KB-3119
TD-HARDEN Report: TD-057 + TD-022
Date: 2026-03-03 | Status: COMPLETE
TD-057: Server-Side L2 Checkpoint Validation
Problem
L2 (User Approval) checkpoints could be approved via the API even when L1 (AI Review) was incomplete. The client-side lock in CheckpointPanel.vue was the only enforcement, so any caller that bypassed the UI could skip it.
Solution: Directus Hook Extension
- Extension: directus/extensions/l2-checkpoint-guard/
- Type: Filter hook on task_checkpoints.items.update
- Logic: When status is set to passed on an L2 checkpoint, the hook queries L1 checkpoints via Knex. It blocks the update if any L1 checkpoint is not passed or if no L1 checkpoint exists.
- Deploy tool: dot/bin/dot-hook-deploy (rsync + restart Directus)
- Directus version: 11.5.1 on VPS (Node.js 22.14.0)
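The guard logic described above, as an added example that is not the project's extension code: the decision is a pure function, so the cases in the Test Results table can be checked without a database, and the wiring follows the shape of a Directus hook's default export. The primary key id, the columns task_id, layer and status, and the values L1 and L2 are assumptions; the page does not show the schema.

```javascript
// Added example, not the project's code. Assumed schema: task_checkpoints has
// id, task_id, layer ('L1' | 'L2') and status columns.

// Pure decision. targets: rows being updated; l1ByTask: Map(task_id -> [L1 statuses]).
function checkL2Approval(payload, targets, l1ByTask) {
  if (!payload || payload.status !== 'passed') return { allowed: true };
  for (const row of targets) {
    if (row.layer !== 'L2') continue; // non-L2 updates pass through
    const l1 = l1ByTask.get(row.task_id) || [];
    // Fail closed: a task with no L1 checkpoint at all is treated as unreviewed.
    if (l1.length === 0) {
      return { allowed: false, reason: `task ${row.task_id}: no L1 checkpoint exists` };
    }
    if (l1.some((s) => s !== 'passed')) {
      return { allowed: false, reason: `task ${row.task_id}: L1 review not passed` };
    }
  }
  return { allowed: true };
}

// Wiring. In an extension this function would be the default export;
// `database` is the Knex instance Directus passes to hooks.
function registerL2Guard({ filter }, { database }) {
  filter('task_checkpoints.items.update', async (payload, meta) => {
    if (!payload || payload.status !== 'passed') return payload;
    // An update payload carries only the changed fields, so load the rows by key.
    const targets = await database('task_checkpoints')
      .whereIn('id', meta.keys)
      .select('id', 'task_id', 'layer');
    const taskIds = targets.filter((r) => r.layer === 'L2').map((r) => r.task_id);
    const l1Rows = taskIds.length
      ? await database('task_checkpoints')
          .whereIn('task_id', taskIds)
          .where('layer', 'L1')
          .select('task_id', 'status')
      : [];
    const l1ByTask = new Map();
    for (const r of l1Rows) {
      if (!l1ByTask.has(r.task_id)) l1ByTask.set(r.task_id, []);
      l1ByTask.get(r.task_id).push(r.status);
    }
    const verdict = checkL2Approval(payload, targets, l1ByTask);
    // Throwing inside a filter hook cancels the update.
    if (!verdict.allowed) throw new Error(`L2 approval blocked: ${verdict.reason}`);
    return payload;
  });
}
```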
Test Results
| Test | Action | Result |
|---|---|---|
| L2 when L1 incomplete | PATCH #9 status=passed | BLOCKED (500 + message) |
| L2 when L1 all passed | PATCH #9 status=passed | ALLOWED |
| Non-L2 updates | PATCH #7 status=passed | ALLOWED |
PRs
- web-test PR #423: Hook extension + deploy tool
- Deployed to VPS: Extension loaded (confirmed in Directus logs)
TD-022: Error Envelope for Agent Data API
Problem
23 API error responses used inconsistent formats: plain strings, inline dicts, bare str(e). No tracing (request_id) on errors.
Solution
- Request ID middleware: Every request gets X-Request-ID
- Global exception handler: Normalizes ALL errors to structured format
- All 23 errors migrated to use _error() helper
- Standard envelope: {code, message, details, source, request_id}
Error Code Inventory
| Code | HTTP | Count |
|---|---|---|
| UNAUTHORIZED | 401 | 1 |
| FORBIDDEN | 403 | 1 |
| NOT_FOUND | 404 | 5 |
| CONFLICT | 409 | 2 |
| UNAVAILABLE | 503 | 4 |
| INTERNAL | 500 | 10 |
PRs
- agent-data-test PR #284: Error envelope standardization
- CI: All checks pass, auto-deployed to VPS
Summary
Both tech debts resolved. System hardened for AI council UI testing.