canary) + frontend suite green; tsc/biome clean.

### External dependency (not in this PR)

The standing runner key must be provisioned in AWS Secrets Manager and wired into the ECS task-definition secrets block, with the same value set as SINDRI_RUNNER_STANDING_KEY in Convex env. The lease route fails closed (401) until it is set; live end-to-end runner leasing depends on it. A live vault.listObjects() probe to confirm the WorkOS Vault entitlement is still pending (built against the documented API; the WORKOS_API_KEY path is already proven by users.ts).

Canonical spec: features/platform/secret-storage/FEATURE.md.

---

> Note (rebased branch): This PR supersedes #113. Same secrets contribution, replayed cleanly onto current main as a single squashed commit (the old branch had diverged from main via squash-merged PRs). The identity model has since cut over from the {owner, capability} scheme described above to env-var-name identity (requiredEnvVars authored on the workflow start node; vault key context is {owner, secretId}); read capability → envVarName throughout. Canonical detail in features/platform/secret-storage/FEATURE.md.

## Summary

When the Aerie chatbot is wired to the Rhodes read MCP server, the agent

needs to resolve user references like "me", "myself", and "my" to the

actual logged-in Aerie user — not to whoever owns the shared

RHODES_MCP_API_KEY. Previously the Rhodes MCP server was always

authenticated with that shared key, so any per-user identity was lost and

the write prompt had no notion of who "me" was. This PR makes the chat

route forward the logged-in user's Clerk session token to the Rhodes MCP

server and surfaces the delegated actor's name/email in the Rhodes write

prompt, so user-field writes (p1Dri, p2Dri, assignee, approver,

mention) bind to the correct person.

### Screenshots

Aerie Chat should not believe that it is read-only, and it should know who the user is that they are talking to.

<img width="896" height="1253" alt="Screenshot 2026-06-17 at 10 15 43 PM" src="https://github.com/user-attachments/assets/88113d76-9c40-4ef3-bbac-5807090aa6b7" />

### Changes

- chat/lib/agent.ts — getRhodesMcpServerConfig now accepts an

optional delegatedAuthToken and { allowApiKeyFallback } option,

preferring the delegated token over RHODES_MCP_API_KEY and returning

null (no Rhodes read tools) when delegated auth is unavailable and the

fallback is disabled. createAgentModel takes a new

CreateAgentModelOptions object (rhodesActor, rhodesMcpAuthToken,

allowRhodesMcpApiKeyFallback) — normalized so the old bare-rhodesActor

call signature still works. Adds buildAerieRhodesWritePrompt(actor) and

sanitizePromptScalar to inject the logged-in actor's identity into the

write prompt and instruct the agent to interpret "me"/"my" as that user

rather than the API-key owner.

- chat/app/(main)/api/chat/route.ts — When RHODES_MCP_URL is

configured, acquires the Clerk session token via getToken() and passes

it as rhodesMcpAuthToken, with allowRhodesMcpApiKeyFallback: false so

an in-app session never silently falls back to the shared key. Token

acquisition failures are logged and degrade gracefully (Rhodes read tools

disabled for that request).

### Design Decisions

- No silent API-key fallback for in-app sessions — If we can't get a

per-user delegated token, we disable Rhodes read tools rather than

authenticating as the shared key owner, which would make "me" resolve to

the wrong person.

- Backward-compatible signature — createAgentModel's fourth argument

accepts either the legacy RhodesDelegatedActor or the new options

object, so existing callers are untouched.

- Sanitize prompt scalars — actor name/email are stripped of newlines

before interpolation to avoid prompt-structure injection.

## Test Plan

- [x] pnpm biome check clean on changed files (lefthook pre-commit)

- [x] typecheck-chat passes (lefthook ran tsc on every commit)

- [ ] pnpm --filter @bran/chat test chat/lib/__tests__/agent.test.ts —

delegated-token preference, fallback-disabled, actor identity prompt

- [ ] pnpm --filter @bran/chat test chat/app/(main)/api/chat/__tests__/route.test.ts —

route forwards delegated actor + Clerk session token

- [ ] Manual: with RHODES_MCP_URL set, send a chat as a logged-in user

and confirm Rhodes MCP is authed with the session token (not the

shared key) and that "assign p1Dri to me" resolves to the logged-in

user

## Problem

The openai-cost, openai-usage, and cursor-usage-events AI-spend pipelines were stopping one day earlier than necessary — their newest captured day was T-2 (day before yesterday), not T-1 (yesterday).

I verified via live provider API calls that yesterday's (T-1) data is fully available at the daily 06:00 UTC run time, so the lag was a code artifact, not a provider data-availability limit:

| Pipeline | Endpoint | June 17 (T-1) available at run time? |

|---|---|---|

| openai-cost | /v1/organization/costs | ✅ 523 results, $10,041 (one BU) |

| openai-usage | /v1/organization/usage/completions | ✅ 148 results, 7.06B tokens |

| cursor-usage-events | /teams/filtered-usage-events | ✅ full day, events through 23:59:47 |

## Fix

- openai-cost / openai-usage: end_date default yesterday → today. The Costs/Usage API end_time is exclusive, so an end of today's midnight now includes all of yesterday. Added a _get_today() helper.

- cursor-usage-events: end_date default T-2 → T-1 (_get_yesterday(), which already existed but was unused). The handler's existing +1 day exclusive-boundary logic then covers through end of yesterday.

start_date stays at T-2 in all three, so each run re-pulls the prior day idempotently (delete-then-insert / COPY keyed by date) as a self-heal. Explicit start_date/end_date params still override for backfills.

## Testing

- Unit tests updated and passing: openai-cost 111, openai-usage 100, cursor 19.

- Read-only end-to-end verification using the real client code + new default helpers (stops before the Redshift write):

- openai-cost: 1,046 rows → June 16: 523, June 17: 523 ✅

- openai-usage: 296 rows → June 16: 148, June 17: 148 ✅

- cursor: 30,998 events → June 16: 14,331, June 17: 16,667 ✅

## Not covered locally (by design)

The Redshift delete-then-insert/COPY write and the scheduled Lambda invocation mutate prod, so they're left to the next scheduled run (idempotent, so safe to re-run).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary

Reworks the Klair production-release workflow and restructures it as a self-contained skill. Validated against the Ash Test Space before raising the PR.

### 1. Command → skill

Moved the workflow into a skill folder so its supporting files have a natural home:

| Before | After |

|---|---|

| .claude/commands/prod-release.md | .claude/skills/prod-release/SKILL.md |

| .claude/scripts/prod-release-finalize.py | .claude/skills/prod-release/prod-release-finalize.py |

| — | .claude/skills/prod-release/gchat.sample.json (new) |

Still invoked as /prod-release. The finalize-script invocation now resolves via git rev-parse --show-toplevel, so it works from any cwd in the repo.

### 2. Headline card redesign (Step 6a)

- Header subtitle packs Prod Release: <date> (<N> commits) | Release Captain: @<captain> on one line; the separate "Released by" line is gone.

- Backup, What's shipping, Commits from, and the Open PR button move into a single collapsible section, so the resting card is just the header and the rest sits behind GChat's native Show more toggle.

### 3. Committer @-mentions (self-sustaining)

- The announcement now carries a text body that @-mentions the release's committers — the only place GChat delivers a real notification (mentions inside card widgets don't notify).

- The GitHub-login → Chat-user-ID map ships in the repo at .claude/skills/prod-release/gchat.sample.json (real values for the AI Builders space), so tagging works from a fresh clone with no personal or external config. It no longer reads the operator's personal gchat skill config.

- Fallback: a committer not in the map degrades to a plain-text @<login> (named, not notified).

## Platform constraints documented

- Card v2 headers are title + subtitle only — that's why Backup is a widget, not a header line.

- The collapse toggle text (Show more / Show less) is owned by GChat and can't be relabeled; webhook-posted cards can't handle interactive button callbacks.

- A mentioned user is only notified if they're a member of the space.

## Notes

- The webhook secret still lives in the operator's own ~/.claude/config/ping.json (documented in first-time setup) — that's the skill's own config, not the gchat skill, and a secret that can't be committed.

- No change to the backup/PR/merge/deploy flow or the threaded "Included commits" reply (Step 6b).

## Test

Posted the redesigned card (collapsed + expanded, all four committers tagged) to the Ash Test Space and iterated on layout/copy there until approved. Verified the in-repo map resolution end-to-end: mapped committers resolve to real <users/ID> mentions, an unmapped login falls back to @handle.

[KLAIR-2900](https://linear.app/builder-team/issue/KLAIR-2900)

## Summary

Reconciles the AI Renewals → Contract Term Length table (/renewals?tab=fionn) with Fionn's own agent dashboard, and makes the AI-vs-Traditional comparison readable at a glance. Driven by the AIOps reconciliation meeting (2026-06-18) and follow-up feedback from Chintan.

All changes are scoped to the CONTRACT TERM LENGTH table; no other surface is touched.

## What changed

1. Reconciled the headline 37-vs-18 discrepancy. Klair's Opps counts *resolved* deals (Closed Won + Lost); Fionn's "Closed" cards count *wins only*. Added an explicit Won column (closed_won_count) so both reconcile — 37 resolved = 20 won + 17 lost. Opps stays the win-rate denominator.

2. Reclassified 2yr → 3yr and 4yr → 5yr term buckets. A 2-/4-year term is a mid-cycle renewal re-cut to the next standard tier, so it belongs with 3yr/5yr rather than "Other" (Chintan's rule).

3. Added Won ARR (AI Won ARR / Trad. Won ARR). Per Chintan, this is the new ARR signed on the wins (arr_in_usd, post-renewal contract value incl. upsell) — the value coming in, *not* the prior book. 1yr AI Won ARR = $800.5K (matches the deal-level export). It is intentionally a different basis than the ARR column (prior book at stake), and the copy says so.

4. Added a Win Rate Δ column = AI win rate − Traditional win rate (signed pp; green = AI ahead, red = behind; neutral within ±0.5pp). Thin AI buckets (< 10 resolved deals) render greyed + tooltip-flagged so a small-sample gap isn't over-trusted. "—" when either side has no closed deals.

## Backend

- klair-api/renewals/fionn_handling.py: _TERM_MONTHS_TO_BUCKET adds 24→3yr / 48→5yr; _compute_metrics adds won_renewed_arr (SUM of arr_in_usd over won rows). Flows through the breakdown/merge to the term rows.

## Frontend

- useFionnHandling.ts: KpiRow gains optional won_renewed_arr.

- TermBreakdownTable.tsx: Won, Won ARR, and Win Rate Δ columns; tooltips + bulleted footnote; 2/4yr reclass copy. The Δ reuses the existing formatPctDelta + accent-success/warning idiom from BreakdownTable / FionnVsTrilogyComparison.

## Verification

- Backend: ruff + pyright clean; 120 fionn tests pass. Live Redshift render confirmed (1yr: 37 opps / 20 won / $800.5K won ARR / $1.09M at-stake).

- Frontend: eslint + tsc clean; 78 FionnHandling tests pass (incl. Won column, reclass, Won ARR, and Δ positive/negative/thin/em-dash cases).

## Notes for review

- The table is now 12 columns — functional with horizontal scroll, but wide for an SVP/C-level view. Open to trimming (e.g. folding Win Rate now that Δ exists) if preferred.

- 5yr Won ARR can slightly exceed its at-stake ARR — correct (upsell), not a bug.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary

Aerie's Rhodes-style site events (dri.assigned, milestone.completed, note.mention) were log-only: they wrote audit rows into notificationDispatchLog and never reached a user. This PR adds an Aerie-native notification system — an in-app inbox surfaced from a bell in the global shell, per-user/per-channel preferences, site subscriptions, and a Google Chat delivery channel built on the existing Rhodes Chat app credentials.

The design follows an outbox event → fanout → delivery split. Producer mutations enqueue a small notificationEvents row and return; an async processor resolves and de-dupes recipients (direct recipients plus active site subscribers), applies preferences, writes notifications inbox rows, updates bounded per-user inbox state, and enqueues notificationDeliveries for enabled external channels. Delivery dispatch uses an indexed queue state (ready / leased / terminal) with a 5-minute cron backstop so retries do not scan terminal rows. Missing or unverified Chat setup is recorded as non-retryable blocked_config rather than looping forever. Actor self-notifications are intentionally allowed and de-duped like any other recipient.

### Testing

Currently, in the [Rhodes GChat Config](https://console.cloud.google.com/apis/api/chat.googleapis.com/hangouts-chat?project=locationos-487316&supportedpurview=project) the

HTTP endpoint URL points to https://quiet-shrimp-950.convex.site/sync/google-chat/events, which is my Aerie Convex Dev environment. It will need to be switched with https://oceanic-pika-463.convex.site/sync/google-chat/events after prod is deployed.

GOOGLE_CHAT_PROJECT_NUMBER and GOOGLE_CHAT_SERVICE_ACCOUNT_KEY need to be in your Convex environment variables, accessible here: [Convex Dev](https://dashboard.convex.dev/t/ai-builder-team/bran-chat/quiet-shrimp-950/settings/environment-variables)

First-time Google Chat setup: in Google Chat, start a chat with the "Rhodes" app and send Link. This creates the verified Chat identity/DM-space connection needed for delivery.

<img width="296" height="98" alt="Screenshot 2026-06-16 at 6 57 55 PM" src="https://github.com/user-attachments/assets/831e0733-e0a2-4787-8107-c2f5974fbe59" />

1. @mention yourself in a note on Alpha School Test Site 59. (e.g. : Add a note to Alpha School Test Site 60 that mentions: \@Yibin Long HVAC Broken)

2. Assign yourself p1Dri/p2Dri

3. Complete a milestone for a site in which you're the p1Dri

All 3 should result in notifications on both GChat and in-app notifications

### Screenshots

<img width="1233" height="541" alt="Screenshot 2026-06-16 at 6 52 41 PM" src="https://github.com/user-attachments/assets/7f574a0e-c287-4ca0-88c6-3a9ff45f3484" />

<img width="430" height="528" alt="Screenshot 2026-06-16 at 6 52 52 PM" src="https://github.com/user-attachments/assets/2013c2e7-5fbb-4a91-b4f5-17f2fa2649e7" />

<img width="717" height="483" alt="Screenshot 2026-06-16 at 6 58 36 PM" src="https://github.com/user-attachments/assets/43275236-ee37-4422-aca0-b9b571c7287f" />

<img width="1004" height="275" alt="Screenshot 2026-06-16 at 7 06 00 PM" src="https://github.com/user-attachments/assets/c03e6015-ef9c-4227-8f49-705ed0cb40da" />

### Changes

Schema

- chat/convex/notifications/schema.ts *(new)* — notifications (inbox), notificationInboxState (bounded unread count/read watermark), notificationEvents (transactional outbox), notificationDeliveries (per-channel attempts + indexed queue state), notificationPreferences, siteNotificationSubscriptions, and verified notificationChannelConnections.

- chat/convex/schema.ts — Registers notificationsSchema in the root schema.

Backend — inbox, preferences, subscriptions

- chat/convex/notifications/inbox.ts *(new)* — Current-user queries/mutations: listMine (All/Unread/Archived), unreadCount, markRead, markAllRead, archive, unarchive. All scoped to the caller.

- chat/convex/notifications/preferences.ts *(new)* — listMine / setPreference, with in-app and Google Chat defaulting to enabled when no row exists.

- chat/convex/notifications/siteSubscriptions.ts *(new)* — Subscribe/unsubscribe/list for the current user's site subscriptions.

- chat/convex/notifications/channelConnections.ts *(new)* — Current-user Google Chat connection status plus internal verified binding from signed Google Chat interactions.

Backend — events & delivery

- chat/convex/notifications/events.ts *(new)* — enqueueNotificationEvent outbox + processor: recipient resolution/de-dupe, preference gating, inbox state updates, inbox row creation, delivery row creation, and dispatch scheduling.

- chat/convex/notifications/dispatch.ts *(new)* — processPending dispatcher: bounded batch over due deliveries, Google Chat adapter (service-account auth, verified DM-space usage/discovery/caching, message send), bounded retry with backoff, and blocked_config/retryable: false for user-actionable config failures.

- chat/convex/notifications/dispatchState.ts *(new)* — Indexed delivery queue helpers (ready / leased / terminal), leasing, context reads that require verified Chat connections, and result recording.

- chat/convex/notifications/googleChatInteractions.ts *(new)* — Signed Google Chat/Workspace add-on interaction endpoint. Users connect delivery by messaging Rhodes Link; the handler verifies Google, extracts chat.user, and stores the verified Chat user/DM-space connection.

- chat/convex/crons.ts — Adds 5-minute fallback drains for notification event processing and external delivery dispatch.

- chat/convex/_generated/api.d.ts — Regenerated to register the new notifications/* modules.

Producers

- chat/convex/rhodes/runtime/writes/siteWrites.ts — Enqueues dri.assigned on DRI assignment and milestone.completed on milestone completion.

- chat/convex/rhodes/runtime/writes/noteWrites.ts — Enqueues note.mention for mentioned users.

- chat/convex/rhodes/dashboard.ts — Enqueues dri.assigned / milestone.completed on the dashboard field-edit paths that mirror the runtime writes.

UI

- chat/components/notifications/notification-bell.tsx *(new)* — Bell with unread badge and a popover (All/Unread/Archived tabs, mark-all-read, per-row read/navigate/archive, inline preferences). Queries are skipped until Convex auth is ready.

- chat/components/notifications/site-subscription-button.tsx *(new)* — Subscribe/unsubscribe control for a site.

- chat/components/shell/top-bar.tsx / mobile-top-bar.tsx — Mount the bell before the theme picker in both shells.

- chat/components/dashboards/portfolio/site-detail-page.tsx — Adds the subscription button to the site header.

Tests

- chat/convex/notifications/notifications.test.ts *(new)* — Event outbox/fanout, preference gating, subscriber resolution/de-dupe, actor self-notifications, read/archive scoping, inbox-state mark-all-read, verified Google Chat binding, and dispatcher success/failure/blocked/retry behavior.

- chat/components/notifications/__tests__/* *(new)* — Bell rendering/tabs/badge/auth-skip and subscription-button behavior.

- chat/components/shell/__tests__/top-bar.test.tsx / mobile-top-bar.test.tsx — Assert the bell renders before the picker in both shells.

### Design Decisions

- New inbox tables, not notificationDispatchLog — The legacy log is audit-shaped (no createdAt/readAt/archivedAt, no unread indexes), so it stays for audit and the new notifications table becomes the inbox source of truth. No historical rows are migrated.

- Enqueue alongside, not replacing, the audit log — Producers keep calling logNotificationDispatch and additionally enqueue notification events, so audit behavior is unchanged and the new path is additive.

- Google Chat identity is verified, not client-supplied — Browser code cannot bind arbitrary Chat IDs. A user must message Rhodes Link; the signed Google Chat interaction creates a verified connection row. GChat delivery requires that one-time setup.

- Actor self-notifications are allowed — If the actor is also the direct recipient or an active site subscriber, they remain in the recipient set. This supports self-mentions and lets users verify actions they triggered.

- blocked_config is non-retryable — A user who has not completed the one-time Rhodes Link setup has no verified DM space; that's a user-actionable config gap, recorded once rather than retried into an infinite failure loop.

- Outbox + cron backstops — Product writes enqueue notification events rather than doing full fanout inline. Event processing and delivery dispatch are both kicked quickly and backed by 5-minute crons. A failed external delivery never rolls back the product mutation or the in-app row.

- Defaults without preference rows — In-app and Google Chat default to ON, so no backfill of preference rows is required for existing users.

## Test Plan

- [x] pnpm biome check clean on changed files (lefthook pre-commit, every commit)

- [x] typecheck-chat passes (lefthook ran tsc -p chat/tsconfig.json on every commit)

- [x] check-convex-paths passes

- [ ] pnpm --filter @bran/chat test — notifications, top-bar, and notification component suites

- [ ] Manual: assign a DRI / complete a milestone / mention a user, confirm the recipient gets an in-app notification and the badge increments

- [ ] Manual: subscribe to a site as a non-DRI and confirm relevant site notifications arrive

- [ ] Manual: after messaging Rhodes Link, confirm a Google Chat DM is delivered; without the one-time Link setup, confirm the delivery is blocked_config and not retried

- [ ] Manual: verify the bell popover (All/Unread/Archived, mark-all-read, archive, row navigation) and preference toggles in desktop and mobile viewports

## Demo

<img width="2624" height="1636" alt="image" src="https://github.com/user-attachments/assets/a2c6ddf2-7cca-4ebf-93ac-1db6e0d0c4f7" />

<img width="2624" height="1636" alt="image" src="https://github.com/user-attachments/assets/10c2f97e-168c-4fe9-8a4d-757f5f8eccf6" />

<img width="2624" height="1636" alt="image" src="https://github.com/user-attachments/assets/030e3fae-4bc3-4564-a01e-53d1a0a84d90" />

<img width="2624" height="1636" alt="image" src="https://github.com/user-attachments/assets/bad2e619-f7ea-45ef-b28c-4bed84c34e66" />

## Overview

This branch is an integration of a batch of Financials-dashboard work — features, data-integrity fixes, and sync/tooling improvements — built up over several sub-PRs (#417–#428) targeting ash/2026-06-17. Each discrete change is tracked by its own Linear ticket; the table below maps every workstream to its ticket, sub-PR, and key commits.

45 files changed, +4,778 / −752. Backend actual.dollars (QB) basis and the P&L reconciliation invariants are preserved except where a change explicitly re-bases display (HeadCount → XO) or intentionally drops a role from a rollup (noted inline).

## Consolidated HeadCount table

| Ticket | Change | PR / commits |

|---|---|---|

| [AERIE-406](https://linear.app/builder-team/issue/AERIE-406) | Re-base Current-$ onto each XO contractor's loaded annual package (weekly × 52 × 1.35), reconciled person → role → school → network. New Redshift→Convex pipeline (xoContractorPackage table + reader + refresh + worker wiring). Per-person rounded to $10 before rollup; tooltip shows exact + rounded; QB run-rate dropped from the XO tooltip. | 43b57b3d, deb365e0 |

| [AERIE-407](https://linear.app/builder-team/issue/AERIE-407) | Price Forecast/Capacity @ model $ on the rounded whole-person count so $ matches the No. column (round(heads) × baseSalary × XO_FACTOR). | #427 · 0a819573 |

| [AERIE-408](https://linear.app/builder-team/issue/AERIE-408) | Render only Lead Guides + Guides (drop Coordinators / Head of School from the drilldown, rollups, deltas, CSV). Intentionally no longer ties to the P&L Headcount-section total. | 7cdeca0e |

| [AERIE-409](https://linear.app/builder-team/issue/AERIE-409) | Match the "Hide No model" / "Hide no-enrolment" filter toggles to the Facilities/Programs text-pill style, inline beside Export CSV. | c5b7b4c7 |

## Run-rate correctness

| Ticket | Change | PR / commits |

|---|---|---|

| [AERIE-410](https://linear.app/builder-team/issue/AERIE-410) | Annualise consolidated run-rate (Headcount/Programs/Facilities) off closed months only — an in-progress month was diluting 12/monthsLoaded and understating run-rate ~15–20%. New runtime-free monthsOfQuarter / closedMonthsOfQuarter helpers in @bran/contracts + closedMonthGate in financial.ts, applied to all 6 query sites. | #425 · 39eac286 |

## Unitemized / P&L data quality

| Ticket | Change | PR / commits |

|---|---|---|

| [AERIE-399](https://linear.app/builder-team/issue/AERIE-399) | Split netted Unitemized into separate overage / underage magnitudes (consolidated + per-school), so offsetting gaps no longer collapse to a misleading ~$0. | 03b69032 |

| [AERIE-411](https://linear.app/builder-team/issue/AERIE-411) | Clickable Unitemized strip → in-flow per-school breakdown side panel attributing the network total to contributing schools (frontend-only; reuses the existing fan-out; failed reads flagged as lower bounds). | #426 · b05a1bb2 |

## Sync / data integrity

| Ticket | Change | PR / commits |

|---|---|---|

| [AERIE-397](https://linear.app/builder-team/issue/AERIE-397) | Parallelize financial-worker upserts (bounded-concurrency drain for pl-transactions & financial-monthly). | #420 · 057dea97, 5b15f6f3, fe6eb3ef, a6e40bcd |

| [AERIE-403](https://linear.app/builder-team/issue/AERIE-403) | Prune orphaned plTransactions via natural-key set-difference (additive-only sync left phantom itemized detail → persistent Unitemized underage). | #417 · f7343d2c, 592bb01d |

| [AERIE-404](https://linear.app/builder-team/issue/AERIE-404) | Skip unchanged-row writes in worker upserts (+ batch/index tuning) — cut the dominant write cost on the ~175k-row mirror. | 82a9520f |

| [AERIE-412](https://linear.app/builder-team/issue/AERIE-412) | Prune orphaned plMonthlyRecords via natural-key set-difference — a QB class rename was double-counting (Alpha Lake Forest Q1 $93,458; all 4 alias-merged campuses). Ports AERIE-403's sweep to the monthly table. | #424 · e37750be |

## Operational tooling

| Ticket | Change | PR / commits |

|---|---|---|

| [AERIE-413](https://linear.app/builder-team/issue/AERIE-413) | On-demand out-of-band refresh runner scripts for plTransactions and campus → QB entity mappings (reflect Redshift corrections immediately, no worker restart). | #428 · 964fcc83, 13e8706e |

| [AERIE-414](https://linear.app/builder-team/issue/AERIE-414) | Escape the two raw NUL (0x00) delimiter bytes in financial.ts to explicit JS unicode escapes (runtime byte-identical) so grep/rg stop treating the file as binary. | #418 · 47777b80 |

## Enrollment card

| Ticket | Change | PR / commits |

|---|---|---|

| [AERIE-415](https://linear.app/builder-team/issue/AERIE-415) | Remove the SCENARIO/DECK/GAP/FILL table from the Schools – Actual vs Model Enrollment card (keep header + Confirmed/QS/Capacity chips). | #423 · 2502bceb |

## Unit economics models

| Ticket | Change | PR / commits |

|---|---|---|

| [AERIE-416](https://linear.app/builder-team/issue/AERIE-416) | Add two non-alpha tiers (gt-25k, low-dollar-15k) to MODEL_HEADCOUNT_TABLE / MODEL_INPUTS_TABLE in @bran/contracts (+ version-controlled CSV source docs) so the dashboard renders model comparisons for the GT and Low-Dollar schools instead of "—". Modeled as standard tiers (no parser changes); 3 approximations documented inline. | #429 · 1cd5d2e8 |

## Testing

- New test suites: financialContractorPackage.test.ts, financialPrunePlMonthly.test.ts, financialPrunePlTransactions.test.ts, financialUpsertPlTransactions.test.ts, upsertDiff.test.ts, unitemized-breakdown-side-panel coverage, unit-economics-headcount.test.ts, plus expanded financial-monthly-refresh / pl-transactions-refresh sync tests.

- Each sub-PR landed with pnpm typecheck and pnpm biome check clean and the financials test suites green; orphan-prune fixes (AERIE-403/404/412) were additionally verified live on dev (prune counts and post-prune $0 residuals recorded in the respective ticket/commit).

## Summary

- Add a scoped platform automation runner for FO Buildout deferral, including durable run and run-item audit tables.

- Add an Admin Automations surface with list, automation detail, scoped validation, and run drilldown views.

- Wire admin automation capabilities, navigation, cron scheduling, and focused tests.

## Why

Portfolio/DDR FO dates are best estimates from when work can actually begin. When Acquire Property is not complete yet, the Executing Buildout due date needs to move forward one calendar day per daily automation run while remaining idempotent and auditable.

## Business Value

Operators can safely manage and inspect this automation from Admin, validate a single site before applying, and drill into run history to understand which sites changed, skipped, or were deduped.

## Breaking changes

None.

## Test plan

- [x] pnpm --dir chat exec vitest run convex/automations/platform.test.ts

- [x] pnpm --dir chat typecheck

- [x] pnpm exec biome check chat/app/\(main\)/admin/automations chat/convex/automations chat/components/admin packages/contracts/src/capabilities.ts packages/contracts/src/capabilities.test.ts chat/convex/crons.ts chat/convex/schema.ts chat/convex/users/roles.ts

- [x] Browser verified Admin Automations list, focused automation detail, scoped preview/apply flow, run drilldown, and run-item search filtering.

## Demo

<img width="2624" height="1636" alt="image" src="https://github.com/user-attachments/assets/745ef2b0-175b-4501-8fce-e4efaeb417ae" />

## What

Round the two Student : Guide ratio columns (Actual and Model) in the Consolidated HeadCount table to whole numbers. They previously rendered with one decimal (e.g. 4.6, 10.9); they now show 5, 11.

## Why

Requested for a cleaner read on the Headcount dashboard — the sub-decimal precision on the student-load ratio wasn't adding value.

## How

Both columns render through the single shared fmtRatio helper, so the change is one line:

// before
export function fmtRatio(value: number | null): string {
return value == null ? "—" : value.toFixed(1);
}
// after
export function fmtRatio(value: number | null): string {
return value == null ? "—" : Math.round(value).toString();
}

- File: chat/components/dashboards/financials/consolidated-headcount-table.tsx

- null still renders the em-dash placeholder (—).

## Reviewer note

fmtRatio also feeds the CSV export's Student:Guide Actual / Student:Guide Model columns, so the export now rounds to whole numbers too — intentional, to keep the export consistent with the on-screen table.

## Tests

Updated the colocated fmtRatio test (now asserts 12.5 → "13", 17.857 → "18", 20 → "20", 12.4 → "12"). Full file passes (44/44), and pre-commit biome + chat typecheck are green.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Demo

<img width="2624" height="1636" alt="image" src="https://github.com/user-attachments/assets/b88ab687-8220-46bf-a915-453f994efe26" />

## Summary

Reworks the segregated view of the ARR & Retention Reports tables so they group Business Unit → Class → End User/Customer under a single, de-duplicated hierarchy column. Covers all four Snowball Variance tables (Churn, Downsell, New Business, Upsell) plus Unplanned Churn and Late Renewals.

Landed over the session:

1. Swapped the End User and Class column order on the Snowball tables → Business Unit · Class · End User · Amount.

2. Added a Class grouping level so leaves nest under their Class (was BU → leaf).

3. Merged Business Unit and Class into one indented Business Unit / Class column, since the BU name was repeating on every child row.

4. Applied the same BU → Class → Customer pattern to Unplanned Churn and Late Renewals.

## Why

In segregated mode the Business Unit name was repeated on every child row (e.g. "IgniteTech" on each Class and customer), which was noisy. Grouping by Class first and collapsing BU + Class into one indented hierarchy column makes the tree read cleanly and adds a useful intermediate roll-up by Class.

## What changed

### Snowball Variances (Churn, Downsell, New Business, Upsell)

- utils.ts — new shared buildBuClassEndUserRows(groups, direction) helper builds the BU → Class → End User row tree once and is reused by all four tables. It emits a single GroupLabel per row: BU name at level 0, Class name at level 1 (indented), blank at the leaf (End User name lives in its own column). Direction controls by-amount ordering: asc (most-negative-first) for churn/downsell, desc (largest-first) for upsell/new business.

- Churn.tsx, Downsell.tsx, NewBusiness.tsx, Upsell.tsx — segregated transformedRows now call the helper; the separate BusinessUnit and Class columns are replaced by one Business Unit / Class column; pagination moved from level 1 to level 2 (10 End Users per page within each Class).

- Churn specifically: row-click (open renewal details) and the insights icon now apply only to End User leaf rows (level 2) — Class group rows just expand/collapse (isRowClickable guard changed from level === 0 to level < 2). Leaf rows keep their full record via spread, so renewal matching is unaffected.

### Unplanned Churn & Late Renewals

- UnplannedChurn.tsx, LateRenewals.tsx — segregated tables now build the same BU → Class → Customer tree inline. BU + Class share one indented Business Unit / Class column; the customer name moves to its own Customer column (the previous Class subtitle under each customer is dropped, since Class is now the parent group row).

- Class field: Company for Unplanned Churn, ClassWise for Late Renewals.

- Customer/class counts render on the group rows ("N customers · M classes" on the BU row, "K customers" on each Class row); ARR amounts roll up at each level (Current/Projected ARR for churn, Expiring ARR for late renewals).

- Per-customer columns (Renewal Date / Team / Pending Since) and the renewal-details icon render only on the customer leaf; group rows leave them blank.

- Pagination moved to level 2 (customers paginate under each Class); the renewal side-modal opens only from customer leaf rows (level < 2 rows just expand/collapse).

### Resulting layout

BUSINESS UNIT / CLASS      END USER / CUSTOMER          AMOUNT
▾ IgniteTech               39 customers · 11 classes        $-3.54M
▾ Khoros                 10 customers                     $-2.84M
Rogers Communications Inc.                            $-575.13K
Alteryx                                               $-558.90K

## Scope / not touched

- Flat (non-segregated) tables, comparison mode, and the charts are unchanged — they group by BU only, where there's no hierarchy to dedupe.

## Reviewer notes

- The per-BU class count ("M classes") is folded into the End User/Customer cell on the BU row, alongside the customer count.

- Group-vs-leaf rendering keys off the table's level arg (level !== 2) rather than sentinel field checks.

## Test plan

- [x] pnpm tsc --noEmit — clean

- [x] pnpm lint on all changed files — clean

- [x] LateRenewals.spec.tsx — 13/13 pass (no render tests cover the other components)

- [ ] Visual check in segregated mode for all six tables: expand a BU → Class groups appear; expand a Class → leaves with 10/page pagination; renewal drill-down opens only from leaf rows

Linear: https://linear.app/builder-team/issue/KLAIR-2899/nest-unplanned-churn-and-late-renewals-tables-by-class-bu-class

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary

Reworks the Klair production-release workflow and restructures it as a self-contained skill. Validated against the Ash Test Space before raising the PR.

### 1. Command → skill

Moved the workflow into a skill folder so its supporting files have a natural home:

| Before | After |

|---|---|

| .claude/commands/prod-release.md | .claude/skills/prod-release/SKILL.md |

| .claude/scripts/prod-release-finalize.py | .claude/skills/prod-release/prod-release-finalize.py |

| — | .claude/skills/prod-release/gchat.sample.json (new) |

Still invoked as /prod-release. The finalize-script invocation now resolves via git rev-parse --show-toplevel, so it works from any cwd in the repo.

### 2. Headline card redesign (Step 6a)

- Header subtitle packs Prod Release: <date> (<N> commits) | Release Captain: @<captain> on one line; the separate "Released by" line is gone.

- Backup, What's shipping, Commits from, and the Open PR button move into a single collapsible section, so the resting card is just the header and the rest sits behind GChat's native Show more toggle.

### 3. Committer @-mentions (self-sustaining)

- The announcement now carries a text body that @-mentions the release's committers — the only place GChat delivers a real notification (mentions inside card widgets don't notify).

- The GitHub-login → Chat-user-ID map ships in the repo at .claude/skills/prod-release/gchat.sample.json (real values for the AI Builders space), so tagging works from a fresh clone with no personal or external config. It no longer reads the operator's personal gchat skill config.

- Fallback: a committer not in the map degrades to a plain-text @<login> (named, not notified).

## Platform constraints documented

- Card v2 headers are title + subtitle only — that's why Backup is a widget, not a header line.

- The collapse toggle text (Show more / Show less) is owned by GChat and can't be relabeled; webhook-posted cards can't handle interactive button callbacks.

- A mentioned user is only notified if they're a member of the space.

## Notes

- The webhook secret still lives in the operator's own ~/.claude/config/ping.json (documented in first-time setup) — that's the skill's own config, not the gchat skill, and a secret that can't be committed.

- No change to the backup/PR/merge/deploy flow or the threaded "Included commits" reply (Step 6b).

## Test

Posted the redesigned card (collapsed + expanded, all four committers tagged) to the Ash Test Space and iterated on layout/copy there until approved. Verified the in-repo map resolution end-to-end: mapped committers resolve to real <users/ID> mentions, an unmapped login falls back to @handle.