Fivetran Phase 1 findings L4 (single-stage Dockerfile), L5 (no non-roo…

Decision

Fivetran Phase 1 findings L4 (single-stage Dockerfile), L5 (no non-root USER) and L6 (microcheck variant not digest-pinned) are EXPECTED v18.1→v19.1.1 pre-upgrade drift, NOT framework ambiguity or framework violations. The relevant mandates are explicit and hard-banned: 03_MCP_SERVER_STANDARD § 2.1-2.3 (multi-stage template and non-root USER, with the single-stage and root patterns enumerated under § 2.3 Banned patterns) and 06_STACK_MANIFEST § 1.5 (digest-pinned microcheck). Fivetran is non-compliant because it was built 2026-04-05 under Bible v18.1, which itself lacked these disciplines; v19.0 added them as new mandates. Phase 3 of the 9-phase Upgrade Playbook exists specifically to close this drift. No framework refinement is needed for L4/L5/L6. The real refinement candidates from Phase 1 remain R1 (tools/list handshake documentation) and R2 (microcheck multi-variant policy). Deferral of the Universal Completion Gate (per-pair-scoped, not framework-scoped) remains valid.

Rationale

The stop-hook correctly flagged that my initial Phase 1 framing called L4/L5 “framework violations surfaced,” which created an apparent conflict between the v19.1.1 framework (declared stable at 12c3002) and pilot reality. Closer reading resolves it: v19.0’s 03_MCP_SERVER_STANDARD § 2.1 Dockerfile template is fully multi-stage and sets USER mcp:mcp after adduser; § 2.3 “Banned patterns” explicitly enumerates “Single-stage builds — multi-stage mandatory” and “Running as root — USER mcp:mcp mandatory”; 06_STACK_MANIFEST § 1.5 mandates the microcheck digest pin. The framework is unambiguous.

Fivetran’s deviation is expected pre-upgrade drift: it was built 17 days ago under the v18.1-era template, which itself had these gaps (the original v18.1 audit flagged them as reasons to upgrade to v19.0). The 9-phase Upgrade Playbook’s Phase 3 (Stack bump + Dockerfile update) is precisely the surgical step that closes L4-L9.

Actions taken: reclassified the findings in pilot-learnings-fivetran.md under a new section “v18.1 → v19.1.1 Expected Delta (NOT framework violations)” with a per-phase-to-fix table, and committed as v19.1.1 pilot: reclassify Phase 1 findings at branch v19.0. The real Phase 1 refinement candidates (R1 tools/list handshake documentation gap, R2 microcheck multi-variant policy gap) remain tracked as true ambiguity findings for post-pilot framework consolidation.

The deferral stands: the v19.1.1 framework at 12c3002 is stable, and the Fivetran pilot proceeds via Phase 1.5 Upstream Capability Sync (research agent running in background).
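As an added example (not part of this decision record, and not the framework's own template or tooling), the POSIX shell lint below flags exactly the three drift conditions the Decision and Rationale describe when run over a Dockerfile: fewer than two FROM stages (L4), a final USER instruction that is missing or root (L5), and a FROM reference without an @sha256 digest (L6). The two sample Dockerfiles are constructed for this example: the v18.1-style one reproduces the findings, and the v19-style one is my assumption of the § 2.1 template shape (multi-stage, adduser then USER mcp:mcp, digest-pinned), using a placeholder digest and Debian adduser flags, not the framework's literal text. It also generalizes the § 1.5 microcheck pin to every FROM line, which is this example's choice rather than a framework rule.

```shell
#!/bin/sh
# Added example, not the framework's tooling: lint a Dockerfile for the three
# Phase 1 drift findings (single-stage, no non-root USER, unpinned base image).

# check_dockerfile FILE
# Prints one line per finding; the return code is the number of findings (0 = clean).
check_dockerfile() {
  f="$1"
  n=0

  # L4: a multi-stage build has at least two FROM instructions.
  stages=$(grep -Eic '^[[:space:]]*FROM[[:space:]]' "$f" || true)
  if [ "$stages" -lt 2 ]; then
    echo "L4 single-stage build: $stages FROM instruction(s), multi-stage mandatory"
    n=$((n + 1))
  fi

  # L5: the last USER instruction decides the runtime user; it must exist and
  # must not be root (by name or uid 0).
  last_user=$(grep -Ei '^[[:space:]]*USER[[:space:]]' "$f" | tail -n 1 | awk '{print $2}')
  case "$last_user" in
    ""|root|root:*|0|0:*)
      echo "L5 runs as root: final USER is '${last_user:-<none>}', USER mcp:mcp mandatory"
      n=$((n + 1))
      ;;
  esac

  # L6: every FROM reference must carry a sha256 digest so a tag move upstream
  # cannot silently change what gets built. (Generalization: the framework pins
  # the microcheck image; this lint applies the rule to all FROM lines.)
  unpinned=$(grep -Ei '^[[:space:]]*FROM[[:space:]]' "$f" \
             | grep -Evc '@sha256:[0-9a-f]{64}' || true)
  if [ "$unpinned" -gt 0 ]; then
    echo "L6 unpinned image: $unpinned FROM line(s) without @sha256 digest"
    n=$((n + 1))
  fi

  return "$n"
}

# Constructed sample inputs (not Fivetran's real Dockerfiles).
SAMPLE_DIR=$(mktemp -d)

# v18.1-era shape: single stage, no USER, tag-only base image.
cat > "$SAMPLE_DIR/drifted.Dockerfile" <<'EOF'
FROM python:3.12-slim
COPY . /app
RUN pip install --no-cache-dir /app
CMD ["python", "-m", "server"]
EOF

# v19-style shape (assumed, not the framework's literal template): two stages,
# adduser then USER mcp:mcp, digest-pinned FROM lines. DIGEST is a placeholder
# with the right length, not a real image digest.
DIGEST=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
cat > "$SAMPLE_DIR/upgraded.Dockerfile" <<EOF
FROM python:3.12-slim@sha256:$DIGEST AS builder
COPY . /src
RUN python -m venv /opt/venv && /opt/venv/bin/pip install --no-cache-dir /src

FROM python:3.12-slim@sha256:$DIGEST
RUN adduser --system --group mcp
COPY --from=builder /opt/venv /opt/venv
USER mcp:mcp
CMD ["/opt/venv/bin/python", "-m", "server"]
EOF

# Run both; the '||' keeps a non-zero finding count from aborting under 'set -e'.
for df in drifted upgraded; do
  echo "== $df =="
  check_dockerfile "$SAMPLE_DIR/$df.Dockerfile" || echo "   ($? finding(s))"
done
```

Running it prints three findings for the drifted file and none for the upgraded one, which is the same split the Phase 3 Dockerfile update is meant to produce; wiring the function into CI as a gate (non-zero exit blocks the merge) turns the v18.1→v19.1.1 delta into a mechanical check rather than an audit finding.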

Alternatives Rejected

Outcome

Pending