Harden Little Bull Premium workspace controls

[JOTAAAA12]

Little Bull Premium Phase 21 PR Notes

Status date: 2026-05-01

This note summarizes commit 40779b98 Fix Little Bull permissions and tri-bank smoke.
It contains no secrets, tokens, passwords, .env values or connection strings.

Summary

• Hardened Little Bull Premium document upload so classified uploads require group and subgroup selection.
• Added typed frontend API contracts for knowledge groups, subgroups and classified document upload responses.
• Added pure workspace helpers for Premium navigation permissions, upload readiness, subgroup filtering and stale selection cleanup.
• Added Bun coverage for classified upload, permission fallbacks and frontend API upload parameters.
• Added Playwright visual smoke coverage for the Premium shell across mobile, tablet and desktop viewports.
• Fixed macOS Bash 3.2 drift by making direct setup execution and interactive setup tests prefer Bash 4+ when available.
• Closed least-privilege UI permission bugs: document listing works with little_bull.documents.read, scoped workspace choices can be derived from the principal, and taxonomy for classified upload remains gated by little_bull.areas.read.
• Recorded additive live-smoke and strict tri-bank smoke evidence in the Little Bull risk register.

Backend / Control Plane

• Little Bull service/router/models/admin store were extended for the Phase 20/21 hardening path already covered by enterprise contract tests.
• Classified upload contracts now preserve workspace, group, subgroup and registry document identifiers through backend/frontend boundaries.
• No global NEO4J_WORKSPACE, QDRANT_WORKSPACE or POSTGRES_WORKSPACE override was set.
• No Neo4j/Qdrant data was deleted or reset.

Frontend

• LittleBullPreview now loads groups/subgroups for uploads and blocks file selection until classification is complete.
• Document refresh no longer fails for users who can read documents but cannot read areas.
• Users without area-listing permission can still select scoped workspaces from their principal workspace_ids.
• littleBullWorkspace.ts centralizes permission and upload state rules for direct unit testing.
• Playwright smoke uses route-mocked local API responses and a fake non-secret JWT.
• Playwright reports and test-results are ignored by git.

Validation Evidence

• uv run ruff check lightrag_enterprise tests_enterprise lightrag/api/lightrag_server.py tests/test_interactive_setup/_helpers.py
• python -m lightrag_enterprise.system.migrate
• ./scripts/test.sh tests_enterprise -q: 184 passed, 4 skipped.
• ./scripts/test.sh tests -q: 794 passed, 32 skipped.
• cd lightrag_webui && bun test: 21 passed.
• cd lightrag_webui && bunx tsc --noEmit
• cd lightrag_webui && bun run lint
• cd lightrag_webui && bun run test:visual: 3 passed.
• cd lightrag_webui && bun run build
• node /Users/joao_tourinho/Documents/specops-tooling-os/packages/cli/dist/index.js validate: 0 issues.
• node /Users/joao_tourinho/Documents/specops-tooling-os/packages/cli/dist/index.js eval: 10 passed, 0 failed.
• git diff --check

Smoke Evidence

• Additive current-worktree smoke on temporary server 127.0.0.1:9631:

  • workspace phase21_smoke_820a9f72e3b4
  • document doc-1588f7b35aed62f7a69230c53c9b711a
  • naive query returned 1 retrieval reference
  • server stopped after validation

• Strict tri-bank smoke on temporary server 127.0.0.1:9632:

  • target storage: PGKV/PGDocStatus + Neo4j + Qdrant
  • workspace phase21_tribank_44657da3ed86
  • document doc-974a377549c90fa3d2434ec663c8b1f4
  • Qdrant counts for this workspace: 1 chunk, 5 entities, 0 relationships
  • naive query returned 1 retrieval reference
  • server stopped after validation

Rollback

• Disable feature flags when applicable:
  • LITTLE_BULL_GRAPH_V2_ENABLED
  • LITTLE_BULL_QDRANT_DATA_PLANE_ENABLED
  • LITTLE_BULL_OBSIDIAN_WORKSPACE_ENABLED
• PostgreSQL remains the control-plane source of truth.
• Neo4j and Qdrant artifacts are rebuildable from control-plane state plus reindexing.
• Do not run cleanup commands without explicit approval and exact target list.

READY Status

Do not declare READY from this note alone.
READY still requires final release review, explicit cleanup decision if cleanup is desired, and all production release gates.

[JOTAAAA12]

Local validation/status update from Codex:

• Worktree clean on enterprise-foundation-platform.
• Final read-only subagent audit found no P0/P1.
• GitHub currently reports no status checks for this branch.
• Local gates already run:
  • uv run ruff check ...
  • python -m lightrag_enterprise.system.migrate
  • ./scripts/test.sh tests_enterprise -q -> 184 passed / 4 skipped
  • ./scripts/test.sh tests -q -> 794 passed / 32 skipped
  • cd lightrag_webui && bun test -> 22 passed
  • bunx tsc --noEmit
  • bun run lint
  • bun run test:visual -> 3 passed
  • bun run build
  • SpecOps validate -> 0 issues
  • SpecOps eval -> 10 passed / 0 failed
  • git diff --check
• No data cleanup was executed. Diagnostic artifacts are documented in docs/little-bull-diagnostic-artifacts-inventory.md and require explicit target approval before any cleanup.
• READY is not declared from this PR comment; this remains a draft pending review/release decision.

[JOTAAAA12]

CI status update:

I marked the PR ready for review so pull_request workflows would no longer be filtered by draft status. GitHub still reports the relevant runs as action_required with 0 jobs:

• Offline Unit Tests: action_required
• Linting and Formatting: action_required

This appears to require maintainer approval for Actions on this fork PR. Local validation evidence remains in the previous comment and PR body. Product READY is still not declared.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3c3e530f6d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Fall back to standard auth when enterprise auth is unavailable

When LIGHTRAG_SYSTEM_DATABASE_URL is not configured (common non-enterprise setup), get_enterprise_auth_state() can resolve to ENTERPRISE_AUTH_UNAVAILABLE because enterprise runtime defaults require a control-plane DB, and this branch immediately returns HTTP 503 for any route using get_combined_auth_dependency. That turns previously functional core endpoints (for API key/JWT/guest flows) into service-unavailable responses instead of using the existing auth path.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Allow guest sessions to reach an application route

The router now treats isGuestMode the same as unauthenticated and redirects / to /login, but LoginPage still auto-authenticates guest users (when auth is disabled) and navigates back to /; this creates a redirect loop in guest mode and blocks UI access for deployments that rely on auth_mode: disabled guest tokens.

Useful? React with 👍 / 👎.

[JOTAAAA12]

CI retry update:

After the approval note, I pushed an empty commit (88bb283a) to retrigger PR workflows. GitHub created new pull_request workflow runs, but they still complete immediately as action_required with 0 jobs:

• Linting and Formatting: action_required
• Offline Unit Tests: action_required

I cannot rerun/approve these Actions from my account (Must have admin rights to Repository). This still appears to require maintainer-side approval or repository Actions policy changes.

[JOTAAAA12]

Local workflow-equivalent update:

Since upstream Actions are still action_required, I ran the two blocked workflow equivalents locally:

• uv run pre-commit run --all-files --show-diff-on-failure
  • first run applied formatting fixes
  • second run passed all hooks
• ./scripts/test.sh tests -m offline -v --tb=short
  • 576 passed, 1 skipped, 249 deselected

I also reran affected gates after the formatting commit:

• ./scripts/test.sh tests_enterprise -q -> 184 passed / 4 skipped
• ./scripts/test.sh tests_enterprise/test_core_route_governance.py -q -> 14 passed
• cd lightrag_webui && bun test -> 22 passed
• bunx tsc --noEmit
• bun run lint
• bun run build
• git diff --check

Pushed formatting commit 53687978. GitHub still creates new workflow runs as action_required with 0 jobs, so maintainer-side approval is still required for official CI publication.