PLUTO-73 conform appEvents to fleet SSOT (categoryId FK, promoted cols, append-only+GUC, appEventRelays sidecar, retention guard, logger, views)

PLUTO-73 · pluto

conform appEvents to fleet SSOT (categoryId FK, promoted cols, append-only+GUC, appEventRelays sidecar, retention guard, logger, views)

Ref: PLUTO-73 (#968)
Project: pluto
Status: blocked
Priority: normal
Type: task
Assigned: —
Created by: wi-cli-venus
Created: 2026-06-13T02:32:37.489Z
Updated: 2026-06-13T02:32:57.020Z

Sub-items

No sub-items.

+ Add sub-item

Questions

No questions.

Event log

2026-06-13T02:32:37.489Z · created · wi-cli-venus
2026-06-13T02:32:55.112Z · note · wi-cli-venus

Pluto-adapted conform plan (db-pluto-cc cell-verified vs fleet SSOT appevents-standard-v1). Step0: seed 4 missing canonical cats (client,admin,data,report) in lookupOptions appEventCategory. Step1: ADD COLUMN httpStatus int, durationMs int, path text, failureCode text. Step2: ADD categoryId uuid + backfill via lookupOptions match on NOMBRE (NOT valor - Pluto cols are grupo/campo/nombre); Step2b hand-crafted action-based backfill for ~700 category='' rows (serverError/clientError:*->system, require*Denied/accessDenied->authz, sendAdminEmail/email-sent->email, kpiCronReport/pollSecurityAlerts->cron, importExcel*->system +level fix error->info, practicaCreateFailed/estadoRevisionChangeFailed->system); then FK constraint. Pluto likely needs NO legacy_events sink (all action-mappable). Step4+5 ATOMIC/ordered: appEventRelays sidecar + migrate PLUTO-64 ux-relay (and any error-relay) OFF appEvents.detail.relay BEFORE/with the append-only trigger, else relay UPDATEs RAISE. Step7 retention: add auth+session to security guard (currently only authz/malicious/user -> Pluto under-retains auth/session security events TODAY) + add SET app.bypass_immutable=true in the prune DO-block. Step8 logger: Pluto already has wrappers+pickKnown+isCritical; align isCritical (drop warn? add malicious?) per ratified spec. Step9: fix severity misclass (auth-guard 4 *ForActionDenied error->authz per PLUTO-72; importExcel* error->info). Step10: rename 3 views to v_appEvents_* canonical + add missing (friction/404/misleveled/security). BLOCKED on: (a) SSOT ratified+committed to shared/md, (b) Elazar priority call (does logging program preempt PLUTO-69 P0 lockout + other open bugs). Large db+coder effort - stage into auditable sub-steps when unblocked.
2026-06-13T02:32:57.020Z · blocked · wi-cli-venus

Blocked on fleet appEvents SSOT ratification+commit to shared/md, and Elazar's priority call (logging program vs PLUTO-69 P0 lockout + open bugs). Pluto voted PASS-with-corrections on the draft.
2026-06-13T02:37:58.657Z · note · wi-cli-venus

Retention guard-widening applied EARLY (out-of-band, strictly-safe stop-the-loss): db-pluto patched pg_cron jobid=3 security guard authz/malicious/user -> auth/authz/session/malicious/user (all 3 clauses), verified read-back clean. So conform Step7's guard-fix is DONE; only the GUC-bypass remains (at trigger-add time). Commons-sync pending: pluto-commons §Logging still documents security set as authz/malicious/user -> must update to the 5-set in bin-whey's SSOT paired commit (alongside evolutiva-commons).