
Queue — In-Flight PR Disposition

Status: Design v1
Owner: software-architect
Date: 2026-05-09 UTC

This document gives a recommended action for each in-flight PR that overlaps with Queue's ownership. Actions:


PRs #1500–#1508

PR #1500 — feat(rbac): RBAC V2 schema migration 0021 + audit-role seed

State: MERGED
Disposition: ALREADY-MERGED — schema lives in Console Postgres; migrated-in-place.
Phase 2 action: In Phase 3 (DB extraction), the rbac_* tables will be extracted alongside queue_* customer tables. No immediate action.
Effort to refactor into Queue: 1 dev-day (update migration path + ownership docs).


PR #1501 — feat(audit/phase0): raptor_app role separation — Phase 0 prerequisite

State: MERGED
Disposition: ALREADY-MERGED — this is Raptor's own DB role separation (infrastructure), not Queue's.
Phase 2 action: None. raptor_app role separation is a Raptor concern regardless of Queue. Stays as-is.
Effort to refactor into Queue: 0 (not Queue's concern).


PR #1502 — feat(audit/phase1): customer_audit_events + shadow tables + RLS + pg_audit

State: OPEN
Disposition: RENAME-AND-MERGE
Rationale: The schema is correct and approved. The migration file lives at backend_v2/db/migrations/016_... today. Merge as-is. In Phase 2 (cutover), move the migration file ownership to queue/db/migrations/ and update the audit writer to use Queue's service-auth. The Postgres objects live in the same DB in Phase 1-2 so there is no physical migration needed now.
Effort to refactor into Queue: 0.5 dev-days (file rename + ownership annotation).


PR #1503 — feat(auth): WebAuthn login endpoint + session mint

State: OPEN
Disposition: CLOSE-AND-REPLACE
Rationale: The logic (py-webauthn assertion, session mint, challenge store) is correct and will be ported directly into queue/api/routes/auth.py and queue/api/services/webauthn_service.py. However, the current implementation writes to customer_sessions (old table name) and lives in backend_v2/api/routes/auth.py. Porting to Queue's module under Queue's naming is cleaner than landing in the old location and immediately refactoring. File QS-3 (Queue sub-card for WebAuthn login) instead.
Effort to port into Queue: 1 dev-day (the diff is directly applicable; it's a module move + table rename).


PR #1504 — feat(rbac): grant/revoke API with pre-write audit

State: OPEN
Disposition: CLOSE-AND-REPLACE
Rationale: This PR implements RV-2 (grant/revoke API) in the Console Flask app. Queue now owns this surface. The endpoint logic and pre-write audit pattern (ADR-0055) are sound and will be ported to queue/api/routes/rbac.py. Filing QS-6 (Queue RBAC grants API sub-card) supersedes this PR.
Effort to port into Queue: 1 dev-day.


PR #1505 — feat(auth): session management v2 — idle/absolute timeout + revoke

State: OPEN
Disposition: CLOSE-AND-REPLACE
Rationale: Session v2 (idle/absolute timeout, slide, revoke) is core Queue functionality. The service logic (create_session_v2, validate_session, slide_session) will be ported to queue/api/services/session_service.py against the queue_sessions table. The migration (014) adds columns to customer_sessions; in Queue this lands as part of queue/db/migrations/001_queue_core_tables.sql, which defines the shape from scratch.
Effort to port into Queue: 0.5 dev-days.


PR #1506 — feat(audit): writer endpoint + HMAC-SHA-256 + KMS hash chain

State: OPEN
Disposition: CLOSE-AND-REPLACE
Rationale: The SC-A3 audit writer is the canonical Queue audit write path. The current implementation lives at backend_v2/api/routes/customer_audit.py and audit_writer_service.py. Queue owns this service. Port to queue/api/routes/audit.py + queue/api/services/audit_writer_service.py. The HMAC-KMS logic, service-token auth pattern, and rate-limiting are all directly applicable. File QS-7 (Queue audit writer sub-card).
Note: PR #1506 also includes migration 016 (from SC-A2/PR #1502). See #1502 disposition above — that migration merges via #1502. This PR's DB work is therefore already resolved.
Effort to port into Queue: 1 dev-day.


PR #1507 — feat(auth): backup recovery codes — generate + redeem

State: OPEN
Disposition: RENAME-AND-MERGE
Rationale: The implementation is correct and nearly complete. The logic lives in backend_v2/api/routes/auth.py. Merge into Raptor's auth blueprint as-is (since it is behind FLAG_AUTH_BACKUP_CODES=off). In Phase 2, the endpoints are redirected to Queue's /api/v1/auth/backup-codes/* and the Raptor implementation is disabled. This keeps the PR's work from being blocked on Queue's Phase 1 timeline.
Caveat: The queue_backup_codes table (Queue's canonical table) is a rename of the table this PR creates. Migration will handle the rename in Phase 2.
Effort to refactor into Queue: 0.5 dev-days (mount under Queue blueprint + table rename migration).


PR #1508 — feat(auth): email verification — send + verify

State: OPEN
Disposition: RENAME-AND-MERGE
Rationale: Same as #1507. Email verification is feature-flagged off. Merge into Raptor now; redirect to Queue in Phase 2. The Postmark wrapper (postmark_client.py) will be shared between Queue and Raptor or moved to Queue's services package.
Effort to refactor into Queue: 0.5 dev-days.


Design PRs #1464 and #1465

PR #1464 — design(rbac-v2): RBAC V2 — ticket-scoped grants, audit roles, grant API, migration plan

State: MERGED
Disposition: ALREADY-MERGED — design doc at docs/architecture/rbac-v2/.
Phase 2 action: Update docs/architecture/rbac-v2/design.md to note that Queue is the implementation home for the grant API (RV-2, RV-3, RV-4). File a follow-up doc update card.
Effort: 0.5 dev-days (doc update only; no code change).


PR #1465 — design(audit): v2 — operator + security feedback integration

State: MERGED
Disposition: ALREADY-MERGED — design doc at docs/architecture/customer-audit-unified/.
Phase 2 action: Update docs/architecture/customer-audit-unified/design.md §writer to note that Queue is the canonical audit writer owner. Add cross-reference to docs/architecture/queue/design.md. File a doc update card.
Effort: 0.5 dev-days (doc update only).


Summary Counts

Action              Count   PRs
ALREADY-MERGED      3       #1500, #1501, #1464, #1465 (4 merged; #1501 + #1500 are code; #1464 + #1465 are design)
RENAME-AND-MERGE    2       #1502, #1507, #1508 (merge as-is, refactor in Phase 2)
CLOSE-AND-REPLACE   3       #1503, #1504, #1505, #1506 (port into Queue sub-cards)

Merged (code): 2 (#1500, #1501)
Merged (design): 2 (#1464, #1465)
RENAME-AND-MERGE: 3 (#1502, #1507, #1508)
CLOSE-AND-REPLACE: 4 (#1503, #1504, #1505, #1506)


Impact on v1 Timeline

Closing #1503, #1504, #1505, #1506 does not lose work — those implementations are ported directly into Queue sub-cards (QS-3, QS-4, QS-5, QS-6, QS-7). The code diff from each PR is the starting point for its corresponding Queue sub-card. Estimated porting overhead per card: 0.5–1 dev-day.

Merging #1502, #1507, #1508 now unblocks their downstream sub-cards without waiting for the full Queue Phase 1 timeline.