docs: Roux Ingest Workspace publishing runbook (DRAFT) #120

Merged
chitcommit merged 2 commits into main from claude/magical-feynman-ue6lvg
Jun 15, 2026

@chitcommit chitcommit commented Jun 12, 2026

Contributor

What

Adds docs/plans/2026-06-12-roux-ingest-workspace-publish-runbook.md — a repo-derived inventory of the Google publishing side of the Roux Ingest Workspace Studio step, plus a drafted GAM domain-wide-delegation sequence.

Why it's loudly marked DRAFT / UNCONFIRMED

  • No live Google-side read was possible when this was produced — no gam/gcloud/credentials in the environment, and the connected Google MCP tools are end-user Gmail/Calendar/Drive scopes that cannot enumerate service accounts, Marketplace apps, or domain-wide delegation. The inventory is therefore repo-derived (the worker code is the contract), and the GAM sequence could not be validated.
  • GAM owns only one step. Of the publish chain, GAM truly owns only the domain-wide delegation grant + read-back. Service account, OAuth client, Marketplace/Add-on listing, and app install are Google Cloud Console / Admin Console actions GAM cannot perform — the doc draws that boundary explicitly.

Two catches captured in the doc

  1. The repo enumerates zero OAuth scopes for this add-on; a Gmail-read scope is inferred from a downstream attachment fetch, not a repo fact. The gmail.readonly references elsewhere belong to a different feature (ChittyRouter), not this add-on.
  2. The SA email and OAuth client ID in the test suite are TEST CONSTANTS, not production values. The real values live in the worker's secret_text bindings (confirmed deploy-safe; not in [vars]).

Contents

  • (A) Tooling reality check — why no live read
  • (B) Google-side contract from worker code (cited file:line) + placeholder identifier table + scope caveat + bindings table
  • (C) Drafted GAM sequence with Console/GAM boundary and marked placeholders
  • (D) Open questions / 6 identifiers needing operator confirmation

No code changes — docs only.

https://claude.ai/code/session_01A9JYLNVkaEL7SU7N2xZQYN


Generated by Claude Code

Summary by CodeRabbit

  • Documentation
    • Updated internal operational documentation for custom step publishing procedures and submission routing workflows.

Repo-derived inventory of the Google publishing side for the Roux Ingest
Workspace Studio step, plus a drafted GAM domain-wide-delegation sequence.
Loudly marked DRAFT/UNCONFIRMED: no live Google-side read was possible
(no gam/gcloud/credentials), all identifiers are placeholders, and the
OAuth scope set is unconfirmed (repo enumerates none; gmail.readonly is
inferred only, not repo fact).
@github-actions

  1. @coderabbitai review
  2. @copilot review
  3. @codex review
  4. @claude review
    Adversarial review request: evaluate security, policy bypass paths, regression risk, and merge-gating bypass attempts.

@coderabbitai

coderabbitai Bot commented Jun 12, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9583d684-826f-4f4f-a795-e3e4e119b86a

📥 Commits

Reviewing files that changed from the base of the PR and between 6a26e66 and 7d35f26.

📒 Files selected for processing (2)
  • docs/plans/2026-06-12-roux-ingest-workspace-publish-runbook.md
  • docs/registration/SUBMISSION_RUNBOOK.md

Walkthrough

Adds a new 215-line DRAFT runbook documenting the Google-side publishing process for the Roux Ingest Workspace Studio add-on, covering JWT/auth contract, secret bindings, worker endpoints, and a drafted GAM/Console sequence. Also updates four lines in an existing submission runbook to replace Chico-based terminology with ChittyConnect.

Changes

New Roux Ingest Workspace publish runbook

| Layer / File(s) | Summary |
| --- | --- |
| Draft preamble, JWT/auth contract, and secret bindings<br>`docs/plans/2026-06-12-roux-ingest-workspace-publish-runbook.md` | Introduces the document as DRAFT/unconfirmed, documents the worker-derived JWT contract (algorithm, JWKS URL, issuer, audience, dynamic kid), lists required secret bindings, and adds an OAuth scope caveat requiring operator confirmation. |
| Worker endpoints inventory<br>`docs/plans/2026-06-12-roux-ingest-workspace-publish-runbook.md` | Enumerates the two production-served endpoints (/config and /execute), their auth gating behavior, and expected response structures. |
| GAM/Console publishing sequence and open questions<br>`docs/plans/2026-06-12-roux-ingest-workspace-publish-runbook.md` | Provides the drafted, placeholder-heavy GAM/Console step sequence for domain-wide delegation, add-on installation/allowlisting, and a smoke-check, followed by an open-questions checklist and a final whole-draft caveat. |

ChittyConnect wording fixes in submission runbook

| Layer / File(s) | Summary |
| --- | --- |
| Chico → ChittyConnect terminology updates<br>`docs/registration/SUBMISSION_RUNBOOK.md` | Replaces Chico-based phrasing with ChittyConnect in four lines: submission routing description, P-synthetic ChittyID canonical path, `<<CHITTY_REGISTER_TOKEN>>` substitution source row, and bearer token ownership bullet. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 Hippity-hop, the docs have grown,
A runbook drafted, seeds are sown!
ChittyConnect now owns the name,
Chico's gone — no more to blame.
The rabbit stamps each placeholder neat,
With caveats aplenty, the draft's complete! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding a draft runbook document for Roux Ingest Workspace publishing. It is concise, specific, and clearly reflects the primary contribution of the pull request. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 12, 2026


Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Updated (UTC) |
| --- | --- | --- | --- |
| ✅ Deployment successful! (View logs) | chittycommand | 7d35f26 | Jun 15 2026, 05:44 AM |

Contributor Author

Adversarial review (@claude) — docs-only change.

Scope: one new file docs/plans/2026-06-12-roux-ingest-workspace-publish-runbook.md. No code, CI, auth, schema, or config touched.

  • Security / secret disclosure: None. Every real identifier is <<PLACEHOLDER>>. The two test-fixture strings it references (SA email, OAuth client ID) already live in tests/routes/workspace-studio-ingest.spec.ts and are explicitly labeled TEST CONSTANTS / non-production. The doc also warns against moving the CHITTYROUX_* / REGISTERED_CHANNELS_JSON secrets into wrangler.jsonc [vars] (that would convert deploy-safe secret_text to plaintext) — net safety-positive.
  • Policy-bypass / merge-gating: N/A — no workflow or middleware changes.
  • Regression risk: None — non-executable markdown; wrangler.jsonc untouched.
  • Reader caveat (already in the doc): DRAFT/UNCONFIRMED; identifiers must be operator-verified before any GAM/Console action.

No blocking findings.


Generated by Claude Code
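
The review above notes that moving the CHITTYROUX_* / REGISTERED_CHANNELS_JSON secrets into `wrangler.jsonc` vars would turn them into plaintext. One way to check a config for that in CI, as an added example that is not code from this repository: it assumes the standard top-level `vars` and `env.<name>.vars` layout, and the sample config and the key `CHITTYROUX_EXAMPLE_KEY` are constructed for illustration.

```javascript
// Added example (not from the repository): flag secret-named keys under "vars".
const SECRET_NAME_PATTERNS = [/^CHITTYROUX_/, /^REGISTERED_CHANNELS_JSON$/];

// Strip // and /* */ comments and trailing commas without touching strings.
function stripJsonc(text) {
  let out = "", i = 0;
  while (i < text.length) {
    if (text[i] === '"') {
      let j = i + 1; // copy the whole string literal, honouring escapes
      while (j < text.length && text[j] !== '"') j += text[j] === "\\" ? 2 : 1;
      out += text.slice(i, j + 1);
      i = j + 1;
    } else if (text.startsWith("//", i)) {
      while (i < text.length && text[i] !== "\n") i++;
    } else if (text.startsWith("/*", i)) {
      const end = text.indexOf("*/", i + 2);
      i = end === -1 ? text.length : end + 2;
    } else {
      if ("}]".includes(text[i])) out = out.replace(/,\s*$/, "");
      out += text[i++];
    }
  }
  return out;
}
// Return config paths of vars whose names match a secret-name pattern.
function findPlaintextSecrets(jsoncText, patterns = SECRET_NAME_PATTERNS) {
  const config = JSON.parse(stripJsonc(jsoncText));
  const scopes = [["vars", config.vars]];
  for (const [name, env] of Object.entries(config.env ?? {})) {
    scopes.push([`env.${name}.vars`, env?.vars]);
  }
  const findings = [];
  for (const [path, vars] of scopes) {
    for (const key of Object.keys(vars ?? {})) {
      if (patterns.some((p) => p.test(key))) findings.push(`${path}.${key}`);
    }
  }
  return findings;
}
// Constructed sample config; CHITTYROUX_EXAMPLE_KEY is a hypothetical name.
const SAMPLE = `{
  "name": "example-worker", // constructed
  "vars": {
    "DOCS_URL": "https://example.invalid/docs", /* not a secret */
    "CHITTYROUX_EXAMPLE_KEY": "placeholder",
  },
  "env": { "staging": { "vars": { "REGISTERED_CHANNELS_JSON": "[]" } } }
}`;
console.log(findPlaintextSecrets(SAMPLE));
```

A non-empty result is the condition to fail the build on; the check reads key names only and never prints values.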

Replace the 'Chico' concierge nickname with plain 'ChittyConnect' in the
registration submission runbook to avoid collision with the real
Furnished-Condos/chico repo. No semantic change — same broker, same gated
sensitive-intent path.
@github-actions

  1. @coderabbitai review
  2. @copilot review
  3. @codex review
  4. @claude review
    Adversarial review request: evaluate security, policy bypass paths, regression risk, and merge-gating bypass attempts.

Contributor Author

Adversarial review (@claude) — delta for 7d35f269.

Only change since the prior review (662e851) is docs/registration/SUBMISSION_RUNBOOK.md: a 4-line rename of the "Chico" nickname → "ChittyConnect" (to avoid collision with the real Furnished-Condos/chico repo). Pure docs, no semantic change — same broker, same gated sensitive-intent path.

  • Security / secret disclosure: none — still no real credentials; payload placeholders unchanged.
  • Policy-bypass / merge-gating: N/A — no workflow/auth/middleware touched.
  • Regression risk: none — non-executable markdown.

Prior review of the Roux Ingest runbook still stands. No blocking findings.


Generated by Claude Code

@chitcommit chitcommit merged commit bdf576c into main Jun 15, 2026
18 checks passed
@chitcommit chitcommit deleted the claude/magical-feynman-ue6lvg branch June 15, 2026 12:03