TenantAtlas/specs/253-remove-findings-backfill-runtime-surfaces/data-model.md
ahmido 29ad8852ca
merge: platform-dev into dev (#295)
## Summary
- integrate the current `platform-dev` branch into `dev`
- bring the latest platform work from the integration branch into the main development branch
- include the recent findings lifecycle backfill removal slice together with the already accumulated `platform-dev` changes

## Scope
- source branch: `platform-dev`
- target branch: `dev`
- branch role: integration PR, not a single-feature PR

## Validation
- branch state reviewed before PR creation
- `platform-dev` is ahead of `dev` with the expected integration history
- this PR intentionally carries the accumulated `platform-dev` commits into `dev`

## Notes
- this is the correct merge direction for the current workflow, where feature branches land in `platform-dev` first and `platform-dev` is then merged into `dev`
- after merging, `platform-dev` can be recreated fresh from `dev` as usual

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #295
2026-04-28 22:11:20 +00:00


Data Model — Remove Findings Lifecycle Backfill Runtime Surfaces

Spec: spec.md

This feature is subtractive. It introduces no new persisted truth and no migration. The data-model impact is the removal of one obsolete runtime family and the reaffirmation of the canonical findings workflow as the only supported path.

Existing Canonical Entities Reused

Finding (findings)

Purpose: Tenant-owned findings workflow truth.

Key fields (existing):

  • id
  • workspace_id
  • tenant_id
  • status
  • triaged_at
  • first_seen_at
  • last_seen_at
  • times_seen
  • sla_days
  • due_at

Feature use:

  • Remains the canonical workflow truth for triage, assignment, progress, resolve, risk acceptance, ownership, SLA, due-date, and reviewable behavior.
  • Continues to require both workspace_id and tenant_id as non-null ownership anchors.
  • Is in scope only for regression protection, not for lifecycle redesign.

OperationRun (operation_runs)

Purpose: Existing canonical execution truth for supported long-running operations.

Key fields (existing):

  • id
  • workspace_id
  • tenant_id
  • type
  • status
  • outcome
  • context

Feature use:

  • After cleanup, no supported system, tenant, CLI, or deploy/runtime path may create a new OperationRun with type = findings.lifecycle.backfill.
  • Historical rows may remain stored as legacy data, but the feature does not preserve special retry, cancel, label, or alias handling for them.

AuditLog (audit_logs)

Purpose: Existing audit truth for prior lifecycle-backfill starts, blocked starts, and completions.

Feature use:

  • No new audit action family is introduced.
  • Historical rows may remain stored without new cleanup migration or compatibility layer.
  • Canonical findings workflow audit behavior remains unchanged and is protected through regression testing.

OperationalControlActivation (operational_control_activations)

Purpose: Existing runtime-safety truth for live operational controls.

Feature use:

  • The cleanup should not add or preserve a findings.lifecycle.backfill control key.
  • Existing backfill-specific blocked-start branches and tests should be removed because the active control catalog already rejects the key.

Removed Runtime Families

FindingsLifecycleBackfillSurface (derived, non-persisted)

Purpose: Describes each currently productized entry point that must disappear in the cleanup.

Runtime fields:

  • surface_id — unique identifier such as system.ops.runbooks, tenant.findings.list, console.tenantpilot.findings.backfill-lifecycle, or console.tenantpilot.run-deploy-runbooks
  • entry_type — runbook, header_action, command, deploy_hook, operation_label, capability_trace, or test_trace
  • operator_label — current visible product label such as Rebuild Findings Lifecycle or Backfill findings lifecycle
  • owner_path — current source file that makes the surface real
  • start_seam — shared service or registry seam that currently powers the entry point

Feature use:

  • Drives removal planning so the cleanup deletes the source of truth for each surface instead of only hiding one page affordance.

FindingsLifecycleBackfillExecutionCluster (derived, non-persisted)

Purpose: The dedicated runtime chain that currently starts, queues, and finalizes lifecycle backfill.

Current members:

  • FindingsLifecycleBackfillRunbookService
  • TenantpilotBackfillFindingLifecycle
  • TenantpilotRunDeployRunbooks
  • BackfillFindingLifecycleJob
  • BackfillFindingLifecycleWorkspaceJob
  • BackfillFindingLifecycleTenantIntoWorkspaceRunJob

Lifecycle rule:

  • The cluster is deleted in the same slice. No dormant flag, replacement command, or service shim is retained.

FindingsLifecycleBackfillTrace (derived, non-persisted)

Purpose: Registry, catalog, seed, test, and doc references that still advertise lifecycle backfill as supported behavior.

Trace fields:

  • trace_type — capability, seeder, operation_type, operation_alias, triage_support, control_branch, test, guard, or doc
  • identifier — exact key such as platform.runbooks.findings.lifecycle_backfill or findings.lifecycle.backfill
  • owner_path — file that currently carries the trace
  • removal_reason — why the trace must disappear with the runtime surface

Feature use:

  • Ensures cleanup removes registry and test ballast in the same slice instead of leaving the repo to advertise deleted behavior indirectly.

Data Ownership Notes

  • No new tables, settings, or persisted aliases are introduced.
  • No migration, historical data rewrite, or archival compatibility layer is planned.
  • Historical OperationRun and AuditLog rows are tolerated legacy data and do not justify preserving the removed runtime path.
  • Findings remain tenant-owned and continue to require both workspace_id and tenant_id as canonical ownership anchors.
  • Operational-control truth remains bounded to currently supported controls only; this slice should not keep a removed backfill control key alive through hidden test fixtures or service branches.

Removal Invariants

  • No supported path may create a new OperationRun with type = findings.lifecycle.backfill.
  • No supported page, command catalog, or deploy/runtime hook may advertise lifecycle backfill as an available operator action.
  • No compatibility shim, no-op command shell, or fallback alias may remain for the removed path.
  • Canonical findings workflow behavior remains unchanged and continues to operate on the existing Finding truth.
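
An added example, not code from the TenantAtlas repository: a guard in the sense of the guard trace type above, which scans a source tree for the identifiers this page lists as removed and reports each hit with its identifier and owner_path. The excluded directories (including specs, where this document itself names the keys), the line field, and the sample tree are assumptions made for the example.

```python
"""Guard: report any removed lifecycle-backfill identifier still present in a tree."""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Identifiers copied from this page: two registry keys and the six cluster members.
REMOVED = [
    "findings.lifecycle.backfill", "platform.runbooks.findings.lifecycle_backfill",
    "FindingsLifecycleBackfillRunbookService", "TenantpilotBackfillFindingLifecycle",
    "TenantpilotRunDeployRunbooks", "BackfillFindingLifecycleJob",
    "BackfillFindingLifecycleWorkspaceJob",
    "BackfillFindingLifecycleTenantIntoWorkspaceRunJob",
]
# Whole-identifier match, so a longer class name is never reported as a shorter one.
PATTERN = re.compile(r"(?<!\w)(" + "|".join(map(re.escape, REMOVED)) + r")(?!\w)")

@dataclass(frozen=True)
class Trace:
    identifier: str
    owner_path: str
    line: int  # 0 means the hit is in the file name itself (a leftover shell file)

def scan(root, exclude=("specs", "vendor", ".git")):
    """Return one Trace per occurrence; the exclude list is an assumption."""
    root, traces = Path(root), []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or rel.parts[0] in exclude:
            continue
        body = path.read_text(encoding="utf-8", errors="ignore").splitlines()
        for n, text in [(0, path.stem)] + list(enumerate(body, 1)):
            traces += [Trace(m.group(0), rel.as_posix(), n) for m in PATTERN.finditer(text)]
    return traces

def demo():
    """Constructed sample tree; every path and file body here is made up."""
    files = {
        "app/Support/OperationCatalog.php": "'findings.lifecycle.backfill' => 'Backfill',\n",
        "app/Jobs/BackfillFindingLifecycleJob.php": "<?php // no-op shell, old payloads\n",
        "app/Services/FindingService.php": "$finding->status = 'triaged';\n",
        "specs/253/data-model.md": "findings.lifecycle.backfill is removed\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(body, encoding="utf-8")
        return scan(tmp)
```

Run as a CI step, a non-empty result from scan() fails the build; checking file names as well as contents catches a no-op command or job shell that a content-only search would miss.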