From 6f6d032ca9c0a723ca9954024fa3564ef892f6e7 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Thu, 14 May 2026 00:48:23 +0800
Subject: [PATCH] fix(mcp): grant rollout verifier read tool
---
...i_mcp_rollout_verifier_seed_2026-05-13.sql | 77 +++++++++++++++++++
..._rollout_verifier_seed_2026-05-13_down.sql | 24 ++++++
2 files changed, 101 insertions(+)
create mode 100644 apps/api/migrations/awooop_awoooi_mcp_rollout_verifier_seed_2026-05-13.sql
create mode 100644 apps/api/migrations/awooop_awoooi_mcp_rollout_verifier_seed_2026-05-13_down.sql
diff --git a/apps/api/migrations/awooop_awoooi_mcp_rollout_verifier_seed_2026-05-13.sql b/apps/api/migrations/awooop_awoooi_mcp_rollout_verifier_seed_2026-05-13.sql
new file mode 100644
index 00000000..abd5e733
--- /dev/null
+++ b/apps/api/migrations/awooop_awoooi_mcp_rollout_verifier_seed_2026-05-13.sql
@@ -0,0 +1,77 @@
+-- T16 verifier gap: allow rollout status evidence through AwoooP MCP Gateway.
+-- Boundary: read-only scope only; no restart/delete/scale grant is added here.
+
+SELECT set_config('app.project_id', 'awoooi', FALSE);
+
+WITH upsert_tool AS (
+ INSERT INTO awooop_mcp_tool_registry (
+ project_id,
+ tool_name,
+ tool_type,
+ description,
+ allowed_scopes,
+ environment_tags,
+ is_active,
+ updated_at
+ )
+ VALUES (
+ 'awoooi',
+ 'k8s_watch_rollout',
+ 'mcp_server',
+ 'Kubernetes deployment rollout status read',
+ '["read"]'::jsonb,
+ '{"env": "prod"}'::jsonb,
+ TRUE,
+ NOW()
+ )
+ ON CONFLICT (project_id, tool_name)
+ DO UPDATE SET
+ description = EXCLUDED.description,
+ allowed_scopes = EXCLUDED.allowed_scopes,
+ environment_tags = EXCLUDED.environment_tags,
+ is_active = TRUE,
+ updated_at = NOW()
+ RETURNING tool_id
+),
+grant_agents(agent_id) AS (
+ VALUES
+ ('pre_decision_investigator'),
+ ('post_execution_verifier')
+),
+upsert_grants AS (
+ INSERT INTO awooop_mcp_grants (
+ project_id,
+ agent_id,
+ tool_id,
+ granted_by,
+ granted_scopes,
+ expires_at,
+ is_revoked,
+ revoked_at,
+ revoked_by
+ )
+ SELECT
+ 'awoooi',
+ grant_agents.agent_id,
+ upsert_tool.tool_id,
+ 'migration:t16_rollout_verifier_seed',
+ '["read"]'::jsonb,
+ NULL,
+ FALSE,
+ NULL,
+ NULL
+ FROM upsert_tool
+ CROSS JOIN grant_agents
+ ON CONFLICT (project_id, agent_id, tool_id)
+ DO UPDATE SET
+ granted_scopes = EXCLUDED.granted_scopes,
+ expires_at = NULL,
+ is_revoked = FALSE,
+ revoked_at = NULL,
+ revoked_by = NULL
+ RETURNING grant_id
+)
+SELECT
+ 'k8s_watch_rollout_read_grants' AS seed,
+ (SELECT count(*) FROM upsert_tool) AS tool_rows,
+ (SELECT count(*) FROM upsert_grants) AS grant_rows;
diff --git a/apps/api/migrations/awooop_awoooi_mcp_rollout_verifier_seed_2026-05-13_down.sql b/apps/api/migrations/awooop_awoooi_mcp_rollout_verifier_seed_2026-05-13_down.sql
new file mode 100644
index 00000000..740aa042
--- /dev/null
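Review bot: The `ON CONFLICT (project_id, agent_id, tool_id) DO UPDATE` branch of `upsert_grants` resets `is_revoked`, `revoked_at`, `revoked_by` and `expires_at` on any existing row, so running this seed re-enables a grant that was revoked on purpose and erases the record of who revoked it and when. I would limit the update to rows that are still live or were revoked by this seed's own rollback, by adding `WHERE awooop_mcp_grants.is_revoked = FALSE OR awooop_mcp_grants.revoked_by = 'migration:t16_rollout_verifier_seed_down'` after the SET list; a `grant_rows` value below 2 then shows that a manual revocation was left in place. The same branch leaves `granted_by` unchanged, so a reinstated row keeps its earlier granter; adding `granted_by = EXCLUDED.granted_by` would keep attribution accurate. Separately, `set_config('app.project_id', 'awoooi', FALSE)` here and in the down file sets the value for the whole session rather than the transaction; if the migration runner reuses its connection, passing `TRUE` inside an explicit transaction would confine the setting to this migration.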
+++ b/apps/api/migrations/awooop_awoooi_mcp_rollout_verifier_seed_2026-05-13_down.sql
@@ -0,0 +1,24 @@
+-- Roll back T16 rollout verifier read grant seed.
+
+SELECT set_config('app.project_id', 'awoooi', FALSE);
+
+UPDATE awooop_mcp_grants
+SET
+ is_revoked = TRUE,
+ revoked_at = NOW(),
+ revoked_by = 'migration:t16_rollout_verifier_seed_down'
+WHERE project_id = 'awoooi'
+ AND agent_id IN ('pre_decision_investigator', 'post_execution_verifier')
+ AND tool_id IN (
+ SELECT tool_id
+ FROM awooop_mcp_tool_registry
+ WHERE project_id = 'awoooi'
+ AND tool_name = 'k8s_watch_rollout'
+ );
+
+UPDATE awooop_mcp_tool_registry
+SET
+ is_active = FALSE,
+ updated_at = NOW()
+WHERE project_id = 'awoooi'
+ AND tool_name = 'k8s_watch_rollout';
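Review bot: The first `UPDATE` matches every grant the two agents hold on `k8s_watch_rollout`, including rows that are already revoked and rows the seed did not create, so it overwrites an existing `revoked_at`/`revoked_by` and can revoke a grant that predates the seed. Adding `AND is_revoked = FALSE` and `AND granted_by = 'migration:t16_rollout_verifier_seed'` to its `WHERE` clause keeps the rollback to what the up migration granted and preserves earlier revocation records. The second `UPDATE` sets `is_active = FALSE` for the tool as a whole; if other agents can hold grants on this tool outside this seed (not visible here), the deactivation reaches them too, and a comment such as `-- Deactivates the tool for every agent in project awoooi, not only the two seeded grants.` would make that explicit.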