Follow-ups: authz scope-link reload and Awaken binding contracts #53

@chaizhenhua

Follow-up from the codex/pg-authz-repo PR review. Current PR is no longer blocked for merge; this issue tracks the remaining P2/P3 quality work that can be handled after merge or before final release.

Context

The correctness blockers have been addressed: PG awaken binding schema/repo, thread/run grant schema, storage-first awaken binding writes, authz reload fallback behavior, and PG/testcontainer coverage are now aligned.

Remaining work is about reload performance, contract clarity, parity coverage, and merge hygiene.

Follow-ups

  • Add a lightweight authz scope-link loader.

    • authz_sync::collect_storage_scope_links currently rebuilds scope links through generic list/search repo APIs such as search_documents(&DocFilter::default()), list_tasks(&TaskFilter::default()), list_projects, list_collections, list_cycles, and list_agent_defs.
    • These paths may hydrate full entities and sidecars even though authz only needs (child_scope, parent_scope) IDs.
    • Suggested shape:
      trait ScopeLinkRepo {
          fn list_authz_scope_links(&self) -> StoreResult<Vec<(Scope, Scope)>>;
      }
    • DB backends should satisfy this with ID-only queries.
  • Add explicit AwakenBindingRepo delete/count contract tests for SQLite and PG.

    • delete_awaken_thread_binding(thread_id) removes only that thread binding and get_awaken_thread_binding_opt returns None afterward.
    • delete_awaken_run_binding(run_id) removes only that run binding.
    • delete_awaken_run_bindings_for_thread(thread_id) returns the correct count and does not affect runs on other threads.
    • Ensure SQLite and PG results stay aligned.
  • Clarify/guard the AwakenBindingRepo unsupported fallback contract.

    • Existing fallback assumes a backend either fully supports awaken thread/run bindings or returns StoreError::Unsupported for the whole family.
    • Document this in the trait, or make authz_sync fallback handling explicitly per-family/per-method so a future partial backend cannot merge storage links with stale SQLite fallback links.
  • Add or document a raw-diff Unicode control/bidi scan before merge.

    • The PR page has shown a hidden/bidirectional Unicode warning.
    • Add a small CI/check script or maintainer checklist item to scan changed text files for unexpected Unicode control/format/bidi characters.

Acceptance criteria

  • Authz reload can rebuild scope ancestry without hydrating labels/attrs/assignees/nested workflow data on SQL backends.
  • SQLite and PG contract tests cover awaken binding delete/count semantics.
  • The fallback behavior for unsupported awaken binding backends is documented or made robust to partial implementations.
  • Changed-file Unicode control/bidi scanning is reproducible and documented or enforced.
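One way to implement the raw-diff scan from the last follow-up, as an added example that is not code from this issue or its repository. It reads a unified diff and reports control, format (including bidi) and line-separator characters on added lines only; the tab-only allowlist, the flagged categories and the sample diff are assumptions made for the example.

```python
import re
import unicodedata

HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")
FLAGGED = {"Cc", "Cf", "Zl", "Zp"}  # control, format (incl. bidi), line/paragraph separators
ALLOWED = {"\t"}                     # assumption: tab is the only control expected mid-line
BIDI = set("\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

def scan_diff(diff_text):
    """Return (path, line, col, codepoint, kind) for flagged chars on added lines."""
    findings, path, new_line, old_left, new_left = [], None, 0, 0, 0
    for raw in diff_text.split("\n"):        # not splitlines(): it also splits on U+2028
        line = raw[:-1] if raw.endswith("\r") else raw
        if old_left <= 0 and new_left <= 0:   # between hunks: only headers matter
            if line.startswith("+++ "):
                target = line[4:].split("\t")[0]
                path = target[2:] if target.startswith("b/") else target
            m = HUNK.match(line)
            if m:                             # an omitted count means 1
                old_left = int(m.group(1) or 1)
                new_line = int(m.group(2))
                new_left = int(m.group(3) or 1)
            continue
        tag, text = line[:1], line[1:]
        if tag == "\\":                       # "\ No newline at end of file"
            continue
        if tag == "-":                        # removed lines are not rescanned
            old_left -= 1
            continue
        if tag == "+":
            for col, ch in enumerate(text, 1):
                cat = unicodedata.category(ch)
                if cat in FLAGGED and ch not in ALLOWED:
                    kind = "bidi" if ch in BIDI else cat
                    findings.append((path, new_line, col, f"U+{ord(ch):04X}", kind))
        else:                                 # context line counts on both sides
            old_left -= 1
        new_left -= 1
        new_line += 1
    return findings

# Constructed sample diff: paths and contents are made up for this example.
SAMPLE_DIFF = (
    "--- a/src/example.rs\n+++ b/src/example.rs\n@@ -10,2 +10,3 @@\n"
    " fn check(role: &str) -> bool {\n"
    "+    role == \"admin\u202e\" // ok\n"
    " }\n"
    "--- a/README.md\n+++ b/README.md\n@@ -1 +1,3 @@\n"
    " title\n"
    "+++ an added line that only looks like a file header\n"
    "+zero\u200bwidth and a\ttab\n"
)
```

In CI the input would be the output of `git diff --unified=0 <base>...HEAD`, with a non-empty result failing the job.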

Labels: enhancement