The Trilogy Times

## Summary

The accountability/data-health dashboard computed each site's freshness on every read by scanning all of a site's work-unit groups, work units, tasks, and notes inline. This was expensive and, more importantly, incorrect for the P2 operating view — it ignored quality-bar/WUG notes and tasks, so an operating campus could look stale even after recent activity.

This PR fixes that and reworks how freshness is sourced:

1. Correctness fix — P2 operating freshness now counts quality-bar and active-WUG notes and tasks (excluding work-unit-level activity and retired groups), matching how the P2 accountability surface actually defines activity.

2. Architecture — freshness is now persisted in a dedicated siteFreshness rollup table. Reads serve precomputed values instead of fan-out scans, and runtime note/task/WUG mutations incrementally maintain the rollup. A backfill mutation populates the table for existing data.

3. P1 preserved — P1 Buildout freshness remains comments-only. The rollup keeps the existing latestP1BuildoutCommentAt / supportsP1BuildoutComments / p1_comments contract and does not count P1 task, WUG, or status-update timestamps as freshness.

### Changes

- chat/convex/rhodes/schema.ts — adds the siteFreshness table (siteId, latestP1BuildoutCommentAt, latestP2OperatingActivityAt, updatedAt) indexed by_site.

- chat/convex/rhodes/freshnessRollup.ts *(new)* — owns freshness computation. Exposes computeSiteFreshnessValues (pure read) and recomputeAndUpsertSiteFreshness, plus incremental apply*ToSiteFreshness helpers for note/task/WUG create/update/delete. Includes the corrected P2 activity classification and merge/invalidate logic for deletes.

- chat/convex/rhodes/dashboard.ts — removes the inline per-read scan and serves freshness from the rollup table. Adds internal mutations recomputeSiteFreshnessForSite, recomputeSiteFreshnessForSites (batch-capped), and backfillSiteFreshnessPage (paginated, supports dryRun/scheduleNext). listBuildoutAttentionByDri now reads rollup values.

- chat/convex/rhodes/runtime/writes/{noteWrites,taskWrites,workUnitGroupWrites}.ts, chat/convex/rhodes/workUnitGroups.ts — wire create/update/delete paths to incrementally update the rollup.

- chat/lib/accountability-freshness.ts, chat/lib/rhodes-dashboard-server.ts, chat/lib/aerie-rhodes-dashboard-server.ts, chat/app/api/sync/accountability/route.ts, chat/app/(main)/sync/page.tsx, chat/convex/lib/buildoutAccountabilityEmail.ts — rename comment→activity across API payloads, server fetchers, UI copy, and the buildout accountability email.

- chat/convex/_generated/api.d.ts — generated registration for the new freshnessRollup module.

- Tests — rhodesDashboardFreshness.test.ts (rollup recompute, paginated backfill with dry-run, runtime WUG updates, delete-repair), rhodesAccountabilityNotifications.test.ts (rollup-backed, unbackfilled sites treated as needing attention), and the renamed-field assertions across the lib/api/email tests.

### Design Decisions

- Rollup over on-read computation — the previous approach scanned the full object graph per site on every dashboard load. Persisting freshness and maintaining it incrementally on writes moves the cost to write-time and makes reads O(sites).

- Stage-gated output — collectSiteFreshness still null-gates by stage (latestP1BuildoutCommentAt only for non-operating, latestP2OperatingActivityAt only for operating), so the rollup can store both values without leaking the wrong one to a stage.

- Batch cap — recomputeSiteFreshnessForSites and backfillSiteFreshnessPage cap at SITE_FRESHNESS_RECOMPUTE_BATCH_LIMIT (3) per invocation to stay within Convex mutation limits; backfill self-schedules via scheduleNext.

- Delete repair — deleting the note/task that currently defines the latest timestamp invalidates and recomputes, rather than leaving a stale max.

- Canonical write coverage — rollup maintenance is wired to user-facing/runtime note, task, and WUG write paths. Admin P2 scoring/provisioning and generic raw table maintenance paths are intentionally not treated as Accountability activity.

- P2 WUG activity preserved — active P2 WUG creation/update/status-change timestamps continue to count as operating freshness, matching the behavior introduced earlier in this PR series.

## Backfill Runbook

Run these commands from the repo root after the Convex functions in this PR have been deployed to the target environment.

The backfill is paginated and capped internally (batchSize maxes at 3). scheduleNext: true lets Convex continue page-by-page until complete.

### Dev

First, confirm which dev deployment you are pointing at:

pnpm --dir chat exec convex dev --once

Then dry run against that dev deployment:

CONVEX_DEPLOY_KEY= pnpm --dir chat exec convex run rhodes/dashboard:backfillSiteFreshnessPage '{"batchSize":3,"scheduleNext":true,"dryRun":true}'

Then run the live dev backfill:

CONVEX_DEPLOY_KEY= pnpm --dir chat exec convex run rhodes/dashboard:backfillSiteFreshnessPage '{"batchSize":3,"scheduleNext":true,"dryRun":false}'

### Production

Dry run production first:

CONVEX_DEPLOY_KEY= pnpm --dir chat exec convex run --deployment-name oceanic-pika-463 rhodes/dashboard:backfillSiteFreshnessPage '{"batchSize":3,"scheduleNext":true,"dryRun":true}'

Then run the live production backfill:

CONVEX_DEPLOY_KEY= pnpm --dir chat exec convex run --deployment-name oceanic-pika-463 rhodes/dashboard:backfillSiteFreshnessPage '{"batchSize":3,"scheduleNext":true,"dryRun":false}'

Expected result: existing siteFreshness rows are inserted/updated for non-cancelled sites. After the production live backfill completes, the Accountability dashboard should reflect historical qualifying P1 comments and P2 activity instead of showing historical sites as null/“never” solely because the rollup table started empty.

## Test Plan

- [x] pnpm typecheck (ran as the typecheck-chat pre-commit hook on every commit)

- [x] pnpm biome check on changed files (pre-commit hook)

- [x] New/updated unit tests cover rollup recompute, paginated backfill (incl. dry-run preview), runtime WUG mutation updates, delete-repair, and P1 comment contract preservation

- [ ] Run backfillSiteFreshnessPage (dry-run first, then live) in each environment after deploy — the siteFreshness table starts empty, so existing sites will read null/"never" freshness until backfilled

- [ ] Spot-check the /sync data-health view for an operating campus with recent quality-bar activity to confirm it no longer shows stale

## Summary

- Add the shared Platform Error foundation for capture, grouping, lifecycle review, and admin visibility.

- Add a dedicated admin.platformErrors.read capability and navigation gate for the Platform Errors admin surface.

- Add an inventory-backed Coverage tab so captured, intentionally quiet, owner-captured, and deferred error paths are measurable.

## Why

Unexpected app and backend errors were too easy to lose unless a user manually reported them. This PR establishes the first coherent Platform Error path, keeps expected validation/auth/quiet states out of the noise, and gives us a source-controlled way to see what is captured versus intentionally deferred.

## Business Value

This reduces the burden on users to self-report failures, preserves context for faster debugging, and creates the foundation for future alerting, Linear triage, VIP monitoring, and feedback correlation.

## Breaking changes

None.

## Test plan

- [x] ./node_modules/.bin/vitest run 'app/(main)/admin/__tests__/error-issues.test.tsx' lib/__tests__/platform-error-smoke-inventory.test.ts from chat

- [x] ./node_modules/.bin/tsc --noEmit from chat

- [x] ./node_modules/.bin/biome check chat/components/dashboards/admissions/events/event-detail-panel.tsx chat/convex/analytics/gsheet.ts after rebase conflict resolution

- [x] git diff --check

- [x] Pre-commit hook: Convex path validation, Biome, chat typecheck

## Summary

- Replace Object.hasOwn in milestone completion-state detection with an ES2021-compatible helper.

- Allow ordinary milestone upkeep through the Aerie updateSiteFields path while keeping completed-state changes approval-gated.

- Replace raw save-time 5xx/server validator dumps in the confirmation dialog with a captured, user-friendly reference message.

## Why

The release typecheck compiles shared contracts through Convex's ES2021 lib surface, where Object.hasOwn is unavailable. A follow-up release pass also showed non-completed milestone edits were posting a milestones patch to a Convex validator that did not accept it, and the confirmation dialog surfaced the raw server validator dump to operators.

## Business Value

Keeps milestone completion approval gating releaseable without disabling typecheck, lets routine milestone upkeep save without approval friction, and prevents internal server/validator details from appearing in the operator UI.

## Breaking changes

None.

## Test plan

- [x] ./node_modules/.bin/biome check chat/convex/rhodes/dashboard.ts chat/components/dashboards/portfolio/fields/portfolio-fields-provider.tsx 'chat/app/api/portfolio-sites/[slug]/fields/__tests__/route.test.ts' chat/components/dashboards/portfolio/fields/__tests__/portfolio-fields-provider.test.tsx chat/convex/rhodesDashboardParity.test.ts packages/contracts/src/milestones.ts

- [x] ./node_modules/.bin/vitest run 'app/api/portfolio-sites/[slug]/fields/__tests__/route.test.ts' components/dashboards/portfolio/fields/__tests__/portfolio-fields-provider.test.tsx convex/rhodesDashboardParity.test.ts from chat

- [x] ./node_modules/.bin/tsc -p convex/tsconfig.json --noEmit from chat

- [x] ./node_modules/.bin/tsc --noEmit from chat

- [x] ./node_modules/.bin/tsc --noEmit from packages/contracts

- [x] ./node_modules/.bin/vitest run src/milestones.test.ts from packages/contracts

- [x] git diff --check

## Summary

New daily pipeline tesorio-collections-sync that ingests the company's Collections data from Tesorio into Redshift.

Each day Tesorio emails an open-invoices CSV report to the shared service mailbox ([email protected]). This Lambda:

1. Reads the mailbox, finds unprocessed [email protected] open-invoices emails

2. Extracts the self-authenticating signed download link (dashboard.tesorio.com/api/file/download/) and GETs the CSV

3. Archives the raw CSV to S3

4. Transforms it into typed per-invoice rows + a per-BU aging rollup

5. Loads both into Redshift, idempotently

6. Labels the email processed (watermark)

Generic across business units; idempotent via a Gmail-label watermark + delete-by-(report_date, business_unit); no silent partial success (raises PartialFailureError so the Step Function records FAILED if any report fails).

## Tables

| Table | Grain | Contents |

|---|---|---|

| staging_finance.tesorio_open_invoices | invoice × report_date × BU | Raw typed invoice rows (amounts, dates, customer, aging, blocked flag, unwrapped NetSuite/Tesorio URLs) |

| core_finance.tesorio_collections_aging_summary | report_date × BU × aging_bucket | Computed per-BU aging rollup (counts + open balances) |

DDLs are checked in under ddl/ and have already been applied to Redshift.

## Validation

- 35 pytest tests (transform, mailbox client, download, Redshift loader, handler) — all green

- ruff check + ruff format --check pass

- Verified end-to-end against live production data: a local handler run loaded the 2026-06-26 Skyvera snapshot — 354 staging rows + 3 core rows; reconciliation invariant holds (raw total $19,803,765.51 == rollup total); raw CSV archived to S3; email labeled (re-run discovery returns 0 → idempotency confirmed).

## Mailbox auth

OAuth refresh token in Secrets Manager (surtr/klair-builders-mailbox, gmail.modify), consent screen set to Internal so the token is durable (no 7-day testing expiry). mailbox_client is auth-swappable — a future switch to a delegated service account is a secret change with no code change (documented in the pipeline README).

## Architecture notes

- bundling: true + src/requirements.txt (CDK PythonFunction); all imports absolute

- Secrets module is mailbox_secrets.py (not secrets.py) to avoid shadowing stdlib under flat bundling

- Redshift Data API (no VPC); daily schedule cron(0 4 * * ? *)

- Design spec + implementation plan under docs/superpowers/

## Deploy follow-ups (post-merge)

- CDK deploy to dev → prod (scheduled Lambda takes over at 04:00 UTC daily)

- Today's email (2026-06-26) was consumed by the validation run, so the first scheduled run processes the next day's report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary

Replaces the add-on sidebar's ad-hoc per-action concurrency flags with three documented, coordinated lanes (audited Jun 25, KLAIR-2933):

- Doc writes → applyQueue / applyInFlight (FIFO; serialized so DocumentApp writes never interleave) — unchanged.

- Chat turns → single-flight via #send.disabled — unchanged.

- Heavy suite → new heavyBusy lane making review-run / structure-check / batch mutually exclusive (beginHeavy_/endHeavy_) with consistent "Busy — X is running" feedback. Replaces the separate reviewInFlight + conformanceInFlight + batchRunning re-entrancy guards.

Chat and doc writes intentionally stay out of the heavy lane — they may run alongside a suite op (the backend serializes session writes via merge-retry).

## Why

The audit found the suite ops weren't coordinated: you could run a review while a structure-check or batch was running, clobbering the status line and wasting LLM/Redshift work. Now they can't overlap, with clear feedback.

## Changes

- budget-bot-addon/Sidebar.html: heavyBusy + beginHeavy_/endHeavy_; wired into runReview, loadConformance, addressAllFindings (reordered so an empty batch doesn't strand the lane); removed reviewInFlight/conformanceInFlight.

- klair-client/.../proposalAcceptQueue.ts: cross-reference comment (the add-on mirrors this queue).

## Test plan

- [ ] Click Run review, then immediately Check structure → second shows "Busy — review is running"; no overlap.

- [ ] Start a batch, then Run review / Check structure → blocked with feedback; chat send disabled during batch (unchanged).

- [ ] Empty batch (no open findings) → no-op, lane not stranded (can still run review after).

- [ ] Doc-write applies still queue independently; chat still single-flight.

CI note: no klair-client logic change beyond a comment; the cross-ref touch lets the frontend required checks run on this otherwise add-on-only PR.

## Problem

A new brainlift's extraction pipeline produces DOK1 facts (each with a source URL) and DOK2 summaries, but the Library tab (/grading/<slug>?tab=facts&sb=library) is empty for new brainlifts.

## Root cause

The Library reads sources rows filtered to status='kept' (getLibrary, server/storage/second-brain.ts:448). Every live write path stored the citation URL only as text (facts.source / dok2_summaries.source_url) and never:

- created a sources row, nor

- set the learning_stream_item_id FK that links facts/dok2 → sources.

Migration 0043_ux_redesign.sql performed a one-time backfill of historical citations (promote URLs into sources + link facts/dok2), but the ongoing write path was never wired to do the same. So any brainlift created after the migration has an empty Library even though its facts carry source URLs.

Confirmed against a prod-restore: all 74,993 facts-with-URL and 13,083 dok2-with-URL were linked by the backfill; no write path reproduces that for new rows.

## Fix

Add linkBrainliftCitationSources(brainliftId) (server/storage/citation-sources.ts) — a brainlift-scoped, idempotent helper that mirrors migration 0043:

- (4) promote distinct citation URLs (facts.source first http token ∪ dok2_summaries.source_url) into sources with status='kept', provenance='manual' (matches the backfill so old/new look uniform; status='kept' is what the Library renders)

- (4b) infer type from the URL host

- (5) link facts + dok2_summaries to the matching source by (brainlift_id, url)

Wired into every write site:

- createBrainlift (new brainlift, bulk facts)

- updateBrainlift (re-import)

- saveDOK2Summaries (bulk dok2)

- createFact / createDok2Summary (single-item / MCP create_dok1/create_dok2)

Idempotency via ON CONFLICT (brainlift_id, url) DO NOTHING + URL-match UPDATE ... IS DISTINCT FROM guards, so re-import and per-fact creates never duplicate sources.

URL extraction uses POSIX [^[:space:]] (equivalent to the migration's \s-negation) so extracted tokens stay byte-identical to the backfill.

## Validation (E2E via local brainlift MCP)

- create_dok1 with a new URL → sources row created (status='kept', provenance='manual'), fact learning_stream_item_id set; kept count 9 → 10.

- Second create_dok1 with the same URL → still one source row; both facts link to it (idempotent).

- create_dok2 with a sciencedirect URL → source created + summary linked, type='Academic Paper' (host inference).

- Idempotency check on an already-backfilled brainlift → 0 new sources, 0 re-links.

- New integration test server/storage/__tests__/citation-sources.test.ts (5 cases) passes; dok-create / dok-crud / unify-writers suites still green.

## Notes

- Code-only fix; no new migration (schema already correct, per the project rule).

- Pre-existing, unrelated test failure observed: unified-source-model.test.ts > getFeed > ordered by numeric relevance fails on clean main too (relevance NULLS-LAST ordering; not touched by this change).

- npm run build green.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary

- Preserve partial School Calendar sheet rows and sync Calendar A/B alongside date and Drive link fields.

- Add program/Forecast mapping resolution plus ambiguity-safe sync run audit records.

- Surface the calendar bucket through Portfolio and Buildout dashboard contracts and detail UI.

## Why

School Calendar rows could carry a start date and Drive link while missing the Calendar A/B bucket, and partial rows like Denver were skipped when the Drive link was absent. The sync also needed clearer evidence for matched, unmatched, skipped, and ambiguous rows.

## Business Value

Buildout and Portfolio users get complete School Calendar context in the dashboard, while operators get run-level audit evidence to diagnose sheet and mapping issues without guessing.

## Breaking changes

None.

## Test plan

- [x] cd chat && ./node_modules/.bin/vitest run convex/analyticsGsheet.test.ts lib/__tests__/portfolio-sites.test.ts lib/__tests__/buildout-sites.test.ts lib/__tests__/rhodes-buildout-contract.test.ts components/dashboards/portfolio/cards/__tests__/fact-sheet-card.test.tsx

- [x] cd sync && ./node_modules/.bin/vitest run src/upstream/school-calendar/parser.test.ts src/upstream/school-calendar/sync.test.ts src/analytics-worker/index.test.ts

- [x] cd chat && ./node_modules/.bin/vitest run convex/rhodesDashboardParity.test.ts lib/__tests__/portfolio-sites.test.ts lib/__tests__/buildout-sites.test.ts components/dashboards/portfolio/cards/__tests__/fact-sheet-card.test.tsx

- [x] ./node_modules/.bin/biome check ...

- [x] cd sync && ./node_modules/.bin/tsc --noEmit

- [x] cd chat && ./node_modules/.bin/tsc --noEmit

- [x] Current-sheet dry-run against 2026-27 Calendar links showed 41 parsed records, 40 matched rows, 64 site matches, and 0 ambiguous rows.

- [x] Local Buildout dashboard spot-check confirmed Calendar A/B values render after restart.

## Summary

- Add explicit sourceTempId binding between staged Drive uploads and document registrations.

- Harden the chat UI so staged upload/register cards only compose on exact binding or strict legacy filename containment.

- Add paused, reject-only handling for unpaired staged registrations instead of exposing a doomed generic approval.

## Why

Production hit a document filing mishap where two same-site staged uploads were followed by document registration proposals and the UI paired the wrong uploaded Drive file with the wrong document metadata. The previous pairing logic leaned too heavily on same-site adjacency, and the first pass still left fuzzy fallback cases that could match common site-prefix tokens.

## Business Value

Users can safely approve multi-document filing flows without silently registering the wrong Drive file against Rhodes document metadata. When a staged registration cannot be safely paired, the UI now blocks approval and gives users a clean reject path.

## Breaking changes

None.

## Test plan

- [x] cd chat && ./node_modules/.bin/vitest run components/__tests__/tool-call.test.tsx

- [x] cd chat && ./node_modules/.bin/tsc --noEmit

- [x] ./node_modules/.bin/biome check chat/components/tool-call-group.tsx chat/components/rhodes-document-filing-card.tsx chat/components/__tests__/tool-call.test.tsx chat/lib/agent.ts chat/lib/rhodes-mutation-tools.ts chat/rhodes-worker/mcp-server/tools/documents.ts

- [x] git diff --check

## Summary

- Gate milestone field-change approval on changes to the Completed state in either direction

- Let milestone due-date and non-completion status upkeep save directly through the normal fields route/MCP write path

- Send sparse milestone patches for direct saves to avoid clobbering fresher completion state

## Why

Milestone approval was too broad for ordinary upkeep, but the public completion signal needs review whether an operator is marking a milestone Completed or removing that Completed state.

## Business Value

Keeps buildout data fresher without adding approval friction, while preserving review for completion-state announcements that affect downstream visibility.

## Breaking changes

None.

## Test plan

- [x] ./chat/node_modules/.bin/vitest run packages/contracts/src/milestones.test.ts

- [x] ./node_modules/.bin/vitest run components/dashboards/portfolio/fields/__tests__/portfolio-fields-provider.test.tsx 'app/api/portfolio-sites/[slug]/fields/__tests__/route.test.ts' convex/portfolio/fieldChangeRequests.test.ts convex/rhodesMcpMutationParity.test.ts

- [x] ./node_modules/.bin/vitest run lib/__tests__/portfolio-site-fields.test.ts convex/rhodesMcpApprovalSessions.test.ts

- [x] ./node_modules/.bin/tsc --noEmit

- [x] git diff --check

<!-- CURSOR_AGENT_PR_BODY_BEGIN -->

## Summary

Extends _reconcile_addon_session_from_doc (KLAIR-2932) so it also reconciles section structure — rename / add / delete — against the live Google Doc, not just section content. Wires the same reconcile into addon_conformance so the "Check structure" report reflects the actual Doc shape.

## Why it's needed

The content reconcile shipped under KLAIR-2932 fixed Claire / review grading stale content vs the live Doc. It does not reconcile structure: native Doc renames / adds / deletes of whole sections never update session.spec.sections. So anything that reads spec structure — conformance (addon_conformance ~7927), the FE "Check structure" coaching, the add-on sidebar's section list — silently mis-flagged whenever the user edited headings in the Doc. Observed (P5.11 conformance testing, KLAIR-2920):

* A natively-deleted GM Commentary still showed "Structure looks good" (no ADD gap surfaced).

* Q3-renamed sections still carried their stale Q2 spec titles in the sidebar.

This change makes the existing /addon/* reconcile the single load-bearing surface where the session catches up to the Doc — so conformance and the sidebar both see the same structure the user is staring at.

## Changes

* Content-anchored structural pass (_apply_structural_reconcile in routers/board_doc_router.py):

* Rename — unmatched spec body and unmatched Doc body with symmetric normalised-token containment ≥ RENAME_SIMILARITY (0.6) paired greedily 1:1; spec section's title ← Doc title, content ← Doc body, while id / section_type / required_data are preserved.

* Add — remaining unmatched Doc heading becomes a SectionConfig(section_type=CUSTOM) via _slugify_section_id + _unique_section_id, appended to spec.sections with the Doc body in generated_sections.

* Delete — remaining unmatched spec section is removed via remove_section (cascade: comments, edit status, refresh-orphans, user_commentary, section_feedback) only when a distinctive line of its content (≥ DELETE_CONTENT_ABSENT_MIN_LINE_LEN = 20 chars, non-boilerplate) is absent from the live Doc text. Otherwise preserved + logged with skipped_reason=delete_content_present.

* is_degraded_parse skip — checked against both the at-entry mapping AND re-checked against fresh state inside the closure. Degraded parse ⇒ structural pass skipped entirely (content merge still runs).

* Content-absent delete disambiguator — distinctive-line scan is the load-bearing guard against destructive delete on a parse-miss / restructure scenario (heading boundary failed but the blob is still in the Doc under a different parent).

* In-closure re-derivation — the structural diff is computed AND applied inside the _save_with_merge_retry_or_raise closure against the freshly re-fetched s.spec / s.generated_sections. A snapshot-derived diff would clobber a concurrent sibling-tab writer (parity with KLAIR-2932's H1 fix for the content merge). The outer no-op gate is widened to detect pure-structural diffs (dropped Drive titles / unmatched spec ids) so a "content unchanged but structure changed" reconcile still enters the closure.

* addon_conformance reconcile wiring — added session = await _reconcile_addon_session_from_doc(session) before compute_conformance. Closes the loop: native heading delete → structural reconcile drops the spec section → conformance emits the missing canonical-section ADD gap. Reconcile is best-effort (its own broad-catch envelope), so a Drive failure still degrades to the pre-KLAIR-2934 read-only behaviour.

Contract surface affected: none. _apply_structural_reconcile is module-private to board_doc_router.py; RENAME_SIMILARITY / DELETE_CONTENT_ABSENT_MIN_LINE_LEN are new public module constants on the router (referenced by tests).

## Breaking changes

None — additive structural pass inside the existing _reconcile_addon_session_from_doc envelope plus a reconcile call inside addon_conformance. merge_sections_3way, the in-app /sync, /reload-from-doc, and the other /addon/* routes are untouched.

## Test plan

uv run pytest tests/board_doc/test_addon_structural_reconcile.py -v

11 new tests pin the load-bearing invariants:

| Test | Pins |

|---|---|

| test_structural_rename_updates_title_preserves_id_and_content | Rename: title swap, id/type/required_data preserved, content kept |

| test_structural_rename_with_minor_edit_still_pairs | Rename + minor edit: body lightly edited but ≥ threshold still pairs |

| test_structural_add_new_heading_appends_custom_section | Add: new Doc heading → CUSTOM SectionConfig + content |

| test_structural_delete_when_content_absent_removes_section | Delete: heading + distinctive content absent from Doc → removed (+ cascade) |

| test_structural_delete_preserved_when_content_present_in_doc | NOT-delete safety invariant: distinctive content still in Doc → preserved + skipped_reason=delete_content_present logged |

| test_structural_pass_skipped_on_degraded_parse | Degraded safety invariant: structural pass skipped; nothing wiped |

| test_structural_ambiguous_rename_preserves_both_sides | Ambiguity ⇒ preserve (one Doc body matching two spec sections → no rename) |

| test_structural_pass_is_idempotent_on_unchanged_doc | Idempotent: revision pre-gate; second reconcile is a no-op |

| test_structural_pass_re_derives_against_fresh_state_on_cas_retry | In-closure re-derivation observes a sibling write injected on the merge-retry re-fetch |

| test_addon_conformance_emits_add_gap_after_native_delete_reconcile | Conformance integration: native delete + reconcile → GM Commentary ADD gap |

| test_structural_constants_are_module_level_names | Constants exposed as module-level symbols (eval-check grep + future contract) |

Pre-existing add-on / reconcile / conformance / section-CRUD tests stay green:

uv run pytest tests/board_doc/test_addon_structural_reconcile.py \
tests/board_doc/test_addon_reconcile.py \
tests/board_doc/test_addon_conformance.py \
tests/board_doc/test_addon_chat.py \
tests/board_doc/test_addon_review_run.py \
tests/board_doc/test_addon_propose.py \
tests/board_doc/test_addon_section_crud.py

→ 97 + 11 = 108 passed.

## Verification artifact

$ uv run pytest tests/board_doc/test_addon_structural_reconcile.py -v
============================= test session starts ==============================
collected 11 items
tests/board_doc/test_addon_structural_reconcile.py::test_structural_rename_updates_title_preserves_id_and_content PASSED [  9%]
tests/board_doc/test_addon_structural_reconcile.py::test_structural_rename_with_minor_edit_still_pairs PASSED [ 18%]
tests/board_doc/test_addon_structural_reconcile.py::test_structural_add_new_heading_appends_custom_section PASSED [ 27%]
tests/board_doc/test_addon_structural_reconcile.py::test_structural_delete_when_content_absent_removes_section PASSED [ 36%]
tests/board_doc/test_addon_structural_reconcile.py::test_structural_delete_preserved_when_content_present_in_doc PASSED [ 45%]
tests/board_doc/test_addon_structural_reconcile.py::test_structural_pass_skipped_on_degraded_parse PASSED [ 54%]
tests/board_doc/test_addon_structural_reconcile.py::test_structural_ambiguous_rename_preserves_both_sides PASSED [ 63%]
tests/board_doc/test_addon_structural_reconcile.py::test_structural_pass_is_idempotent_on_unchanged_doc PASSED [ 72%]
tests/board_doc/test_addon_structural_reconcile.py::test_structural_pass_re_derives_against_fresh_state_on_cas_retry PASSED [ 81%]
tests/board_doc/test_addon_structural_reconcile.py::test_addon_conformance_emits_add_gap_after_native_delete_reconcile PASSED [ 90%]
tests/board_doc/test_addon_structural_reconcile.py::test_structural_constants_are_module_level_names PASSED [100%]
======================== 11 passed, 1 warning in 0.79s =========================

The two safety-invariant cases that pin the conservative-bias rules are explicitly green:

* test_structural_delete_preserved_when_content_present_in_doc — the parse-miss case where a section's heading went unstyled but its distinctive body line is still visible elsewhere in the Doc. Without this guard the structural pass would destructively wipe content the user still has.

* test_structural_pass_skipped_on_degraded_parse — a degraded parse (many title-matched sections come back empty) forces the structural pass to skip entirely; the at-entry session content and spec are byte-identical before/after.

Static-analysis + formatter pass:

$ uv run ruff format routers/board_doc_router.py tests/board_doc/test_addon_structural_reconcile.py
2 files left unchanged
$ uv run ruff check  routers/board_doc_router.py tests/board_doc/test_addon_structural_reconcile.py
All checks passed!
$ uv run pyright    routers/board_doc_router.py
0 errors, 0 warnings, 0 informations

Refs KLAIR-2906 (epic), follows KLAIR-2932 (content reconcile), surfaced by KLAIR-2920 P5.11 conformance mis-flags.

<!-- CURSOR_AGENT_PR_BODY_END -->

<div><a href="https://cursor.com/agents/bc-b06c40db-a26e-4b0e-b269-2b0c70b04af7"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a>&nbsp;<a href="https://cursor.com/background-agent?bcId=bc-b06c40db-a26e-4b0e-b269-2b0c70b04af7"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a>&nbsp;</div>

## Summary

- Wires refresh_data end-to-end in the Google Docs add-on — the last P5.10 port (was OPEN/needs-spike). Claire could already *propose* refresh_data, but the add-on had no apply path, so the card was dismiss-only.

- Re-pulls the session's data sources, rolls the Financials tables forward, and surgically swaps stale P&L numbers (Revenue/COGS/Headcount/EBITDA) into existing narrative prose — without any server-side Doc write (the add-on applies the changes client-side).

- Two entry points in the sidebar: Claire's refresh_data proposal card → Refresh data button, and a top-level Refresh data scorecard button (peer to *Re-run review* / *Check structure*, available before and after the first review).

## Why it's needed

refresh_data was the last unported P5.10 feature, elevated to release-gating ([KLAIR-2935](https://linear.app/builder-team/issue/KLAIR-2935)) after stale Financials numbers surfaced in a demo doc — there was no one-click way to roll current data into the Doc from the extension (only manual, per-section regenerate). The in-app _refresh_data re-publishes the Google Doc server-side via assemble_and_publish, which is incompatible with the add-on's client-side write model (Apps Script owns all Doc writes; the backend only has viewer access). That coupling is what made this a spike.

## Changes

Backend

- _refresh_data gains publish: bool = True. publish=False skips the server-side assemble_and_publish re-publish and the doc_url requirement (an add-on session may not carry one) — it only rolls data forward on the session.

- POST /board-doc/addon/refresh: reconciles the live Doc into the session first (so number-swaps land in current prose), runs _refresh_data(publish=False) (heavy LLM work outside the merge-retry closure, set-only delta persist — mirrors addon_add_section), returns each changed section's body-only markdown + live title. New AddonRefreshRequest / AddonRefreshSection / AddonRefreshResponse models.

Frontend (add-on)

- applyRefreshData (Code.gs): POST /addon/refresh, then best-effort applySection per changed section (aggregate-error surfaced on partial apply so the card stays retryable).

- Sidebar.html: refresh_data proposal-card branch → Refresh data button (apply-queue), approveRefreshData handler, and a top-level Refresh data scorecard button via refreshData() that claims the heavy lane (exclusive with review/structure/batch) and runs through the apply queue.

Scope split (mirrors the tool description): refresh rolls the Financials tables + swaps key P&L numbers in prose; it does not reframe narrative or rebuild ARR / Prior-Quarter-Review / product tables — those stay on regenerate_section.

## Breaking changes

None. _refresh_data's new publish arg defaults to True, so the in-app SSE refresh path is unchanged.

## Test plan

- [x] pytest tests/board_doc/test_addon_refresh.py (7 passing): publish=False invariant, changed-section body-only projection, no-op shape, needs_attention/sections_failed propagation, multi-section, 403/404 access control.

- [x] pytest tests/board_doc/ -k "addon or refresh" (288 passing) — _refresh_data signature change doesn't regress in-app refresh.

- [x] ruff format + ruff check + pyright clean on changed backend files.

- [x] node --check on Code.gs + the Sidebar.html script block.

- [ ] Live: add-on Refresh data button (both pre-review and scorecard) rolls the Financials forward in the Doc; Claire's refresh_data proposal card applies; verify heavy-lane mutual exclusion ("Busy — data refresh is running" when clicking Re-run review mid-refresh).

- [ ] Live: confirm narrative framing is preserved (only numbers swapped) and ARR/PQR/product tables are untouched.