NafqaX System Tree & Rust Migration Checklist

1. Production Status

Orchestratorhealthy

Streamhealthy

Release ativocoordinator-runner-ws-task-completion-f385dcb6-20260509T193744Z

Backend production runtimeRust global active for command-mailbox core with fallback OFF; Python retained for rollback/source parity

Rust modules in productionmemory embedded + command-mailbox global core

Phase 5 command-mailboxPARTIAL_OK; SMALL_BATCH_DECOMPOSITION_OK; FALLBACK_REMOVAL_CANARY_OK; RUST_COMMAND_MAILBOX_IMPLEMENTED_SCOPED; NEXT_BATCH_SCOPED_EXPANSION_OK; ROUND1_FINAL_STATE_AUDIT_OK; ROUND2_MINIMAL_SENTINEL_OK; ROUND3_PRIMARY_CUTOVER_CANDIDATE_OK; ROUND4_ROLLBACK_DRILL_OK; ROUND5_DECOMMISSION_PACKAGE_PREPARED; FIRST_SOURCE_REMOVAL_PROXY_RELEASE_PROMOTED; ROUND1_SCOPED_PYTHON_HANDLER_SURFACE_REMOVED_LOCAL; SCOPED_PYTHON_HANDLER_GUARD_RELEASE_PROMOTED; SCOPED_PYTHON_HANDLER_GUARD_ACTIVE_MINIMAL_OK; RUNNER_COMMAND_HANDLER_GUARD_RELEASE_PROMOTED; RUNNER_COMMAND_HANDLER_GUARD_ACTIVE_MINIMAL_OK; NO_SCOPED_PYTHON_HANDLERS_RELEASE_PROMOTED; NO_SCOPED_PYTHON_HANDLERS_ACTIVE_MINIMAL_OK; LAZY_PYTHON_HANDLERS_RELEASE_PROMOTED; LAZY_PYTHON_HANDLERS_ACTIVE_MINIMAL_OK; COMMAND_MAILBOX_SCOPED_CORE_FINALIZED; GLOBAL_COMMAND_MAILBOX_RUST_ACTIVE_OK; TASK_COMPLETION_REVIEW_RELEASE_PROMOTED; TASK_OUTPUT_COMPLETION_REVIEW_RELEASE_PROMOTED; AUTO_TASK_CONTROL_PAYLOAD_RELEASE_PROMOTED; RUNNER_WS_TASK_COMPLETION_RELEASE_PROMOTED

DB Foundationrunner_control ledger + timeline applied

Escopo Rust validadoglobal core runtime active; off-old-allowlist probe 306 passed mailbox/cursor/ACK

runner-command-mailbox-serviceactive liveness; global Rust core runtime active

Rust liveness8099 /health=200 /readiness=200

DB-write readiness gatecanary evidence validated

Scope noteglobal_scope_enabled=1; canary_only=0; READ_PATH=false; AUTHORITATIVE=0; DUAL_WRITE=0

Global authoritative / dual-writeOFF

Ultima atualizacao UTC2026-05-09 06:38 UTC

2. app.py Monolith Summary

backend/app.py39.455 linhas

Funcoes inventariadas791

Route decorators inventariados169

Dominios/nos catalogados25

Statusmonolito ativo em producao

Riscoeditar app.py sem mapa pode reintroduzir bugs

3. System Tree Checklist

Each node tracks the full system tree, not only the Rust migration.

01. health/readiness/bootstrap PYTHON_PRODUCTION_ACTIVE

Responsibilityhealth endpoints, readiness, version, metrics, app bootstrapRust targetobservability-health-readinessPriorityP1 supportNext stepkeep Python authoritative until explicit service rolloutRiskfalse readiness or exposing sensitive runtime detail

02. auth/users/orgs/projects PYTHON_PRODUCTION_ACTIVE

Responsibilityauth, user sessions, orgs, projects, membershipRust targetauth-users-orgs-projectsPriorityP4Next stepdocument contracts before extractionRiskbroad auth/session blast radius

03. RBAC/membership/grants PYTHON_HOTFIXED

Responsibilityproject roles, runner operational authorization, grantsRust targetshared-auth, runner-rbac-policyPriorityP0 supportNext steppreserve explicit field-based RBACRiskfalse allow/deny and platform admin overreach

04. runner device registry PYTHON_HOTFIXED

Responsibilityrunner registration, device lifecycle, device-scoped project resolutionRust targetrunner-device-registryPriorityP1Next stepaudit after command-mailbox global runtime stabilizesRiskwrong device identity or stale project binding

05. runner token/QR approval PYTHON_HOTFIXED

Responsibilityrunner approval requests, mobile approval, QR pickupRust targetrunner-token-approvalPriorityP2Next stepleave in Python until rollout pattern is provenRiskapproval replay or stale pickup

06. runner config/sync PYTHON_HOTFIXED

Responsibilityrunner config, sync, device-aware project mappingRust targetrunner-device-registry + runner-project-bindingPriorityP1Next stepkeep device-first resolution invariantRiskdefault global project regression

07. runner commands PYTHON_PRODUCTION_ACTIVE RUST_PARTIAL_SCOPE_VALIDATED

Responsibilitycommand queue, command write, next polling, claim lifecycleRust targetrunner-command-mailbox-servicePriorityP0Next stepuse Round 5 package for a separately approved source-removal/proxy patchRiskduplicate command, wrong runner/project, fallback drift, or accidental off-scope routing

08. runner command status/logs/results PYTHON_PRODUCTION_ACTIVE PYTHON_HOTFIXED

Responsibilitycommand status, logs, result idempotency, exec resultRust targetrunner-command-mailbox-service laterPriorityP0Next stepkeep out of partial decommission until a separate QA gateRiskstatus leakage, sensitive log material, lost result

09. mailbox PYTHON_PRODUCTION_ACTIVE RUST_PARTIAL_SCOPE_VALIDATED PYTHON_HOTFIXED

Responsibilitymailbox input, pull, ack, cursor, epoch, runner deliveryRust targetrunner-command-mailbox-servicePriorityP0Next stepuse Round 5 package; keep off-scope traffic on Python until approved cutoverRiskoff-scope mutation, wrong epoch/cursor, duplicate ACK, or unexpected Python fallback inside scope

10. cli send/stream/chat PYTHON_PRODUCTION_ACTIVE RUST_PARTIAL_SCOPE_VALIDATED

Responsibilitychat send, raw send, stream, session runner routeRust targetrunner-command-mailbox-service for scoped command/mailbox writes; later stream-eventsPriorityP0/P3Next stepkeep stream/chat and off-scope traffic on Python; monitor scoped Rust command/mailbox writesRiskcoordinator stays thinking, fallback drift, or routes to old runner

11. coordinator session/runtime PYTHON_HOTFIXED

Responsibilitycoordinator start, stop, status, runtime/fleet stateRust targetcoordinator-session-runtimePriorityP2Next stepwait for command/mailbox rollout lessonsRiskruntime split-brain, stale coordinator device

12. project artifacts PYTHON_PRODUCTION_ACTIVE

Responsibilityartifact write/read/apply and project output promotionRust targetproject-artifactsPriorityP2Next stepkeep command-backed until result semantics are stableRiskpath safety and stale session project apply

13. runner project binding PYTHON_HOTFIXED

Responsibilitylocal projects, workspace bindings, apply session projectRust targetrunner-project-bindingPriorityP1Next stepaudit after runner-device registry boundary is explicitRiskstale session project switching

14. mobile APIs PYTHON_PRODUCTION_ACTIVE

Responsibilitymobile auth, device sessions, runner approvalsRust targetmobile-auth-mobile-runner-approvalPriorityP3Next stepextract only after runner approval boundaries are explicitRiskmobile session drift and approval identity mismatch

15. admin platform PYTHON_PRODUCTION_ACTIVE

Responsibilityplatform admin users, org plans, audits, repair operationsRust targetadmin-platformPriorityP4Next stepdo not mix with runner operation RBACRiskbroad admin operation blast radius

16. dashboard support APIs PYTHON_PRODUCTION_ACTIVE

Responsibilitymessages, timeline, setup wizard, project info, dashboard helpersRust targetpossible dashboard-support laterPriorityP3Next stepkeep frontend debt separate from Rust rolloutRiskUI route/auth expectations and stale browser state

17. stream/SSE/events PYTHON_PRODUCTION_ACTIVE

ResponsibilitySSE, mailbox stream, CLI stream, event deliveryRust targetstream-eventsPriorityP3Next stepwait until command/mailbox source of truth is settledRiskmissed events, duplicates, backpressure

18. AI providers PYTHON_PRODUCTION_ACTIVE

Responsibilityprovider accounts, configs, catalog, execution providersRust targetai-providers or remain PythonPriorityP4Next stepcredential safety audit before any extractionRiskcredential handling and provider behavior

19. agents/sessions/tasks PYTHON_PRODUCTION_ACTIVE

Responsibilityagent sessions, tasks, interactions, process stateRust targetagents-sessions-tasksPriorityP3Next stepseparate monolith auditRisktask lifecycle regressions and old state planes

20. workflows/templates PYTHON_PRODUCTION_ACTIVE

Responsibilityworkflows, templates, workflow responsesRust targetworkflows-templatesPriorityP4Next stepdefer; not on critical runner/mailbox pathRiskworkflow compatibility and template migration

21. runtime/operator/Norcx UNKNOWN_NEEDS_AUDIT

Responsibilityoperator/runtime integration and agent process controlRust targetruntime-operator-norcxPriorityP4Next stepoperator-specific audit before changesRiskprocess lifecycle side effects

22. observability/health/SigNoZ/OTel PYTHON_PRODUCTION_ACTIVE

Responsibilityhealth, readiness, metrics, logs, observability statusRust targetshared-observabilityPriorityP1 supportNext steptreat Rust /health and /readiness as liveness; DB-write readiness must come from canary evidenceRiskfalse readiness or telemetry drift

23. background jobs/schedulers DO_NOT_TOUCH_WITHOUT_AUDIT

Responsibilitycleanup, sync, pollers, watchdogs, hidden write pathsRust targetseparate job modules after auditPriorityP4Next stepinventory side effects before editingRiskhidden production writes

24. release/deploy/static frontend PYTHON_PRODUCTION_ACTIVE

Responsibilityrelease dirs, static assets, frontend serving, operational handoffRust targetnonePriorityP0 operationalNext stepconfirm systemd WorkingDirectory before any release workRiskserving stale or wrong frontend

25. unknown/needs classification UNKNOWN_NEEDS_AUDIT

Responsibilitylegacy helpers and less-used admin/debug endpointsRust targetunknownPriorityaudit as neededNext stepadd owner before moving or deletingRiskhidden side effects and implicit coupling

4. Python vs Rust Migration Matrix

Item	Python atual	Rust atual	Status	Falta para finalizar
/api/mailbox/pull	production active for pull/read semantics	global Rust core mutation gate active; pull/read path remains Python-led because `READ_PATH=false`	PYTHON_PRODUCTION_ACTIVE	do not mark pull/read globally moved without separate QA gate
/api/cli/send	production active for routing/chat/stream orchestration and rollback parity	command-mailbox core runtime active globally in Rust with `COMMAND_MAILBOX_RUST_GLOBAL_ENABLED=true` and fallback OFF	RUST_PARTIAL_SCOPE_VALIDATED	monitor global release before deleting residual Python source
/api/mailbox/ack	rollback/source parity retained	global Rust ACK core mutation active; off-old-allowlist probe validated ACK without duplication	RUST_PARTIAL_SCOPE_VALIDATED	continue rollback preservation until residual Python source-removal gate
/api/runner/commands/next	production active	command write path covered by Rust core tests; next/claim read path not globally moved	PYTHON_PRODUCTION_ACTIVE	separate read/claim canary before moving this path
/api/runner/commands/{id}/status	production active, RBAC fixed locally	not part of the approved partial command-mailbox decommission	PYTHON_PRODUCTION_ACTIVE	separate status/result migration gate required
/api/runner/commands/{id}/logs	production active	not part of the approved partial command-mailbox decommission	PYTHON_PRODUCTION_ACTIVE	log redaction and compatibility tests before any Rust path
/api/runner/exec/result	production active	not part of the approved partial command-mailbox decommission	PYTHON_PRODUCTION_ACTIVE	result write canary and rollback package required
/api/admin/auto_coordinator/start	production active after coordinator hotfix chain	route decision support only	RUST_NOT_STARTED	runtime service shadow and canary
/api/runner/projects/apply_session_project	production active with stale-session safeguards	command result support only	RUST_NOT_STARTED	project binding and artifact contract tests
/api/runner/config	production active, device-aware hotfix	snapshots cover regression	RUST_NOT_STARTED	runner-device registry audit
/api/runner/sync	production active, project overwrite guarded	snapshots cover related risk	RUST_NOT_STARTED	sync contract and project binding module
QR pickup	production active, hotfixed	no Rust module	RUST_NOT_STARTED	approval state machine audit
runner friendly/display name	production active, hotfixed	no Rust module	RUST_NOT_STARTED	runner-device display contract
frontend stale session guard	frontend hotfix in published source chain	no Rust module	PYTHON_HOTFIXED	frontend regression tests remain tracked separately
memory_plane_service	Python adapters integrate with memory plane schema/contracts	Rust crate shipped in active release	RUST_PARTIAL_PRODUCTION RUST_EMBEDDED_RUNTIME	focused memory plane audit before flag/schema/read changes
memory plan/planning promotion	Python planning/session flow can materialize/compare memory plane	Rust-defined memory plane domain through Python adapter runtime	RUST_PARTIAL_PRODUCTION	verify active flags, shadow-read behavior, and primary store boundary

5. Rust Modules Already in Production / Production Adjacent

Module	Status	Execution	Source	Notes
memory_plane_service	RUST_PARTIAL_PRODUCTION RUST_EMBEDDED_RUNTIME	via Python adapters/contracts; no daemon found	`services/memory_plane_rust/` and `backend/api/src/memory_plane_shadow*.py`	Rust crate/schema shipped in active release; Python remains observed runtime entrypoint.
memory plan / planning promotion	RUST_PARTIAL_PRODUCTION	Python planning flow backed by memory plane domain	`backend/app.py`, memory plane adapters, Rust memory plane crate	Planning/inicial project memory flow; not a separate Rust service.
runner-command-mailbox-service	RUST_PARTIAL_SCOPE_VALIDATED	loopback service on port 8099; global command-mailbox core runtime active with fallback OFF	`rust-services/` and `backend/api/src/command_mailbox_runtime_switch.py`	GLOBAL_COMMAND_MAILBOX_RUST_ACTIVE_OK passed on release `b4f3d061`; `COMMAND_MAILBOX_RUST_GLOBAL_ENABLED=true`, `NAFQAX_RUST_GLOBAL_SCOPE_ENABLED=1`, `CANARY_ONLY=0`, `AUTHORITATIVE=0`, `DUAL_WRITE=0`, and `READ_PATH=false`.

6. Runner Command Mailbox Checklist

[x] Fase 1 - Infra Safety concluida: backup/restore/PITR/WAL e gates agent-infra
[x] Fase 2 - DB Foundation concluida: runner_control ledger/timeline aplicados
[x] Fase 3 - Rust Adapter concluido: adapter Postgres e contrato HTTP/runtime switch aprovados
[x] Fase 4 - Core Canary concluido: write runner command, write mailbox, cursor e ACK validados
[x] Fase 5 - Partial Decommission OK historico no escopo 587 + phase4-core-canary-device-20260503
[x] Rust escreveu ledger/timeline e core canary em producao dentro do escopo aprovado
[x] Release multi-scope gate 2039957b promovido com default seguro
[x] Runtime switch presente; command-mailbox core carregado em Rust global via COMMAND_MAILBOX_RUST_GLOBAL_ENABLED=true
[x] Rust service ativo em 8099 com /health=200 e /readiness=200
[x] DB-write readiness validado por evidencia de canary/core mutation
[x] Python fallback removido no runtime Rust global do command-mailbox core; Python permanece como rollback/source parity
[x] AUTHORITATIVE global e DUAL_WRITE global permanecem OFF
[x] SMALL_BATCH_DECOMPOSITION_OK - NAFQAX_RUST_ALLOWED_SCOPES chegou ao Rust com scope_config_present=true e allowed_scope_count=5
[x] 20 operacoes aplicadas no small batch: write runner command, write mailbox, cursor e ACK para 5 escopos
[x] FALLBACK_REMOVAL_CANARY_OK - COMMAND_MAILBOX_PYTHON_FALLBACK=false nos 5 escopos, fallback_used=false, fail-closed provado sem cair em Python, rollback nao necessario
[x] MINIMAL_FALLBACK_OFF_OK - fallback OFF validado somente no escopo 587, 4 operacoes Rust, fallback_used=false, runtime_fail_closed=0, db_write=true, cursor/ACK OK e rollback nao necessario
[x] RUST_COMMAND_MAILBOX_IMPLEMENTED_SCOPED - runtime Rust ativo para 587-591 com fallback OFF, 20 eventos Rust recebidos/resultados, sem timeout, sem blocked_by_canary_scope e sem leak
[x] NEXT_BATCH_SCOPED_EXPANSION_OK - runtime Rust ativo para 587-596 com fallback OFF, 40 operacoes Rust, fora do escopo em Python, sem blocked_by_canary_scope e scan sensivel zerado
[x] Plano de finalizacao em 5 rodadas preparado; proximas janelas usam probes sentinela minimos em vez de repetir matriz completa de 20 operacoes por padrao
[x] ROUND1_FINAL_STATE_AUDIT_OK - auditoria read-only confirmou health 200, escopos 587-596, fallback OFF nos escopos, fora do escopo Python, zero problema recente, zero off-scope Rust e sem restart/mutation
[x] ROUND2_MINIMAL_SENTINEL_OK - escopo 596 validou write_runner_command, write_mailbox, cursor e ACK em Rust, python_fallback_inside_scope=false, runtime_fail_closed=0, fora do escopo em Python e sem restart/flag change
[x] ROUND3_PRIMARY_CUTOVER_CANDIDATE_OK - seletor candidato manteve 587-596, escopo 595 validou as quatro familias core em Rust, sem fallback/fail-closed/bloqueio e fora do escopo em Python
[x] ROUND4_ROLLBACK_DRILL_OK - rollback temporario para Python-only ficou saudavel, drop-in removido, seletor Rust 587-596 restaurado, Stream/Rust PIDs inalterados
[x] ROUND5_DECOMMISSION_PACKAGE_PREPARED - pacote de decommission Python preparado com superficies proxy/removal, testes e rollback; nenhuma fonte removida sem aprovacao separada
[x] FIRST_SOURCE_REMOVAL_PROXY_RELEASE_PROMOTED - release 5752b8a1 ativo; fallback Python removido do caminho COMMAND_MAILBOX_RUNTIME=rust; fora do escopo continua Python e rollback permanece via COMMAND_MAILBOX_RUNTIME=python
[x] ACTIVE_10SCOPE_NO_PYTHON_FALLBACK_OK - escopos 587-596 executaram 40/40 operacoes Rust, python_fallback_inside_scope=false, sem fail-closed, sem bloqueio de canary e fora do escopo em Python
[x] SECOND_SOURCE_REMOVAL_PROXY_RELEASE_PROMOTED - release agents-orchestrator-v2-release-command-mailbox-fallback-switch-glue-674722d5-20260507T045146Z promovido; fallback glue interno removido do runtime switch, sem flag change, sem DB change e rollback operacional preservado por COMMAND_MAILBOX_RUNTIME=python
[x] POST_FALLBACK_SWITCH_ACTIVE_MINIMAL_OK - escopo 596 validou write runner command, write mailbox, cursor e ACK em Rust no release promovido, fallback_used=false, runtime_fail_closed=0, fora do escopo em Python e scan sensivel zerado
[x] ROUND1_SCOPED_PYTHON_HANDLER_SURFACE_REMOVED_LOCAL - plano restante comprimido para 4 rodadas; wrappers runtime_insert_mailbox_row, runtime_mailbox_cursor_upsert e runtime_ack_mailbox_rows nao expõem mais handler SQL Python dentro do escopo Rust; sem deploy ou flag change
[x] SCOPED_PYTHON_HANDLER_GUARD_RELEASE_PROMOTED - release command-mailbox-scoped-python-handler-guard-e921ca39-20260507T052102Z ativo, rollback para release anterior preservado, Stream/Runner WS/Rust PIDs preservados
[x] SCOPED_PYTHON_HANDLER_GUARD_ACTIVE_MINIMAL_OK - escopo 596 validou as quatro familias core em Rust, python_fallback_inside_scope=false, runtime_fail_closed=0, fora do escopo em Python e scan sensivel zerado
[x] RUNNER_COMMAND_HANDLER_GUARD_RELEASE_PROMOTED - release command-mailbox-runner-command-handler-guard-f6a21c07-20260507T053207Z ativo; write_runner_command nao expõe mais handler SQL Python dentro do escopo Rust; rollback anterior preservado
[x] RUNNER_COMMAND_HANDLER_GUARD_ACTIVE_MINIMAL_OK - escopo 596 validou as quatro familias core em Rust, python_fallback_inside_scope=false, runtime_fail_closed=0, fora do escopo em Python e scan sensivel zerado
[x] NO_SCOPED_PYTHON_HANDLERS_RELEASE_PROMOTED - release command-mailbox-no-scoped-python-handlers-f140885e-20260507T055239Z ativo; wrappers em escopo Rust passam sem callable Python para o runtime switch; rollback anterior preservado
[x] NO_SCOPED_PYTHON_HANDLERS_ACTIVE_MINIMAL_OK - escopo 596 validou as quatro familias core em Rust, python_fallback_inside_scope=false, runtime_fail_closed=0, fora do escopo em Python e scan sensivel zerado
[x] LAZY_PYTHON_HANDLERS_RELEASE_PROMOTED - release command-mailbox-lazy-python-handlers-92d1820c-20260507T060936Z ativo; wrappers em escopo Rust constroem handlers SQL Python somente em if not rust_in_scope; rollback anterior preservado
[x] LAZY_PYTHON_HANDLERS_ACTIVE_MINIMAL_OK - escopo 596 validou as quatro familias core em Rust, python_fallback_inside_scope=false, runtime_fail_closed=0, fora do escopo em Python e scan sensivel zerado
[x] COMMAND_MAILBOX_SCOPED_CORE_FINALIZED - core command-mailbox escopado finalizado para 587-596; Python segue obrigatorio fora do escopo e para rollback
[x] GLOBAL_COMMAND_MAILBOX_RUST_ACTIVE_OK - release command-mailbox-global-rust-b4f3d061 ativo; COMMAND_MAILBOX_RUST_GLOBAL_ENABLED=true, NAFQAX_RUST_GLOBAL_SCOPE_ENABLED=1, CANARY_ONLY=0, AUTHORITATIVE=0, DUAL_WRITE=0, READ_PATH=false
[x] Global Rust active probe validou escopo fora da allowlist antiga 306:global-rust-validation-device-20260507 com write mailbox, cursor e ACK em Rust, cursor_ok=true, ack_ok=true e scan sensivel zerado
[x] TASK_COMPLETION_REVIEW_RELEASE_PROMOTED - release command-mailbox-task-completion-b0af74ba-20260509T050620Z ativo em Orchestrator e Runner WS; task_output pendente agora fecha completion review no backend sem alterar o runtime Rust global
[x] TASK_OUTPUT_COMPLETION_REVIEW_RELEASE_PROMOTED - release command-mailbox-task-output-completion-cab9c5f9-20260509T060245Z ativo em Orchestrator e Runner WS; task_output originado por agente agora aplica a decisao deterministica de completion review sem alterar o runtime Rust global
[x] AUTO_TASK_CONTROL_PAYLOAD_RELEASE_PROMOTED - release command-mailbox-auto-task-control-92cfc573-20260509T062324Z ativo em Orchestrator e Runner WS; payloads legados auto_create_task e action=create_task agora normalizam para control_agent create_task sem alterar o runtime Rust global
[x] RUNNER_WS_TASK_COMPLETION_RELEASE_PROMOTED - release coordinator-runner-ws-task-completion-f385dcb6-20260509T193744Z ativo em Orchestrator e Runner WS; status terminal reportado pelo Runner WS agora reconcilia task/output e outputs nao-terminais nao mascaram fechamento terminal, sem alterar o runtime Rust global
[x] Six-item finalization gate audit historico executado: observacao passiva saudavel, autoridade global bloqueada e decommission total Python ainda pendente
[x] Scan sensivel vazio; falso negativo inicial do validador documentado como reset de contexto RLS
[ ] PENDING - remover codigo Python residual do command-mailbox somente apos novo pacote de source-removal/proxy e rollback aprovado

7. Definition of Done

[x] contrato congelado para runtime switch e adapter core
[x] testes unitarios, contrato, staging e core canary passam
[x] evidencias preservadas e redigidas
[x] Rust liveness/readiness basico confirmado separadamente de DB-write readiness
[x] feature flags default seguras e runtime por escopo
[x] canary por session/device
[x] rollback por flag documentado e preservado
[x] audit/redaction validado
[x] Rust scoped runtime validado com write/cursor/ACK
[x] DB-write readiness validado por evidencia de canary
[x] Python fallback removido do runtime Rust global command-mailbox; rollback para Python-only permanece preservado
[x] small batch validado para 587-591 com write runner command, write mailbox, cursor e ACK
[x] next batch validado para 587-596 com 40 operacoes Rust, python_fallback_inside_scope=false, cursor/ACK OK e fora do escopo em Python
[x] fallback removal canary validado para 587-591 com 20 operacoes Rust e fallback_used=false
[x] minimal fallback OFF validado para 587 com write runner command, write mailbox, cursor e ACK, sem timeout ou blocked_by_canary_scope
[x] scoped implementation ativo para 587-596 com COMMAND_MAILBOX_PYTHON_FALLBACK=false, CANARY_ONLY=1 e fora do escopo em Python
[x] plano historico de finalizacao em 5 rodadas concluido; plano restante comprimido para 4 rodadas apos release fallback-switch-glue
[x] Round 1 a Round 5 do plano de finalizacao concluidos; pacote de decommission Python preparado, sem remover fonte sem aprovacao separada
[x] fallback OFF ativo validado em 10 escopos com 40 operacoes Rust; release fallback-switch-glue validado em rodada ativa minima sem alterar escopos ou flags
[x] primeira rodada comprimida removeu a superficie local de handler SQL Python nos wrappers mailbox/cursor/ACK para escopos Rust; fora do escopo continua Python
[x] release scoped-python-handler-guard promovido e validado com sentinel minimo no escopo 596; health final 200 em 5055/5057/8099
[x] gate audit preservado em /var/backups/nafqax-agent-infra/command-mailbox-six-item-finalization-20260506T081250Z
[x] command-mailbox core global carregado em Rust; decommission de codigo Python residual permanece fora de escopo

8. Risks / Blockers

app.py ainda e monolito ativo em producao fora do escopo command-mailbox aprovado.
Release ativo atual e coordinator-runner-ws-task-completion-f385dcb6 no Orchestrator/Runner WS; Rust service permanece saudavel no runtime global existente.
Rust command/mailbox core esta globalmente ativo com fallback OFF; Python fica como rollback/source parity, nao como caminho fora de escopo.
Core global command-mailbox esta ativo; rotas nao migradas como command status, logs/result, read path amplo e Runner WS continuam preservadas.
Rust /health=200 e /readiness=200 nao bastam para DB-write readiness sem evidencia de canary/core mutation.
AUTHORITATIVE global e DUAL_WRITE global continuam proibidos nesta etapa.
Qualquer promocao para Rust authoritative, dual-write ou remocao de codigo Python residual exige QA, monitoramento, evidencia e rollback equivalentes.
Observacao passiva nao substitui soak com trafego real; nenhum marcador runtime ocorreu durante a janela idle.
As proximas rodadas nao exigem 20 operacoes por padrao; matriz completa volta apenas se houver evidencia ambigua ou novo caminho funcional.
Scan sensivel do small batch ficou sem leak; scan amplo anterior teve falso positivo pelo filename task-bound.
memory_plane Rust e parcial/embedded, nao servico daemon separado.

9. Next Recommended Actions

Manter evidencia /var/backups/nafqax-agent-infra/command-mailbox-partial-decommission-20260504T035517Z/, /var/backups/nafqax-agent-infra/progressive-scope2-unsetenv-fix-20260506T054128Z, /var/backups/nafqax-agent-infra/small-batch-decomposition-20260506T060953Z, /var/backups/nafqax-agent-infra/fallback-removal-canary-20260506T070952Z, /var/backups/nafqax-agent-infra/minimal-fallback-off-20260506T074019Z, /var/backups/nafqax-agent-infra/rust-command-mailbox-scoped-5-fallback-off-20260506T075828Z, /var/backups/nafqax-agent-infra/command-mailbox-six-item-finalization-20260506T081250Z, /var/backups/nafqax-agent-infra/command-mailbox-next-batch-scoped-expansion-20260506T083640Z, /var/backups/nafqax-agent-infra/command-mailbox-finalization-round1-20260507T015645Z, /var/backups/nafqax-agent-infra/command-mailbox-finalization-round2-20260507T020429Z, /var/backups/nafqax-agent-infra/command-mailbox-finalization-round3-20260507T021345Z, /var/backups/nafqax-agent-infra/command-mailbox-finalization-round4-20260507T021459Z, /var/backups/nafqax-agent-infra/command-mailbox-finalization-round5-20260507T022134Z, /var/backups/nafqax-agent-infra/command-mailbox-lazy-python-handlers-active-minimal-20260507T061802Z e /var/backups/nafqax-agent-infra/command-mailbox-global-rust-active-20260507T070039Z.
Reexecutar E2E coordinator task infra/audit por caminho autenticado contra o release f385dcb6; a tentativa autenticada em 92cfc573 criou task infra e executou o agente, mas ficou bloqueada por task_output sem ack/finalizacao, com evidencia em /var/backups/nafqax-agent-infra/coordinator-task-e2e-92cfc573-online-20260509T171122Z.
Continuar exigindo matriz completa somente quando uma evidencia ficar ambigua.
Nao ativar Rust authoritative, dual-write global ou remocao total de Python sem nova janela aprovada.
Manter rollback por flag para Python-only e preservar ledger/timeline.