The Trilogy Times

## Summary

- Collapse active workflow execution around agent nodes, Output Format, Quality Bar, durable Outcome Attempts, and Improvement Suggestions.

- Remove Script/Webhook workflow primitives, workflow-level evaluation compatibility, and legacy QC vocabulary from active runtime, UI, schema, and tests.

- Move internal research/spec docs under research/ and refresh the Lightpost around Sindri as a UI-neutral control plane.

## Why

The Outcomes/flywheel model had too many overlapping concepts: agent outcomes, workflow criteria, node overrides, script/webhook nodes, and legacy QC compatibility. This made the platform harder to explain, harder to inspect, and riskier to expose beyond the UI. This PR commits to the simpler agent-first model so future API/MCP/control-plane work has one clean foundation.

## Business Value

Users get a clearer, more durable model: agents define what good looks like, workflows compose agents, runs expose the evidence, and improvement suggestions remain reviewable rather than hidden. The same foundation can now be driven by UI, API, MCP, or agent sessions without carrying old workflow-quality concepts forward.

## Breaking changes

- Active Script/Webhook workflow primitives and Forge script authoring surfaces are removed.

- Workflow-level success criteria/evaluation contracts and legacy QC compatibility fields are removed from active platform contracts.

## Test plan

- [x] pnpm check

- [x] pnpm test

- [x] pnpm --dir agent-runner check

- [x] pnpm --dir agent-runner test

- [x] Retired-contract search audit for active code/docs

## Summary

- Add a synchronous school_opening agent answers endpoint at POST /v1/agent/answers

- Add the school-opening matrix/profile contracts, Buildout session-start resolution, and structured answer/QC runtime

- Document the endpoint in OpenAPI and cover public API, matrix, provider-failure, and output-quality paths with tests

## Why

We need a deployable short-term API surface for the first Agent-in-a-Box use case without taking on the larger durable agent hosting migration in this PR. The endpoint answers one bounded school-opening question using the configured prompt, skill rules, Buildout session start, inspected milestone data, and a QC pass.

## Business Value

External or internal agents can now ask Aerie for a structured school-opening answer that includes the direct answer, selected matrix cell, parent message, underlying data, methodology/worked example, evidence, and the brainlift/config context used to produce it.

## Breaking changes

None. This adds a new authenticated public API route and new contract exports.

## Test plan

- [x] PNPM_STORE_DIR=/Users/alghurab/Library/pnpm/store/v10 pnpm --filter @bran/chat lint

- [x] PNPM_STORE_DIR=/Users/alghurab/Library/pnpm/store/v10 pnpm --filter @bran/chat typecheck

- [x] PNPM_STORE_DIR=/Users/alghurab/Library/pnpm/store/v10 pnpm --filter @bran/contracts typecheck

- [x] PNPM_STORE_DIR=/Users/alghurab/Library/pnpm/store/v10 pnpm --filter @bran/chat exec vitest run lib/__tests__/agent-answer-school-opening.test.ts convex/publicApi/agentAnswersHttp.test.ts lib/public-api/__tests__/openapi.test.ts convex/publicApi/operationsHttp.test.ts convex/publicApi/admissionsDomainsHttp.test.ts convex/publicApi/financialsHttp.test.ts convex/publicApi/ontologyHttp.test.ts convex/publicApi/http.test.ts

- [x] PNPM_STORE_DIR=/Users/alghurab/Library/pnpm/store/v10 pnpm --filter @bran/contracts test -- src/school-opening-matrix.test.ts

- [x] Live dev API sweep: 5/5 answered across Austin, Houston, Edmond, Boca Raton, plus Spring 27 session-start override; bad generic scheduled-opening phrasing count was 0

Live response artifacts are saved locally at /tmp/aerie-school-opening-pr-gate-2026-06-19T05-56-49-894Z.

## What & why

Mercy (the @mercy PR-review bot) produces rich per-review data — verdict, findings, downgrade reasons, and (in the Claude CLI envelope) token usage + dollar cost — but today it all evaporates into 7-day GitHub artifacts. There's no way to answer "how many reviews ran, what did they cost, what's the approval/block rate, which repos use mercy."

This adds durable telemetry end-to-end and a Surtr /mercy dashboard to visualize it.

## How it works

mercy workflow (any repo)              Surtr (ECS) + AWS
emit_telemetry.py  ──POST(Bearer)──▶  /internal/mercy/telemetry (Hono, bearer-auth)
(fail-open, ./.trusted)                 └─ PutItem → DynamoDB surtr_mercy_telemetry
▲
/mercy page ◀── tRPC mercyStats/listMercyReviews ───────┘

- Emit (scripts/pr-review/emit_telemetry.py): fail-open, stdlib-only, runs from ./.trusted so a PR author can't tamper. Assembles one record from decision.json / review_output.json / the raw CLI envelope + github.* context and POSTs it as the workflow's last step. Never blocks a review.

- Ingest (/internal/mercy/telemetry): bearer-auth Hono route mirroring the existing observer-sweep route. Idempotent on a deterministic review_id so re-runs upsert.

- Storage: new CDK-owned DynamoDB surtr_mercy_telemetry (PK review_id; GSI per-repo; GSI global by month bucket; PITR + deletion-protection).

- Dashboard (/mercy): stat cards (reviews, approval/block rate, cost, latency p50/p95, active repos), reviews-/cost-per-day charts, findings-by-category, a per-repo table, and recent reviews with a drill-down drawer. Hand-rolled SVG charts — no new dependency.

## Multi-repo by design

Identity comes entirely from github.* context and the emit step lives in the workflow, so it drops unchanged into the future central/reusable mercy workflow — any adopting repo emits automatically once its two repo-level settings are present.

## Config already applied (this repo)

- SURTR_PROD_KEYS.MERCY_TELEMETRY_TOKEN added in Secrets Manager (us-east-1).

- Repo-level (not org-level) secrets.MERCY_TELEMETRY_TOKEN + vars.MERCY_TELEMETRY_URL set on AI-Builder-Team/Surtr.

## Still required to go live

1. cdk deploy SurtrApp-prod — creates the table, grants the ECS task role, injects the token/table env into the container.

2. Merge this PR — emit runs from the trusted (default-branch) checkout, so telemetry only starts flowing after merge (this PR itself emits nothing; fail-open). Same self-activation pattern as decide_review --ci-status.

## Test plan

- 6 new Python tests (test_emit_telemetry.py), 16 new Vitest tests (stats aggregation + ingest route auth/validation).

- 451 existing unit tests still green; tsc (src + infra) clean; cdk synth confirms the table with both GSIs + PITR + deletion-protection.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary

- Enable the five Surtr-owned SIS staging schedules after production validation.

- Disable the direct sis-core-tables clock schedule so core refreshes only after sis-staging-ready confirms all staging inputs are fresh.

- Update the SIS handoff doc with the 2026-06-19 validation evidence.

## Why

PR #484 intentionally landed the new SIS staging runners with schedules disabled while we validated them manually in production. That validation is now complete: all five staging runners refreshed Redshift with fresh sync_timestamp values, sis-staging-ready returned ready=true, and sis-core-tables rebuilt the expected core outputs.

The readiness gate is the correct handoff point. Leaving the old sis-core-tables clock schedule enabled would let core run at midnight UTC before the full staging set is guaranteed fresh.

## Business Value

Moves SIS refreshes onto observable, independently retryable Surtr schedules while preserving the safety gate that prevents partial-staging core rebuilds.

## Breaking changes

None. Operationally, sis-core-tables is now expected to run from the SIS readiness gate rather than its own clock schedule.

## Test plan

- [x] Manual production validation after deploy run 27802954039

- [x] staging_education.students: 16,407 rows, max sync_timestamp 2026-06-19 03:25:54, 0 null timestamps

- [x] staging_education.teacher_student_assignments: 25,924 rows, max sync_timestamp 2026-06-19 03:41:53, 0 null timestamps

- [x] staging_education.teachers: 396 rows, max sync_timestamp 2026-06-19 03:27:29, 0 null timestamps

- [x] staging_education.teacher_class_assignments: 732 rows, max sync_timestamp 2026-06-19 03:27:56, 0 null timestamps

- [x] staging_education.organizations: 129 rows, max sync_timestamp 2026-06-19 03:27:30, 0 null timestamps

- [x] sis-staging-ready: ready=true, triggered sis-core-tables

- [x] core_education.fct_student: 16,370 rows, snapshot 2026-06-19, 0 null snapshots

- [x] core_education.fct_staffing_assignment: 579 rows, snapshot 2026-06-19, 0 null snapshots

- [x] core_education.student_contacts: 9,851 rows, snapshot 2026-06-19, 0 null snapshots

- [x] git diff --check

- [x] jq empty on changed SIS pipeline.json files

- [x] npm run build in pipelines/cdk

- [x] npm test -- --runTestsByPath test/real-pipeline-configs.test.ts in pipelines/cdk

## Summary

Adds a daily per-team AI-spend leaderboard email — a scheduled job that ranks the members of a team/BU by their AI spend and emails the stack-rank to configurable recipients. First target: the Superbuilders team (Tech Super Builders).

Built across four increments (each brainstormed → spec → plan → TDD → reviewed):

1. Core leaderboard email — roster-first membership, per-provider split (OpenAI/Cursor + Anthropic key-name recovery), stats, fuzzy empty-group guard.

2. Branded email — Klair design system (dark bands, stat cards, rank-badge table), <$1 sub-dollar formatting.

3. Per-subscription Cc/Bcc — additive send_basic_email Cc/Bcc + config columns.

4. Single-day window — new default preceding_day (yesterday); --date for explicit day (testing/backfill); --window trailing_7d retained; global-max freshness guard skips the run when the target day isn't loaded.

## Architecture

- Standalone ECS cron (crons/ai_spend_rank_cron.py) on the existing klair-scheduled-jobs infra — deliberately decoupled from the deprecating digest/report_subscriptions engine.

- Data: reads mart_saas_metrics.fct_ai_spend + staging_gsheets.esw_people_accounts (directory). Window computed by a resolve_window helper; build_leaderboard takes explicit bounds.

- Config: standalone mart_alerts.ai_spend_rank_subscriptions table (group_by + value + recipients/cc/bcc + cadence).

- Send: reuses SES send_basic_email (extended additively with cc/bcc).

## Files (21)

klair-api/services/ai_spend_rank/ (models, config, leaderboard, render), crons/ai_spend_rank_cron.py, database/scripts/Alerts/ai_spend_rank/…create.sql, utils/email_service.py (additive cc/bcc), tests, and docs/superpowers/ (specs, plans, deploy runbook). No klair-client changes.

## Testing

- 60 unit tests pass (full feature + crons regression); ruff + pyright clean.

- Live Redshift integration test passes (Tech Super Builders).

- Validated in prod ECS: built/pushed an isolated dated image tag (not :latest), ran a --dry-run and a real send task on the klair-scheduled-jobs cluster — both exit 0, sent=1; :latest untouched, temp task-def revisions cleaned up.

## Deployment status (NOT yet live)

The EventBridge rule klair-ai-spend-rank-prod is already created but DISABLED (cron(45 12 * * ? *), 12:45 UTC daily). The config table exists with test recipients only (To = me, Bcc = a test address). Go-live steps (see docs/superpowers/ai-spend-rank-deploy-runbook.md):

1. Merge this PR.

2. Rebuild + push :latest from main.

3. Set real recipients in the config table.

4. aws events enable-rule --name klair-ai-spend-rank-prod.

Send-time caveat: 12:45 UTC must be after the daily raw+mart refresh; otherwise the freshness guard skips (safe, no email) or the global-max guard could let a provider-incomplete day through.

## Screenshot of Mail

<img width="1034" height="761" alt="image" src="https://github.com/user-attachments/assets/462da13b-6a27-4859-a7bf-1a5fa6faaaef" />

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary

The P&L transaction drill-down was surfacing phantom overage because balance-sheet accounts leaked into plTransactions. queryPlTransactions (sync/src/redshift/pl-transactions.ts) UNIONs four source arms, each joining a coa CTE — the set of distinct (account_id, company_id, account_name) tuples derived from quickbooks_pl_monthly, i.e. accounts that actually appear on the QB P&L report. The journal-entry and vendor-credit arms used INNER JOIN coa (correctly dropping accounts not on the P&L), but the purchases and bills arms used LEFT JOIN coa with a COALESCE(coa.coa_name, <src>.account_name) fallback. Balance-sheet accounts (zero rows in quickbooks_pl_monthly, so absent from coa) survived the LEFT join via the COALESCE fallback and leaked through.

Because those leaked rows have no P&L line total to net against in the drill-down, they surfaced as phantom overage — first observed as a ~$93K Q1'26 overage for Alpha Lake Forest, including a +$25,798 capex bill whose offsetting vendor credit had already (correctly) been dropped by the vendor-credit arm's INNER JOIN.

Fix: switch the purchases and bills arms to INNER JOIN coa and read coa.coa_name AS account_name directly, making all four arms consistent. Genuine P&L purchases/bills are unaffected (they exist in coa); only balance-sheet accounts drop out — the already-intended behavior.

## Join consistency (before → after)

| UNION arm | Join to coa (before) | Join to coa (after) | account_name projection |

|---|---|---|---|

| Purchases | LEFT JOIN coa | INNER JOIN coa | COALESCE(coa.coa_name, qp.account_name) → coa.coa_name |

| Bills | LEFT JOIN coa | INNER JOIN coa | COALESCE(coa.coa_name, qb.account_name) → coa.coa_name |

| Journal entries | INNER JOIN coa | INNER JOIN coa (unchanged) | coa.coa_name (unchanged) |

| Vendor credits | INNER JOIN coa | INNER JOIN coa (unchanged) | coa.coa_name (unchanged) |

JE and VC were already INNER; purchases and bills now match, so all four arms gate on the same "appears on the QB P&L" allow-list.

## Spec

- [07-balance-sheet-leak-inner-join](features/dashboards/pl-transaction-drilldown/specs/07-balance-sheet-leak-inner-join/spec.md) — Drop balance-sheet account leakage by making the purchases and bills arms INNER JOIN coa (consistent with the JE/VC arms) and removing the now-dead COALESCE(coa.coa_name, <src>.account_name) fallback. Balance-sheet accounts confirmed leaking: 11510 Tangible Assets, 16500 Inter Company Loan, and the unnumbered Inter Company Loan.

## Implementation

- File changed: sync/src/redshift/pl-transactions.ts

- Purchases arm: LEFT JOIN coa → INNER JOIN coa (same ON coa.account_id = qp.account_id AND coa.company_id = qp.company_id predicate).

- Bills arm: LEFT JOIN coa → INNER JOIN coa (same ON ... = qb.account_id AND ... = qb.company_id predicate).

- COALESCE cleanup: with both arms now INNER-joined, coa.coa_name is guaranteed non-null, so the COALESCE(coa.coa_name, <src>.account_name) AS account_name fallbacks are dead. Replaced both with coa.coa_name AS account_name, matching the JE/VC arms.

- The unrelated COALESCE(qp.net_amount, qp.line_amount) AS amount defensive guard on the purchases arm, the coa CTE definition, and the JE/VC arms are untouched.

## Test coverage

3 new SQL-shape regression guards in sync/src/redshift/pl-transactions.test.ts (file now 14 tests, all passing):

1. No LEFT JOIN coa anywhere in the generated SQL.

2. Exactly 4 INNER JOIN coa (one per arm).

3. Exactly 4 coa.coa_name AS account_name projections; the dead COALESCE(coa.coa_name, ...) is gone, while the unrelated COALESCE(qp.net_amount, qp.line_amount) amount guard is asserted to remain.

## Self-review

No issues found. Two risks were explicitly assessed:

- Over-drop risk: the coa CTE is global/unscoped, so the INNER JOIN drops *only* accounts with zero rows in quickbooks_pl_monthly — exactly the balance-sheet accounts we intend to exclude. No genuine P&L purchase/bill is removed.

- Fan-out / duplicate risk: any multi-match fan-out is a pre-existing property of the coa join (LEFT and INNER fan out identically on a multi-match); this PR does not introduce or change it.

- No NULL account_name slip-through: coa.coa_name is non-null on an INNER join, so dropping the COALESCE fallback cannot emit NULL labels.

## Manual verification (for reviewer / post-merge)

This change could not be exercised in CI — there is no live database in CI. To confirm end-to-end:

1. Re-run the Redshift → Convex sync so plTransactions is regenerated with the new INNER joins.

2. Confirm the Alpha Lake Forest Q1'26 drill-down overage drops from ~$93K to ~$0.

3. Confirm no P&L expense line loses transactions (genuine purchases/bills on accounts present in coa are retained unchanged).

## Linear

AERIE-418

---

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary

- Route Rhodes Worker MCP calls through canonical api.rhodes.mcp.* refs and add a regression guard for stale Convex API paths.

- Add request IDs across delegated Rhodes mutation routes and preserve upstream error/request context.

- Harden Drive upload approval lifecycle with idempotent completion, terminal-state-safe failure handling, and MCP elicitation guard tests.

## Why

A user was blocked adding a note after the Worker hit a stale Convex public function path and surfaced an opaque server error. The note had actually saved, but retry behavior produced duplicate proposals and poor traceability. During the incident audit we also found upload edge cases where approval-card upload routes could corrupt or misreport pending mutation state after ambiguous completion/failure paths.

## Business Value

Users get clearer request IDs for support/debugging, note/add mutation approvals no longer fail due to stale Worker API refs, and Drive upload approvals are less likely to show false failures or corrupt completed upload state.

## Deployment

Production CD does not currently deploy chat/rhodes-worker to Cloudflare. After Convex deploy, explicitly deploy the location-os-mcp Worker from chat/rhodes-worker before expecting this to fix prod Worker behavior.

## Test plan

- [x] pnpm --dir chat/rhodes-worker typecheck

- [x] pnpm --dir chat/rhodes-worker test

- [x] pnpm --dir chat typecheck

- [x] pnpm --dir chat lint

- [x] pnpm --dir chat exec vitest run 'app/(main)/api/rhodes/mutations/upload-failed/__tests__/route.test.ts' 'app/(main)/api/rhodes/mutations/upload-complete/__tests__/route.test.ts' convex/rhodesMcpMutationParity.test.ts components/__tests__/tool-call.test.tsx

- [x] pnpm --dir chat exec vitest run lib/__tests__/agent.test.ts

- [x] targeted Rhodes mutation route/delegation tests

- [x] git diff --check

## Follow-up

MCP clients without elicitation support remain a broader product/design issue. This PR confirms Aerie chat writes use approval-card proposals instead of SDK elicitation, and the remote Worker rejects unsupported elicitation instead of approving silently. A separate branch should tackle the client-compatibility UX more directly.

## Why

Follow-up to #495 (PARTIAL throttle). On the standup, Benji flagged that the alerts channel is too noisy — "I can only ever see one, maybe one-and-a-half notifications at a time." The ask: render alerts as collapsible cards (like the @mercy PR-review notifications) so the top line is glanceable and the error detail is hidden away behind a "show more" toggle.

This implements that for both notification paths: failure/partial alerts and observer alerts.

## What changed

Failure / partial — pipelines/cdk/lambdas/gchat-notifier/handler.py

- Was plain text; now a cardsV2 card.

- Glance line = header: ⚠️ <pipeline> — PARTIAL / 🚨 <pipeline> — FAILED, subtitle [ENV] · Run <id>.

- Collapsible "Details" section: the one-line context (Consecutive failures: N / the throttle line) stays pinned (uncollapsibleWidgetsCount: 1); the verbose error/detail collapses behind Chat's native "Show more" toggle.

- Reuses existing card conventions — red #D93025 (FAILED) / amber #F9AB00 (PARTIAL), matching emoji, View in Surtr button. HTML-escapes pipeline-supplied text (tag-injection guard). Detail budget 500→1500 chars (it's hidden by default).

Observer — Surtr/src/lib/gchat.ts

- Already cardsV2; made the Findings section collapsible (uncollapsibleWidgetsCount: 0) — it's the bulk of the card height. Findings (N) is the teaser; verdict header + summary stay visible as the at-a-glance line.

## Design note

Collapsed the *findings* (observer) and the *error/detail body* (failure/partial), but kept the observer summary and the one-line context visible — that's the most useful "why" at a glance, and the noise Benji flagged is the multi-widget findings list + verbose traces. Flipping the summary to collapse too is a one-liner if preferred.

⚠️ Chat's toggle label is Google-rendered "SHOW MORE / SHOW LESS" — not customizable to the literal "show more details" wording, but identical behavior to the @mercy cards.

## Tests

- Notifier (Python): 10/10 — card shape, collapsible section, pinned context, color, escaping, truncation, routing. ruff format + ruff check clean.

- Observer (TS): 19/19 (+ collapsible-findings & summary-stays-expanded cases); trigger test 8/8; biome clean; tsc --noEmit 0 errors.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Demo

<img width="1259" height="1170" alt="image" src="https://github.com/user-attachments/assets/8bc158bc-77b4-4470-9cf9-a177339717ed" />

## Summary

Adds a /prod-release skill for Surtr at .claude/skills/prod-release/, ported from Klair's existing release workflow and adapted to Surtr's deploy model. It runs the full production release end-to-end with three human gates.

Files:

- SKILL.md — the 10-step workflow

- prod-release-finalize.py — the atomic, deterministic finalize step (merge + CD monitor + GChat reply)

- gchat.json — committer GitHub-login → GChat user-ID map (AI Builders space)

## What the flow does

1. Backup origin/production → release/<UTC-stamp>-backup (e.g. release/2026-06-18-1430-backup), pushed straight from the remote-tracking ref so a divergent local branch can't contaminate it

2. PR main → production (Prod Release: YYYY-MM-DD)

3. Ping GChat (AI Builders space, reusing ~/.claude/config/ping.json) — a collapsible headline card with committer @-mentions + a threaded "Included commits" reply

4. Gate: wait ~30 min for "no concerns"

5. Finalize (prod-release-finalize.py): merge with a merge commit → monitor the CD run to completion → post a threaded ✅ Release Complete / ❌ Release Failed reply on the same announcement thread

## Key adaptation vs Klair (for reviewers)

Klair *dispatches* two deploy workflows after merge. Surtr's .github/workflows/cd.yml runs on push to production, so merging the PR auto-triggers exactly one CD run. The finalize script therefore does not dispatch anything — it merges, finds the run whose headSha == merge commit (so it never monitors a concurrent/pre-existing run), waits for the run-level conclusion (skipped deploy jobs still count as success), and reports it. Non-zero exit if the deploy didn't succeed, so the skill halts loudly.

Other Surtr-specific deltas: prod branch is production (not prod); merge strategy is --merge (matches existing Merge pull request #N from AI-Builder-Team/main history); backup naming keeps Surtr's release/…-backup prefix but adds a collision-proof UTC stamp.

## Notes for reviewers

- The GChat webhook is read at runtime from ~/.claude/config/ping.json (a local, never-committed secret) — no secret is in this PR.

- gchat.json reuses Klair's AI Builders github_logins map. Surtr contributors not in it are still named as plain @login but won't be *notified* until added.

- This PR only adds the tooling; it does not run a release.

## Verification

- python3 -m py_compile prod-release-finalize.py — clean

- gchat.json validates as JSON

- All gh JSON fields used (headSha, databaseId, url, event, status, conclusion) confirmed valid for gh run list / gh run view

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Demo

Proves SURTR-213 end-to-end: live QuickBooks Deposits are fetched, filtered to expense-account lines only, transformed with the positive-sign convention, and loaded into the new staging_education.quickbooks_deposits table — verified by reading the rows back from Redshift.

Backend — Deposit expense-line transform (reproducible, no creds)

Ran a throwaway script that imports handler._build_accounts_map + handler._transform_to_deposit_records and calls them directly on synthetic QB fixtures — a vendor-refund deposit (bank line + expense line) and a deposit with no expense lines:

[miami] deposit 2524: no Expense-account lines found, skipped account types: ['Bank', 'Other Current Asset']. Emitting no rows.
Input: 2 deposits (4 lines total) -> emitted 1 row(s)
Expected: 1 (the single Expense-account line; the all-non-expense deposit emits 0)
{"transaction_id": "2798", "txn_date": "2026-03-23", "account_id": "104", "account_number": "63220", "account_name": "Workshops", "class_name": "Alpha Miami", "line_amount": "1120.0000", "line_description": "Alpha Miami-Refund"}

Only the Expense-account line is emitted; the bank "deposit-to" line and the all-non-expense deposit are dropped (the latter emits zero rows — no header-level fallback). line_amount is stored positive; account_number/account_name come from the chart of accounts.

Pipeline + Data — live run loads the new table

Ran the pipeline locally against production QuickBooks for one company (miami, Q1 2026) with a real Redshift write (date-windowed, idempotent; downstream trigger not configured locally, so skipped):

[quickbooks_deposits] Uploading 3 records to s3://.../quickbooks_deposits/miami/...jsonl
[quickbooks_deposits] Running atomic DELETE + COPY for miami (2026-01-01 to 2026-03-31)
[quickbooks_deposits] Loaded 3 records for miami
[miami] OK: 163 bills, 7 credits (7 vc lines), 100 bill payments, 55 journal entries, 42 purchases, 19 deposits (3 deposit expense lines)
No DOWNSTREAM_PIPELINE_ID configured, skipping core tables trigger

19 raw Deposits → 3 expense lines loaded. Reading them back from Redshift:

SELECT transaction_id, txn_date, account_number, account_name, class_name, line_amount, line_description
FROM staging_education.quickbooks_deposits WHERE company_id='miami' ORDER BY txn_date, account_number;
transaction_id | txn_date   | account_number | account_name | class_name  | line_amount | line_description
2208           | 2026-01-23 | 62400          | Utilities    | Alpha Miami | 0.0100      | Alpha Miami-Test
2507           | 2026-02-24 | 62400          | Utilities    | Alpha Miami | 0.0100      | Alpha Miami-Test payment
2798           | 2026-03-23 | 63220          | Workshops    | Alpha Miami | 1120.0000   | Alpha Miami-Refund

The $1,120 refund to 63220 Workshops is the exact vendor-refund credit the pre-implementation reconciliation flagged as missing — now itemized with its expense account_id.

Most at risk from this change — the new query_accounts / query_deposits fetches and the new table write sit inside the *existing* per-company AP sync loop, so the danger is regressing entities that already work. Verified they all still sync in the same run (bills, vendor_credits, bill_payments, journal_entries, purchases all loaded for miami above; 1 succeeded / 0 failed), and the scoped tests pass:

uv run pytest tests/test_handler.py tests/test_redshift_handler.py tests/test_end_of_month.py -q
92 passed in 0.23s

---

## Overview

Extends the quickbooks-ap-sync Lambda to fetch the QuickBooks Deposit entity — never fetched before — and write a new staging_education.quickbooks_deposits staging table, one row per Deposit expense-account line (vendor refunds posted back to an expense account). These refunds already net into quickbooks_pl_monthly, but no line-level table ingested them, so the Aerie "Actual vs Model" drill-down's itemized sum exceeded the net line total ("underage" cells). The new table is a structural twin of quickbooks_bills / quickbooks_vendor_credits so a downstream UNION ALL arm needs no per-source column mapping.

Linear: [SURTR-213 — QB sync: capture Deposit line items (vendor refunds) with expense account_id](https://linear.app/builder-team/issue/SURTR-213)

## Pre-implementation confirmation (live QB)

The ticket-mandated live-QB confirmation PASSED — all three diagnosed cells were verified as genuine Deposit expense lines. QB returns the refund Amount as positive, confirming the positive-store convention (downstream negates).

| Company | Cell | Confirmed amount |

|---|---|---|

| Alpha Miami | Deposit expense line | −1,120 |

| Scottsdale | Deposit expense line | −562.81 |

| Carrolton | Deposit expense line | −30 |

## Implementation summary

src/qb_client.py

- NEW query_deposits() — queries the QB Deposit entity over the same [start_date, end_date] window via the existing _query_qb() pagination + Fault-handling helper.

- NEW query_accounts() — SELECT * FROM Account ORDERBY Id (deterministic pagination) for the chart-of-accounts lookup.

src/handler.py

- NEW _build_accounts_map() — builds {account_id → name / number / type}.

- NEW _transform_to_deposit_records() — reads DepositLineDetail (AccountRef / ClassRef), emits a row ONLY for lines mapping to an AccountType == "Expense" account (skips bank / income / balance-sheet lines), stores line_amount POSITIVE (downstream negates, mirroring vendor_credits), with NO header-level fallback row.

- Wired query_accounts() + query_deposits() into the per-company loop and added quickbooks_deposits to table_writes.

src/redshift_handler.py

- Registered quickbooks_deposits in TABLE_CONFIGS (column set identical to bills / vendor_credits).

ddl/create_quickbooks_deposits.sql

- NEW staging table; PK (company_id, transaction_id, line_id); DISTKEY company_id; SORTKEY (txn_date, account_id).

Tests

- tests/test_handler.py — deposit transformer: DepositLineDetail parsing, expense-only filter, positive sign, multi-line, no-fallback.

- tests/test_redshift_handler.py — test_deposits_config_matches_bills.

- tests/test_end_of_month.py — added query_accounts / query_deposits mocks.

## Key design decisions

- DepositLineDetail, not AccountBasedExpenseLineDetail. QB Deposit lines carry a different detail type than Bills/VendorCredits/Purchases. The transformer reads DepositLineDetail.AccountRef / .ClassRef rather than reusing the existing expense-detail-type path.

- Expense-only filter via the new query_accounts(). The pipeline had no chart-of-accounts lookup. A single Deposit mixes the bank/clearing line with the expense-account refund lines, so we fetch the Account list once per company, build an {account_id → AccountType} map, and keep only lines whose account is AccountType == "Expense".

- Positive-store sign convention + reconciliation invariant. line_amount is stored as the positive raw QB Amount (mirroring quickbooks_vendor_credits); the downstream consumer negates. The full 5-way reconciliation invariant, per (account_id, company_id, month), is:

bills + purchases + journal_entries + vendor_credits(-line_amount) + deposits(-line_amount) ≈ pl_monthly.amount

within $0.50.

- No header-level fallback row. A Deposit whose lines are all bank/income/balance-sheet is legitimately not an expense transaction and emits zero rows (unlike the Bills/VendorCredit transformers); a Deposit with lines but no qualifying expense line logs a WARN.

## Test coverage

Full pipeline suite 147 passing; ruff clean.

## Self-review

No CRITICAL/IMPORTANT findings. Two MINOR items fixed: deterministic account pagination (ORDERBY Id) and a doc-notation fix in FEATURE.md's reconciliation line.

## Out of scope

- core_education.fct_expense UNION ALL arm — adding quickbooks_deposits as a negated UNION ALL source is downstream quickbooks-core-tables work, tracked separately. The table is a structural twin so that arm needs no per-source column mapping.

- Aerie pl-transactions.ts wiring — surfacing the new deposit rows in the Aerie "Actual vs Model" drill-down is a separate AERIE-repo ticket.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary

- Make SIS staging syncs fail closed when the upstream list response omits count

- Add handler regression coverage for the missing-count path across organizations, teachers, teacher assignments, students, and enrollments

## Why

Mercy flagged that the existing shortfall guard only ran when the SIS API returned an expected count. If that field disappeared or changed shape, a non-empty partial fetch could still replace the full staging table without triggering the guard.

## Business Value

Protects SIS staging tables from silent shrinkage during full-refresh loads, preserving data completeness for downstream education reporting.

## Breaking changes

None.

## Test plan

- [x] /tmp/surtr-sis-test-venv/bin/python -m pytest tests in pipelines/runners/sis-organizations-sync

- [x] /tmp/surtr-sis-test-venv/bin/python -m pytest tests in pipelines/runners/sis-teachers-sync

- [x] /tmp/surtr-sis-test-venv/bin/python -m pytest tests in pipelines/runners/sis-teacher-class-assignments-sync

- [x] /tmp/surtr-sis-test-venv/bin/python -m pytest tests in pipelines/runners/sis-students-sync

- [x] /tmp/surtr-sis-test-venv/bin/python -m pytest tests in pipelines/runners/sis-student-enrollments-sync