backend/tests/unit/test_migration_seed.py

"""Migration-seed parity test (MA3 + sprint 2 delta).

The runtime F11 matrix in `mimic.rbac.matrix` must equal the union of:

- the inline frozen snapshot in the initial migration `202605210001`, plus
- every per-migration `_DELTA_PERMISSIONS` / `_DELTA_GROUP_PERMISSIONS` added
  by later migrations.

When the runtime drifts, *do not* edit an existing migration: write a new
one with its own delta block and extend the `_MIGRATIONS` tuple below.
"""

from __future__ import annotations

import importlib
from types import ModuleType

from mimic.rbac.matrix import GROUP_PERMISSIONS, GroupName, Permission

_INITIAL = "mimic.db.migrations.versions.202605210001_initial_schema"
_DELTAS: tuple[str, ...] = ("mimic.db.migrations.versions.202605230001_add_user_manage_permission",)


def _load(name: str) -> ModuleType:
    return importlib.import_module(name)


def _cumulative_permissions() -> set[str]:
    initial = _load(_INITIAL)
    codes = set(initial._PERMISSIONS_FROZEN)
    for name in _DELTAS:
        delta = _load(name)
        codes.update(delta._DELTA_PERMISSIONS)
    return codes


def _cumulative_group_permissions() -> dict[str, set[str]]:
    initial = _load(_INITIAL)
    cumulative = {gn: set(perms) for gn, perms in initial._GROUP_PERMISSIONS_FROZEN.items()}
    for name in _DELTAS:
        delta = _load(name)
        # `rt_lead` carries ALL_PERMISSIONS at runtime — every delta perm
        # implicitly extends rt_lead too, regardless of whether the migration
        # listed it explicitly.
        rt_lead_implicit = {p for perms in delta._DELTA_GROUP_PERMISSIONS.values() for p in perms}
        cumulative.setdefault("rt_lead", set()).update(rt_lead_implicit)
        for group_name, perms in delta._DELTA_GROUP_PERMISSIONS.items():
            cumulative.setdefault(group_name, set()).update(perms)
    return cumulative


def test_runtime_permissions_match_cumulative_migrations() -> None:
    runtime_codes = {p.value for p in Permission}
    cumulative = _cumulative_permissions()
    assert runtime_codes == cumulative, (
        "Permission enum drifted from the cumulative migration freeze; "
        "write a new migration delta, do not edit existing ones."
    )


def test_runtime_group_membership_matches_cumulative_migrations() -> None:
    runtime = {gn.value: {p.value for p in perms} for gn, perms in GROUP_PERMISSIONS.items()}
    cumulative = _cumulative_group_permissions()
    assert runtime == cumulative, (
        "GROUP_PERMISSIONS drifted from the cumulative migration freeze; "
        "write a new migration delta, do not edit existing ones."
    )


def test_initial_frozen_group_names_match_enum() -> None:
    initial = _load(_INITIAL)
    assert set(initial._GROUP_PERMISSIONS_FROZEN.keys()) == {g.value for g in GroupName}
feat(backend): add USER_MANAGE permission + delta migration (D-015) Adds `Permission.USER_MANAGE = "user.manage"` to the F11 matrix. rt_lead already holds ALL_PERMISSIONS so GROUP_PERMISSIONS is unchanged — rt_lead gets the new permission automatically, rt_operator and soc_analyst get 403. Alembic migration `202605230001_add_user_manage_permission`: - inserts the `user.manage` row into `permission`, - inserts the `(rt_lead, user.manage)` link into `group_permission`, - exposes `_DELTA_PERMISSIONS` / `_DELTA_GROUP_PERMISSIONS` for parity tests. The previous `test_frozen_*_matches_runtime` invariant (MA3) is generalised to "runtime = initial frozen ∪ deltas of every migration in `_DELTAS`". New migrations register themselves there without editing the historical one. Verbatim wording from spec-analyst is recorded as D-015 in `tasks/spec-decisions.md` (separate commit). 2026-05-23 15:52:47 +02:00			`"""Migration-seed parity test (MA3 + sprint 2 delta).`

			The runtime F11 matrix in `mimic.rbac.matrix` must equal the union of:

			- the inline frozen snapshot in the initial migration `202605210001`, plus
			- every per-migration `_DELTA_PERMISSIONS` / `_DELTA_GROUP_PERMISSIONS` added
			`by later migrations.`

			`When the runtime drifts, do not edit an existing migration: write a new`
			one with its own delta block and extend the `_MIGRATIONS` tuple below.
fix(backend): freeze F11 matrix inline in the initial migration (MA3) Code-review MAJOR MA3. The initial Alembic migration imported the live `mimic.rbac.matrix.GROUP_PERMISSIONS` to seed the `permission` / `group` / `group_permission` rows. That breaks the Alembic invariant "a migration produces the same schema regardless of when you replay it": a future tweak to the runtime matrix would silently change the seeded baseline on a fresh DB. Two changes: 1. The migration now carries an inline frozen snapshot of the F11 matrix (`_PERMISSIONS_FROZEN`, `_GROUP_PERMISSIONS_FROZEN`, `_GROUP_DESCRIPTIONS`). The seed reads from these tuples/dicts only. If the canonical matrix evolves, the next migration is responsible for the delta. 2. A new unit test `test_migration_seed_matches_current_matrix` enforces that the frozen seed equals the runtime `Permission` enum and `GROUP_PERMISSIONS` mapping. Drift now fails CI loudly with a hint to write a new migration instead of editing the existing one. Also: docstring no longer mentions `ttp_version` (M8 follow-up). 2026-05-22 05:24:37 +02:00			`"""`

			`from __future__ import annotations`

			`import importlib`
feat(backend): add USER_MANAGE permission + delta migration (D-015) Adds `Permission.USER_MANAGE = "user.manage"` to the F11 matrix. rt_lead already holds ALL_PERMISSIONS so GROUP_PERMISSIONS is unchanged — rt_lead gets the new permission automatically, rt_operator and soc_analyst get 403. Alembic migration `202605230001_add_user_manage_permission`: - inserts the `user.manage` row into `permission`, - inserts the `(rt_lead, user.manage)` link into `group_permission`, - exposes `_DELTA_PERMISSIONS` / `_DELTA_GROUP_PERMISSIONS` for parity tests. The previous `test_frozen_*_matches_runtime` invariant (MA3) is generalised to "runtime = initial frozen ∪ deltas of every migration in `_DELTAS`". New migrations register themselves there without editing the historical one. Verbatim wording from spec-analyst is recorded as D-015 in `tasks/spec-decisions.md` (separate commit). 2026-05-23 15:52:47 +02:00			`from types import ModuleType`
fix(backend): freeze F11 matrix inline in the initial migration (MA3) Code-review MAJOR MA3. The initial Alembic migration imported the live `mimic.rbac.matrix.GROUP_PERMISSIONS` to seed the `permission` / `group` / `group_permission` rows. That breaks the Alembic invariant "a migration produces the same schema regardless of when you replay it": a future tweak to the runtime matrix would silently change the seeded baseline on a fresh DB. Two changes: 1. The migration now carries an inline frozen snapshot of the F11 matrix (`_PERMISSIONS_FROZEN`, `_GROUP_PERMISSIONS_FROZEN`, `_GROUP_DESCRIPTIONS`). The seed reads from these tuples/dicts only. If the canonical matrix evolves, the next migration is responsible for the delta. 2. A new unit test `test_migration_seed_matches_current_matrix` enforces that the frozen seed equals the runtime `Permission` enum and `GROUP_PERMISSIONS` mapping. Drift now fails CI loudly with a hint to write a new migration instead of editing the existing one. Also: docstring no longer mentions `ttp_version` (M8 follow-up). 2026-05-22 05:24:37 +02:00
			`from mimic.rbac.matrix import GROUP_PERMISSIONS, GroupName, Permission`

feat(backend): add USER_MANAGE permission + delta migration (D-015) Adds `Permission.USER_MANAGE = "user.manage"` to the F11 matrix. rt_lead already holds ALL_PERMISSIONS so GROUP_PERMISSIONS is unchanged — rt_lead gets the new permission automatically, rt_operator and soc_analyst get 403. Alembic migration `202605230001_add_user_manage_permission`: - inserts the `user.manage` row into `permission`, - inserts the `(rt_lead, user.manage)` link into `group_permission`, - exposes `_DELTA_PERMISSIONS` / `_DELTA_GROUP_PERMISSIONS` for parity tests. The previous `test_frozen_*_matches_runtime` invariant (MA3) is generalised to "runtime = initial frozen ∪ deltas of every migration in `_DELTAS`". New migrations register themselves there without editing the historical one. Verbatim wording from spec-analyst is recorded as D-015 in `tasks/spec-decisions.md` (separate commit). 2026-05-23 15:52:47 +02:00			`_INITIAL = "mimic.db.migrations.versions.202605210001_initial_schema"`
			`_DELTAS: tuple[str, ...] = ("mimic.db.migrations.versions.202605230001_add_user_manage_permission",)`


			`def _load(name: str) -> ModuleType:`
			`return importlib.import_module(name)`


			`def _cumulative_permissions() -> set[str]:`
			`initial = _load(_INITIAL)`
			`codes = set(initial._PERMISSIONS_FROZEN)`
			`for name in _DELTAS:`
			`delta = _load(name)`
			`codes.update(delta._DELTA_PERMISSIONS)`
			`return codes`

fix(backend): freeze F11 matrix inline in the initial migration (MA3) Code-review MAJOR MA3. The initial Alembic migration imported the live `mimic.rbac.matrix.GROUP_PERMISSIONS` to seed the `permission` / `group` / `group_permission` rows. That breaks the Alembic invariant "a migration produces the same schema regardless of when you replay it": a future tweak to the runtime matrix would silently change the seeded baseline on a fresh DB. Two changes: 1. The migration now carries an inline frozen snapshot of the F11 matrix (`_PERMISSIONS_FROZEN`, `_GROUP_PERMISSIONS_FROZEN`, `_GROUP_DESCRIPTIONS`). The seed reads from these tuples/dicts only. If the canonical matrix evolves, the next migration is responsible for the delta. 2. A new unit test `test_migration_seed_matches_current_matrix` enforces that the frozen seed equals the runtime `Permission` enum and `GROUP_PERMISSIONS` mapping. Drift now fails CI loudly with a hint to write a new migration instead of editing the existing one. Also: docstring no longer mentions `ttp_version` (M8 follow-up). 2026-05-22 05:24:37 +02:00
feat(backend): add USER_MANAGE permission + delta migration (D-015) Adds `Permission.USER_MANAGE = "user.manage"` to the F11 matrix. rt_lead already holds ALL_PERMISSIONS so GROUP_PERMISSIONS is unchanged — rt_lead gets the new permission automatically, rt_operator and soc_analyst get 403. Alembic migration `202605230001_add_user_manage_permission`: - inserts the `user.manage` row into `permission`, - inserts the `(rt_lead, user.manage)` link into `group_permission`, - exposes `_DELTA_PERMISSIONS` / `_DELTA_GROUP_PERMISSIONS` for parity tests. The previous `test_frozen_*_matches_runtime` invariant (MA3) is generalised to "runtime = initial frozen ∪ deltas of every migration in `_DELTAS`". New migrations register themselves there without editing the historical one. Verbatim wording from spec-analyst is recorded as D-015 in `tasks/spec-decisions.md` (separate commit). 2026-05-23 15:52:47 +02:00			`def _cumulative_group_permissions() -> dict[str, set[str]]:`
			`initial = _load(_INITIAL)`
			`cumulative = {gn: set(perms) for gn, perms in initial._GROUP_PERMISSIONS_FROZEN.items()}`
			`for name in _DELTAS:`
			`delta = _load(name)`
			# `rt_lead` carries ALL_PERMISSIONS at runtime — every delta perm
			`# implicitly extends rt_lead too, regardless of whether the migration`
			`# listed it explicitly.`
			`rt_lead_implicit = {p for perms in delta._DELTA_GROUP_PERMISSIONS.values() for p in perms}`
			`cumulative.setdefault("rt_lead", set()).update(rt_lead_implicit)`
			`for group_name, perms in delta._DELTA_GROUP_PERMISSIONS.items():`
			`cumulative.setdefault(group_name, set()).update(perms)`
			`return cumulative`
fix(backend): freeze F11 matrix inline in the initial migration (MA3) Code-review MAJOR MA3. The initial Alembic migration imported the live `mimic.rbac.matrix.GROUP_PERMISSIONS` to seed the `permission` / `group` / `group_permission` rows. That breaks the Alembic invariant "a migration produces the same schema regardless of when you replay it": a future tweak to the runtime matrix would silently change the seeded baseline on a fresh DB. Two changes: 1. The migration now carries an inline frozen snapshot of the F11 matrix (`_PERMISSIONS_FROZEN`, `_GROUP_PERMISSIONS_FROZEN`, `_GROUP_DESCRIPTIONS`). The seed reads from these tuples/dicts only. If the canonical matrix evolves, the next migration is responsible for the delta. 2. A new unit test `test_migration_seed_matches_current_matrix` enforces that the frozen seed equals the runtime `Permission` enum and `GROUP_PERMISSIONS` mapping. Drift now fails CI loudly with a hint to write a new migration instead of editing the existing one. Also: docstring no longer mentions `ttp_version` (M8 follow-up). 2026-05-22 05:24:37 +02:00

feat(backend): add USER_MANAGE permission + delta migration (D-015) Adds `Permission.USER_MANAGE = "user.manage"` to the F11 matrix. rt_lead already holds ALL_PERMISSIONS so GROUP_PERMISSIONS is unchanged — rt_lead gets the new permission automatically, rt_operator and soc_analyst get 403. Alembic migration `202605230001_add_user_manage_permission`: - inserts the `user.manage` row into `permission`, - inserts the `(rt_lead, user.manage)` link into `group_permission`, - exposes `_DELTA_PERMISSIONS` / `_DELTA_GROUP_PERMISSIONS` for parity tests. The previous `test_frozen_*_matches_runtime` invariant (MA3) is generalised to "runtime = initial frozen ∪ deltas of every migration in `_DELTAS`". New migrations register themselves there without editing the historical one. Verbatim wording from spec-analyst is recorded as D-015 in `tasks/spec-decisions.md` (separate commit). 2026-05-23 15:52:47 +02:00			`def test_runtime_permissions_match_cumulative_migrations() -> None:`
fix(backend): freeze F11 matrix inline in the initial migration (MA3) Code-review MAJOR MA3. The initial Alembic migration imported the live `mimic.rbac.matrix.GROUP_PERMISSIONS` to seed the `permission` / `group` / `group_permission` rows. That breaks the Alembic invariant "a migration produces the same schema regardless of when you replay it": a future tweak to the runtime matrix would silently change the seeded baseline on a fresh DB. Two changes: 1. The migration now carries an inline frozen snapshot of the F11 matrix (`_PERMISSIONS_FROZEN`, `_GROUP_PERMISSIONS_FROZEN`, `_GROUP_DESCRIPTIONS`). The seed reads from these tuples/dicts only. If the canonical matrix evolves, the next migration is responsible for the delta. 2. A new unit test `test_migration_seed_matches_current_matrix` enforces that the frozen seed equals the runtime `Permission` enum and `GROUP_PERMISSIONS` mapping. Drift now fails CI loudly with a hint to write a new migration instead of editing the existing one. Also: docstring no longer mentions `ttp_version` (M8 follow-up). 2026-05-22 05:24:37 +02:00			`runtime_codes = {p.value for p in Permission}`
feat(backend): add USER_MANAGE permission + delta migration (D-015) Adds `Permission.USER_MANAGE = "user.manage"` to the F11 matrix. rt_lead already holds ALL_PERMISSIONS so GROUP_PERMISSIONS is unchanged — rt_lead gets the new permission automatically, rt_operator and soc_analyst get 403. Alembic migration `202605230001_add_user_manage_permission`: - inserts the `user.manage` row into `permission`, - inserts the `(rt_lead, user.manage)` link into `group_permission`, - exposes `_DELTA_PERMISSIONS` / `_DELTA_GROUP_PERMISSIONS` for parity tests. The previous `test_frozen_*_matches_runtime` invariant (MA3) is generalised to "runtime = initial frozen ∪ deltas of every migration in `_DELTAS`". New migrations register themselves there without editing the historical one. Verbatim wording from spec-analyst is recorded as D-015 in `tasks/spec-decisions.md` (separate commit). 2026-05-23 15:52:47 +02:00			`cumulative = _cumulative_permissions()`
			`assert runtime_codes == cumulative, (`
			`"Permission enum drifted from the cumulative migration freeze; "`
			`"write a new migration delta, do not edit existing ones."`
fix(backend): freeze F11 matrix inline in the initial migration (MA3) Code-review MAJOR MA3. The initial Alembic migration imported the live `mimic.rbac.matrix.GROUP_PERMISSIONS` to seed the `permission` / `group` / `group_permission` rows. That breaks the Alembic invariant "a migration produces the same schema regardless of when you replay it": a future tweak to the runtime matrix would silently change the seeded baseline on a fresh DB. Two changes: 1. The migration now carries an inline frozen snapshot of the F11 matrix (`_PERMISSIONS_FROZEN`, `_GROUP_PERMISSIONS_FROZEN`, `_GROUP_DESCRIPTIONS`). The seed reads from these tuples/dicts only. If the canonical matrix evolves, the next migration is responsible for the delta. 2. A new unit test `test_migration_seed_matches_current_matrix` enforces that the frozen seed equals the runtime `Permission` enum and `GROUP_PERMISSIONS` mapping. Drift now fails CI loudly with a hint to write a new migration instead of editing the existing one. Also: docstring no longer mentions `ttp_version` (M8 follow-up). 2026-05-22 05:24:37 +02:00			`)`


feat(backend): add USER_MANAGE permission + delta migration (D-015) Adds `Permission.USER_MANAGE = "user.manage"` to the F11 matrix. rt_lead already holds ALL_PERMISSIONS so GROUP_PERMISSIONS is unchanged — rt_lead gets the new permission automatically, rt_operator and soc_analyst get 403. Alembic migration `202605230001_add_user_manage_permission`: - inserts the `user.manage` row into `permission`, - inserts the `(rt_lead, user.manage)` link into `group_permission`, - exposes `_DELTA_PERMISSIONS` / `_DELTA_GROUP_PERMISSIONS` for parity tests. The previous `test_frozen_*_matches_runtime` invariant (MA3) is generalised to "runtime = initial frozen ∪ deltas of every migration in `_DELTAS`". New migrations register themselves there without editing the historical one. Verbatim wording from spec-analyst is recorded as D-015 in `tasks/spec-decisions.md` (separate commit). 2026-05-23 15:52:47 +02:00			`def test_runtime_group_membership_matches_cumulative_migrations() -> None:`
fix(backend): freeze F11 matrix inline in the initial migration (MA3) Code-review MAJOR MA3. The initial Alembic migration imported the live `mimic.rbac.matrix.GROUP_PERMISSIONS` to seed the `permission` / `group` / `group_permission` rows. That breaks the Alembic invariant "a migration produces the same schema regardless of when you replay it": a future tweak to the runtime matrix would silently change the seeded baseline on a fresh DB. Two changes: 1. The migration now carries an inline frozen snapshot of the F11 matrix (`_PERMISSIONS_FROZEN`, `_GROUP_PERMISSIONS_FROZEN`, `_GROUP_DESCRIPTIONS`). The seed reads from these tuples/dicts only. If the canonical matrix evolves, the next migration is responsible for the delta. 2. A new unit test `test_migration_seed_matches_current_matrix` enforces that the frozen seed equals the runtime `Permission` enum and `GROUP_PERMISSIONS` mapping. Drift now fails CI loudly with a hint to write a new migration instead of editing the existing one. Also: docstring no longer mentions `ttp_version` (M8 follow-up). 2026-05-22 05:24:37 +02:00			`runtime = {gn.value: {p.value for p in perms} for gn, perms in GROUP_PERMISSIONS.items()}`
feat(backend): add USER_MANAGE permission + delta migration (D-015) Adds `Permission.USER_MANAGE = "user.manage"` to the F11 matrix. rt_lead already holds ALL_PERMISSIONS so GROUP_PERMISSIONS is unchanged — rt_lead gets the new permission automatically, rt_operator and soc_analyst get 403. Alembic migration `202605230001_add_user_manage_permission`: - inserts the `user.manage` row into `permission`, - inserts the `(rt_lead, user.manage)` link into `group_permission`, - exposes `_DELTA_PERMISSIONS` / `_DELTA_GROUP_PERMISSIONS` for parity tests. The previous `test_frozen_*_matches_runtime` invariant (MA3) is generalised to "runtime = initial frozen ∪ deltas of every migration in `_DELTAS`". New migrations register themselves there without editing the historical one. Verbatim wording from spec-analyst is recorded as D-015 in `tasks/spec-decisions.md` (separate commit). 2026-05-23 15:52:47 +02:00			`cumulative = _cumulative_group_permissions()`
			`assert runtime == cumulative, (`
			`"GROUP_PERMISSIONS drifted from the cumulative migration freeze; "`
			`"write a new migration delta, do not edit existing ones."`
fix(backend): freeze F11 matrix inline in the initial migration (MA3) Code-review MAJOR MA3. The initial Alembic migration imported the live `mimic.rbac.matrix.GROUP_PERMISSIONS` to seed the `permission` / `group` / `group_permission` rows. That breaks the Alembic invariant "a migration produces the same schema regardless of when you replay it": a future tweak to the runtime matrix would silently change the seeded baseline on a fresh DB. Two changes: 1. The migration now carries an inline frozen snapshot of the F11 matrix (`_PERMISSIONS_FROZEN`, `_GROUP_PERMISSIONS_FROZEN`, `_GROUP_DESCRIPTIONS`). The seed reads from these tuples/dicts only. If the canonical matrix evolves, the next migration is responsible for the delta. 2. A new unit test `test_migration_seed_matches_current_matrix` enforces that the frozen seed equals the runtime `Permission` enum and `GROUP_PERMISSIONS` mapping. Drift now fails CI loudly with a hint to write a new migration instead of editing the existing one. Also: docstring no longer mentions `ttp_version` (M8 follow-up). 2026-05-22 05:24:37 +02:00			`)`


feat(backend): add USER_MANAGE permission + delta migration (D-015) Adds `Permission.USER_MANAGE = "user.manage"` to the F11 matrix. rt_lead already holds ALL_PERMISSIONS so GROUP_PERMISSIONS is unchanged — rt_lead gets the new permission automatically, rt_operator and soc_analyst get 403. Alembic migration `202605230001_add_user_manage_permission`: - inserts the `user.manage` row into `permission`, - inserts the `(rt_lead, user.manage)` link into `group_permission`, - exposes `_DELTA_PERMISSIONS` / `_DELTA_GROUP_PERMISSIONS` for parity tests. The previous `test_frozen_*_matches_runtime` invariant (MA3) is generalised to "runtime = initial frozen ∪ deltas of every migration in `_DELTAS`". New migrations register themselves there without editing the historical one. Verbatim wording from spec-analyst is recorded as D-015 in `tasks/spec-decisions.md` (separate commit). 2026-05-23 15:52:47 +02:00			`def test_initial_frozen_group_names_match_enum() -> None:`
			`initial = _load(_INITIAL)`
			`assert set(initial._GROUP_PERMISSIONS_FROZEN.keys()) == {g.value for g in GroupName}`