TenantAtlas/specs/253-remove-findings-backfill-runtime-surfaces/data-model.md
ahmido 2fa8fc0f87
refactor: remove findings lifecycle backfill runtime surfaces (#294)
## Summary
- decommission the legacy findings lifecycle backfill substrate across command, job, service, and UI layers
- remove related platform capabilities, operation catalog entries, and action surface exemptions
- add regression and removal verification tests to ensure runtime integrity and surface absence
- include spec, plan, tasks, and data-model artifacts for the removal slice

## Scope
- active spec: specs/253-remove-findings-backfill-runtime-surfaces
- target branch: dev

## Validation
- integrated regression and removal verification tests for console, findings, and system ops surfaces
- audit log and capability trace verification for the removal path

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #294
2026-04-28 22:00:51 +00:00

# Data Model — Remove Findings Lifecycle Backfill Runtime Surfaces

**Spec**: [spec.md](spec.md)

This feature is subtractive. It introduces no new persisted truth and no migration. The data-model impact is the removal of one obsolete runtime family and the reaffirmation of the canonical findings workflow as the only supported path.

## Existing Canonical Entities Reused

### Finding (`findings`)

**Purpose**: Tenant-owned findings workflow truth.

**Key fields (existing)**:

- `id`
- `workspace_id`
- `tenant_id`
- `status`
- `triaged_at`
- `first_seen_at`
- `last_seen_at`
- `times_seen`
- `sla_days`
- `due_at`

**Feature use**:

- Remains the canonical workflow truth for triage, assignment, progress, resolve, risk acceptance, ownership, SLA, due-date, and reviewable behavior.
- Continues to require both `workspace_id` and `tenant_id` as non-null ownership anchors.
- Is in scope only for regression protection, not for lifecycle redesign.

### OperationRun (`operation_runs`)

**Purpose**: Existing canonical execution truth for supported long-running operations.

**Key fields (existing)**:

- `id`
- `workspace_id`
- `tenant_id`
- `type`
- `status`
- `outcome`
- `context`

**Feature use**:

- After cleanup, no supported system, tenant, CLI, or deploy/runtime path may create a new `OperationRun` with `type = findings.lifecycle.backfill`.
- Historical rows may remain stored as legacy data, but the feature does not preserve special retry, cancel, label, or alias handling for them.

### AuditLog (`audit_logs`)

**Purpose**: Existing audit truth for prior lifecycle-backfill starts, blocked starts, and completions.

**Feature use**:

- No new audit action family is introduced.
- Historical rows may remain stored without new cleanup migration or compatibility layer.
- Canonical findings workflow audit behavior remains unchanged and is protected through regression testing.

### OperationalControlActivation (`operational_control_activations`)

**Purpose**: Existing runtime-safety truth for live operational controls.

**Feature use**:

- The cleanup should not add or preserve a `findings.lifecycle.backfill` control key.
- Existing backfill-specific blocked-start branches and tests should be removed because the active control catalog already rejects the key.

## Removed Runtime Families

### FindingsLifecycleBackfillSurface (derived, non-persisted)

**Purpose**: Describes each currently productized entry point that must disappear in the cleanup.

**Runtime fields**:

- `surface_id` — unique identifier such as `system.ops.runbooks`, `tenant.findings.list`, `console.tenantpilot.findings.backfill-lifecycle`, or `console.tenantpilot.run-deploy-runbooks`
- `entry_type` — `runbook`, `header_action`, `command`, `deploy_hook`, `operation_label`, `capability_trace`, or `test_trace`
- `operator_label` — current visible product label such as `Rebuild Findings Lifecycle` or `Backfill findings lifecycle`
- `owner_path` — current source file that makes the surface real
- `start_seam` — shared service or registry seam that currently powers the entry point

**Feature use**:

- Drives removal planning so the cleanup deletes the source of truth for each surface instead of only hiding one page affordance.

### FindingsLifecycleBackfillExecutionCluster (derived, non-persisted)

**Purpose**: The dedicated runtime chain that currently starts, queues, and finalizes lifecycle backfill.

**Current members**:

- `FindingsLifecycleBackfillRunbookService`
- `TenantpilotBackfillFindingLifecycle`
- `TenantpilotRunDeployRunbooks`
- `BackfillFindingLifecycleJob`
- `BackfillFindingLifecycleWorkspaceJob`
- `BackfillFindingLifecycleTenantIntoWorkspaceRunJob`

**Lifecycle rule**:

- The cluster is deleted in the same slice. No dormant flag, replacement command, or service shim is retained.

### FindingsLifecycleBackfillTrace (derived, non-persisted)

**Purpose**: Registry, catalog, seed, test, and doc references that still advertise lifecycle backfill as supported behavior.

**Trace fields**:

- `trace_type` — `capability`, `seeder`, `operation_type`, `operation_alias`, `triage_support`, `control_branch`, `test`, `guard`, or `doc`
- `identifier` — exact key such as `platform.runbooks.findings.lifecycle_backfill` or `findings.lifecycle.backfill`
- `owner_path` — file that currently carries the trace
- `removal_reason` — why the trace must disappear with the runtime surface

**Feature use**:

- Ensures cleanup removes registry and test ballast in the same slice instead of leaving the repo to advertise deleted behavior indirectly.

## Data Ownership Notes

- No new tables, settings, or persisted aliases are introduced.
- No migration, historical data rewrite, or archival compatibility layer is planned.
- Historical `OperationRun` and `AuditLog` rows are tolerated legacy data and do not justify preserving the removed runtime path.
- Findings remain tenant-owned and continue to require both `workspace_id` and `tenant_id` as canonical ownership anchors.
- Operational-control truth remains bounded to currently supported controls only; this slice should not keep a removed backfill control key alive through hidden test fixtures or service branches.

## Removal Invariants

- No supported path may create a new `OperationRun` with `type = findings.lifecycle.backfill`.
- No supported page, command catalog, or deploy/runtime hook may advertise lifecycle backfill as an available operator action.
- No compatibility shim, no-op command shell, or fallback alias may remain for the removed path.
- Canonical findings workflow behavior remains unchanged and continues to operate on the existing `Finding` truth.
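
The removal invariants and the `FindingsLifecycleBackfillTrace` fields can be checked mechanically by scanning the tree for the removed keys and class names. The following is an added example, not code from the TenantAtlas repository: the file paths in the sample tree are constructed, and skipping `specs/` (because the removal spec itself names the identifiers) is an assumption.

```python
import os
import tempfile

# Keys and class names listed in the data model above.
REMOVED_IDENTIFIERS = [
    "findings.lifecycle.backfill", "platform.runbooks.findings.lifecycle_backfill",
    "FindingsLifecycleBackfillRunbookService", "TenantpilotBackfillFindingLifecycle",
    "TenantpilotRunDeployRunbooks", "BackfillFindingLifecycleJob",
    "BackfillFindingLifecycleWorkspaceJob", "BackfillFindingLifecycleTenantIntoWorkspaceRunJob",
]

def find_traces(root, skip_prefixes=("specs/",)):
    """Return one record per residual reference, using the trace fields
    `identifier` and `owner_path` plus the line number of the hit."""
    traces = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel.startswith(skip_prefixes):  # assumption: spec docs may name the keys
                continue
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for lineno, line in enumerate(fh, 1):
                    for ident in REMOVED_IDENTIFIERS:
                        if ident in line:  # substring match also catches aliases and shims
                            traces.append({"identifier": ident, "owner_path": rel, "line": lineno})
    return sorted(traces, key=lambda t: (t["owner_path"], t["line"]))

def build_sample_tree(root):
    """Constructed sample repo: two leftover traces, one clean file, one spec doc."""
    files = {
        "app/Support/OperationCatalog.php": "'findings.lifecycle.backfill' => 'Backfill findings lifecycle',\n",
        "tests/Feature/RunbookTest.php": "<?php\nuse App\\Jobs\\BackfillFindingLifecycleJob;\n",
        "app/Models/Finding.php": "<?php\nclass Finding {}\n",
        "specs/253/data-model.md": "`findings.lifecycle.backfill`\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

def demo(skip_prefixes=("specs/",)):
    """Scan the constructed tree; an empty result means the invariants hold."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_traces(root, skip_prefixes)

if __name__ == "__main__":
    print(demo())
```

Run against a real checkout, a non-empty result from `find_traces` lists each remaining `owner_path` that still advertises the removed path and can fail the build.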