CR number. CR-2026-098 Version. 0.3 Date. 2026-06-07 Repo (code). loomworks-engine Repo (this document). loomworks-record, change-requests/ Anchor. origin/main @ 2685103 (where v0.2 implementable scope landed) Predecessor. cr-2026-098-engine-api-boundary-closure-v0_2.md (BUG1 + A1 + A2 + B1, landed at 268510; A3 deferred to this v0.3)
An earlier v0.3 draft (never pushed) framed A3 as a Shape-A-vs-Shape-B fork to be decided by a caller recon, on the premise that no HTTP consumer of the /admin/* credit routes was confirmed. The recon ran and that premise proved false: a live Operator Layer admin-grants UI consumes POST /admin/grants and GET /admin/grants. This draft supersedes that fork. Trajectory preserved: the earlier framing assumed deny-all-over-HTTP was safe; the recon showed it would break a built frontend, which reopened — and deliberately re-deferred — the founder-identity question.
Resolve A3 (the deferred item of CR-2026-098) to the extent it can be resolved without inventing a platform-founder principal and without breaking a live consumer. Concretely: remove genuinely dead HTTP surface among the five /admin/* credit routes, clear the stale comment A1 orphaned, and record the routes that carry a real (or test) consumer for a focused follow-up CR where the founder-identity decision lands with their frontend in view.
The five /admin/* credit routes fall into three distinct situations:
(loomworks repo) has a built admin-grants UI (src/app/admin/grants/page.tsx + components; API client src/lib/api/admin-grants.ts calling POST :62 and GET :141). Also exercised by engine tests as system-under-test.
(test_phase_47_credit_endpoints.py). Semantically a credit-admin operation of the same kind as grants; not abandoned, just not yet UI-wired.
GET /admin/engagements/{engagement_id}/spend-authorization** — ZERO callers anywhere. No test, no script, no UI. Dead HTTP surface.
consumer makes founder-identity a real (no longer hypothetical) need — but that decision is the door-vs-ledger, who-is-the-founder, stored-where decision, and it deserves deliberate treatment with the consuming frontend in view, not a rushed landing inside a boundary-closure CR. It is carried to a focused follow-up CR (see "Deferred").
spend-authorization routes (zero callers). Seed principle: do not surface a capability that is not available.
so the founder-check that gates them is decided once, across both, with the Operator Layer frontend in the room.
This CR removes the two zero-caller spend-authorization routes and clears one stale comment. It does NOT touch /admin/grants or /admin/provisioning (carried forward). It does NOT define, store, or grant a founder/platform-authority identity. It does NOT touch the persons model, system_config, the organization model, any infrastructure-engagement membership, or any frontend repo.
surface; surfacing an unavailable capability violates the seed's "only show what is available" principle.
spend-authorization (:437-438, handler at :444's function) and GET (same path) (:463-464, handler at :469's function). Remove both route handlers.
schema or helper exclusive to them — report before removing (same discipline as A1; if any non-spend-authorization consumer of a to-be-removed symbol appears, HALT).
reference exists, remove/repoint it and record the change (corrections preserved).
drops by 2; grants and provisioning still present and unchanged; full suite green except the known pre-existing failures.
deleted. The comment is now inaccurate.
(see migration_router)…".
currently gated by get_current_person only (any authenticated person), pending the founder-authority decision carried to the follow-up CR. No reference to the deleted symbol.
it. (No separate Step 0 recon — the caller recon is complete and recorded above.)
baseline (note: the 5472335 commit message said 3; the current environment shows 4 — test_api_assertion_retract is a Pydantic-version-sensitive dev-handler failure, pre-existing, not from this work). Confirm those 4 and nothing new. Halt before commit.
get_current_person, explicitly carried to the follow-up CR.
consumer-bearing routes is scoped and deferred, not silently dropped.
**The founder/platform-authority decision for /admin/grants and /admin/provisioning.** Triggered by a now-confirmed real consumer: the Operator Layer admin-grants UI. This follow-up is cross-repo (engine + loomworks Operator Layer) and must decide together:
(recon found system_config is the lightest home — a person_id key, no migration; persons model has no role column; org-admin is deferred with no storage; no infra-engagement operator membership exists).
asserted-and-audited (the set_organization_window precedent). The live browser-driven OL consumer points toward door-verification, since a self-asserted CLI actor cannot gate a browser session.
one-function seam), applied with the OL frontend repointed in the same unit so nothing breaks. Until this lands, grants and provisioning remain reachable by any authenticated person — a known, accepted, temporary exposure, recorded here.
DUNIN7 — Done In Seven LLC — Miami, Florida Change Request — Engine API boundary closure A3 resolution — v0.3 — 2026-06-07