Sideloading: App accepts Output File Sets from Executor (#42)

* accept output file set callbacks

add the earthbeam callback and job payload fields needed to record executor output file sets.

keep the table keyed by uid, harden the callback error handling, and cover the new auth and payload behavior with integration tests.

Co-authored-by: Codex <noreply@openai.com>

* fix path validation, store output file set path, update AGENTS.md

- tighten startsWith check to require exact match or trailing slash,
  preventing sibling-prefix bypass (e.g. output-evil)
- add regression test for sibling-prefix path rejection
- add path column to run_output_file_set (migration 030) so PR 6 can
  reconstruct download paths for subfolder output sets
- update AGENTS.md sequence diagram and executor lifecycle to include
  the output-files callback

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Made-with: Cursor

* add unique constraint and duplicate detection for output file sets

The PR-4 review flagged that a retried executor POST for the same
run_id + path would silently create duplicate output file sets.
Consolidate the path column and a UNIQUE(run_id, path) constraint
into migration 029 (removing the now-unnecessary 030), add an
application-level duplicate check returning 409 Conflict, and cover
the scenario with an integration test.

Co-authored-by: Claude <noreply@anthropic.com>
Made-with: Cursor

* catch unique constraint instead of pre-querying, clean up tests

- replace findFirst duplicate check with catch on P2002 unique
  constraint violation to eliminate TOCTOU race and save a query
- move jobX setup into the cross-run auth test that uses it
- remove redundant sentToOds=false test (just persisting a boolean)
- fix test semantics: sideloaded paths use sentToOds=false,
  ODS-sent paths use sentToOds=true
- simplify TIMESTAMP(6) to TIMESTAMP in migration 029
- gitignore docs/, .cursor/skills/, .claude/skills/, .agents/
  to prevent accidental commits of in-progress project docs

Co-authored-by: Claude <noreply@anthropic.com>
Made-with: Cursor

* use .catch for output file set error handling

Flatten the try/catch into a .catch on the create promise to
match the pattern used elsewhere and reduce nesting.

Co-authored-by: Claude <noreply@anthropic.com>
Made-with: Cursor

* require subfolder path, use relative S3 keys, canonicalize trailing slashes

Review round 3 fixes:
- Reject bare base path in output-files callback (must be a proper subfolder)
- Canonicalize trailing slashes before validation and persistence to prevent
  duplicate-bypassing of the UNIQUE(run_id, path) constraint
- Switch outputFilesBasePath from full S3 URI to relative key ({fileBasePath}/output)
  since the executor sends relative paths, not protocol://bucket URIs
- Rename lb-download-dir to roster-download-dir in local executor service
- Revert .gitignore scope creep (moved to .git/info/exclude)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* remove outputFilesBasePath from executor payload, validate against fileBasePath

The executor owns the output file location — it doesn't need the app
to tell it where to write. Removed outputFilesBasePath from the DTO
and payload. The output-files callback now validates the reported path
is a child of fileBasePath (the job's data directory) instead of a
narrower outputFilesBasePath.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* consolidate GET /:runId tests, remove outputFilesBasePath test

Move appUrls.outputFiles payload test into the existing GET /:runId
describe block (above Descriptor Mappings). Remove the duplicate
describe block and the outputFilesBasePath test, which tested a field
that was never shipped.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* reject output file set callback when no files found at S3 path

If the executor posts a path that has no files in S3, return 400
rather than creating a record with an empty files array.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* type RunOutputFileSet.files as string[]

Add prisma-json-types-generator annotation so the files column is
typed as string[] instead of generic Json.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* add .nxignore to prevent nx daemon from indexing vite temp files

Vite creates transient timestamp files (e.g. vite.config.mts.timestamp-*.mjs)
that NX caches in its project graph. When the dev server stops and deletes
them, NX fails with "Unable to load" errors requiring nx reset.

Co-authored-by: Claude <noreply@anthropic.com>
Made-with: Cursor

* return { key, name } from listFilesAtPath, simplify callers

listFilesAtPath now filters out undefined keys and folder markers
internally, and returns objects with both the full S3 key and the
filename. This removes duplicate prefix-stripping from both callers
and makes the contract explicit.

Also adds a test for completeRun saving output files from S3 listing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* remove redundant error logging from output file set catch

NestJS's built-in exception handler already logs unhandled errors
with full stack traces and returns a generic 500. The manual
catch-log-rethrow was duplicating that with less detail.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 3 people

AGENTS.md

@@ -111,6 +111,7 @@ sequenceDiagram
     Exec->>Exec: earthmover run (transform data)
     Exec->>ODS: lightbeam send (load to ODS)
     Exec->>S3: Upload output artifacts
+    Exec->>App: POST /output-files (path + sentToOds → app lists S3, saves run_output_file_set)
 
     Exec->>App: POST /status, /error, /summary, /unmatched-ids
     Exec->>App: POST /status {action: done}
@@ -156,7 +157,8 @@ sequenceDiagram
 6. **Transform**: `earthmover run` (with encoding detection + retry)
 7. **Load**: `lightbeam send` to Ed-Fi ODS
 8. **Report**: POST summary, unmatched IDs, errors to app via callback URLs
-9. **Done**: POST status `{action: DONE, status: success|failure}`
+9. **Output files**: POST output file path + `sentToOds` flag to `/output-files` callback; app validates path, lists S3, saves `run_output_file_set`
+10. **Done**: POST status `{action: DONE, status: success|failure}`
 
 ### S3 Path Structure
 

app/.nxignore

@@ -0,0 +1,2 @@
+
+n*.timestamp-*

app/api/integration/helpers/setup-and-teardown/tasks/init-app.ts

@@ -32,7 +32,10 @@ export const initApp = async function () {
         getPresignedDownloadUrl: jest
           .fn()
           .mockImplementation((f) => Promise.resolve(`s3-test-download-url://${f.fullPath}`)),
-        listFilesAtPath: jest.fn().mockResolvedValue(['test-file-1', 'test-file-2']),
+        listFilesAtPath: jest.fn().mockResolvedValue([
+          { key: 'test-path/test-file-1', name: 'test-file-1' },
+          { key: 'test-path/test-file-2', name: 'test-file-2' },
+        ]),
         doFilesExist: jest.fn().mockResolvedValue(true),
       })
       .compile();

app/api/integration/tests/earthbeam-api.spec.ts

@@ -8,6 +8,7 @@ import { Run } from '@prisma/client';
 import { partnerA } from '../fixtures/context-fixtures/partner-fixtures';
 import { EventEmitterLogService, EVENT_EMITTER_SERVICE } from 'api/src/event-emitter/event-emitter.service';
 import { userA } from '../fixtures/user-fixtures';
+import { FileService } from 'api/src/files/file.service';
 
 describe('Earthbeam API', () => {
   describe('GET /:runId', () => {
@@ -62,6 +63,16 @@ describe('Earthbeam API', () => {
       expect(res.status).toBe(403);
     });
 
+    it('should include appUrls.outputFiles in the job payload', async () => {
+      const res = await request(app.getHttpServer())
+        .get(endpointA)
+        .set('Authorization', `Bearer ${tokenA}`);
+
+      expect(res.status).toBe(200);
+      expect(res.body.appUrls.outputFiles).toBeDefined();
+      expect(res.body.appUrls.outputFiles).toContain(`/earthbeam/jobs/${runA.id}/output-files`);
+    });
+
     // TODO: add tests for things other than descriptor mappings
     describe('Authenticated requests: Descriptor Mappings', () => {
       const testDescriptorTypeA = 'testDescriptorTypeA';
@@ -187,6 +198,7 @@ describe('Earthbeam API', () => {
         expect(descriptorNamespaceX).toBeUndefined(); // not included in seed for partner X
       });
     });
+
   });
 
   describe('POST /:runId/status', () => {
@@ -222,15 +234,44 @@ describe('Earthbeam API', () => {
     describe('Complete Run', () => {
       // TODO: more tests re: run completion
       let eventEmitterMock: jest.SpyInstance;
+      let fileServiceMock: Record<string, jest.Mock>;
 
       beforeEach(async () => {
         eventEmitterMock = jest.spyOn(EventEmitterLogService.prototype, 'emit');
+        fileServiceMock = app.get(FileService) as unknown as Record<string, jest.Mock>;
       });
 
       afterEach(() => {
         eventEmitterMock.mockRestore();
       });
 
+      it('should save output files from S3 listing', async () => {
+        fileServiceMock.listFilesAtPath.mockResolvedValueOnce([
+          { key: 'partner/tenant/2025/1/output/results.jsonl', name: 'results.jsonl' },
+          { key: 'partner/tenant/2025/1/output/summary.csv', name: 'summary.csv' },
+        ]);
+
+        const res = await request(app.getHttpServer())
+          .post(endpointA)
+          .set('Authorization', `Bearer ${tokenA}`)
+          .send({ action: 'done', status: 'success' });
+        expect(res.status).toBe(201);
+
+        const outputFiles = await prisma.runOutputFile.findMany({
+          where: { runId: runA.id },
+          orderBy: { name: 'asc' },
+        });
+        expect(outputFiles).toHaveLength(2);
+        expect(outputFiles[0]).toMatchObject({
+          name: 'results.jsonl',
+          path: 'partner/tenant/2025/1/output/results.jsonl',
+        });
+        expect(outputFiles[1]).toMatchObject({
+          name: 'summary.csv',
+          path: 'partner/tenant/2025/1/output/summary.csv',
+        });
+      });
+
       describe('Slack Notifiction', () => {
         it('should send a slack notification when the run is complete', async () => {
           const res = await request(app.getHttpServer())
@@ -311,4 +352,165 @@ describe('Earthbeam API', () => {
       });
     });
   });
+
+  describe('POST /:runId/output-files', () => {
+    let runA: Run;
+    let tokenA: string;
+    let endpointA: string;
+    let jobA: Awaited<ReturnType<typeof seedJob>>;
+    let fileBasePath: string;
+    let fileServiceMock: Record<string, jest.Mock>;
+
+    beforeEach(async () => {
+      const authService = app.get(EarthbeamApiAuthService);
+      fileServiceMock = app.get(FileService) as unknown as Record<string, jest.Mock>;
+
+      jobA = await seedJob({
+        odsConfig: odsConfigA2425,
+        bundle: bundleA,
+        tenant: tenantA,
+      });
+
+      if (!jobA?.runs?.[0]) {
+        throw new Error('Failed to seed job and run');
+      }
+      runA = jobA.runs[0];
+      tokenA = await authService.createAccessToken({ runId: runA.id });
+      endpointA = `/earthbeam/jobs/${runA.id}/output-files`;
+      fileBasePath = jobA.fileBasePath!;
+    });
+
+    it('should reject unauthenticated requests', async () => {
+      const res = await request(app.getHttpServer()).post(endpointA);
+      expect(res.status).toBe(401);
+    });
+
+    it('should reject requests if the token does not match the run id', async () => {
+      const authService = app.get(EarthbeamApiAuthService);
+      const jobX = await seedJob({
+        odsConfig: odsConfigX2425,
+        bundle: bundleX,
+        tenant: tenantX,
+      });
+      if (!jobX?.runs?.[0]) {
+        throw new Error('Failed to seed job and run');
+      }
+      const tokenX = await authService.createAccessToken({ runId: jobX.runs[0].id });
+
+      const res = await request(app.getHttpServer())
+        .post(endpointA)
+        .set('Authorization', `Bearer ${tokenX}`)
+        .send({ path: `${fileBasePath}/output/sideloaded`, sentToOds: false });
+      expect(res.status).toBe(403);
+    });
+
+    it('should reject paths outside the job data directory', async () => {
+      const res = await request(app.getHttpServer())
+        .post(endpointA)
+        .set('Authorization', `Bearer ${tokenA}`)
+        .send({ path: 'other-partner/other-tenant/other-year/other-job/output/evil', sentToOds: true });
+      expect(res.status).toBe(400);
+    });
+
+    it('should reject sibling paths that share the fileBasePath prefix', async () => {
+      const res = await request(app.getHttpServer())
+        .post(endpointA)
+        .set('Authorization', `Bearer ${tokenA}`)
+        .send({ path: `${fileBasePath}-evil`, sentToOds: true });
+      expect(res.status).toBe(400);
+    });
+
+    it('should reject the bare base path (must be a child)', async () => {
+      const res = await request(app.getHttpServer())
+        .post(endpointA)
+        .set('Authorization', `Bearer ${tokenA}`)
+        .send({ path: fileBasePath, sentToOds: true });
+      expect(res.status).toBe(400);
+    });
+
+    it('should reject the bare base path with trailing slash', async () => {
+      const res = await request(app.getHttpServer())
+        .post(endpointA)
+        .set('Authorization', `Bearer ${tokenA}`)
+        .send({ path: `${fileBasePath}/`, sentToOds: true });
+      expect(res.status).toBe(400);
+    });
+
+    it('should reject when no files are found at the given path', async () => {
+      fileServiceMock.listFilesAtPath.mockResolvedValueOnce([]);
+
+      const res = await request(app.getHttpServer())
+        .post(endpointA)
+        .set('Authorization', `Bearer ${tokenA}`)
+        .send({ path: `${fileBasePath}/output/empty`, sentToOds: true });
+      expect(res.status).toBe(400);
+    });
+
+    it('should canonicalize trailing slashes and store the path without them', async () => {
+      const subfolder = `${jobA.fileBasePath}/output/transformed/`;
+      fileServiceMock.listFilesAtPath.mockResolvedValueOnce([
+        { key: `${subfolder}output1.jsonl`, name: 'output1.jsonl' },
+      ]);
+
+      const res = await request(app.getHttpServer())
+        .post(endpointA)
+        .set('Authorization', `Bearer ${tokenA}`)
+        .send({ path: `${fileBasePath}/output/transformed/`, sentToOds: true });
+
+      expect(res.status).toBe(201);
+
+      const saved = await prisma.runOutputFileSet.findUnique({
+        where: { uid: res.body.uid },
+      });
+      expect(saved!.path).toBe(`${fileBasePath}/output/transformed`);
+    });
+
+    it('should list S3 at the given path and save discovered files', async () => {
+      const subfolder = `${jobA.fileBasePath}/output/transformed/`;
+      fileServiceMock.listFilesAtPath.mockResolvedValueOnce([
+        { key: `${subfolder}output1.jsonl`, name: 'output1.jsonl' },
+        { key: `${subfolder}output2.jsonl`, name: 'output2.jsonl' },
+      ]);
+
+      const res = await request(app.getHttpServer())
+        .post(endpointA)
+        .set('Authorization', `Bearer ${tokenA}`)
+        .send({ path: `${fileBasePath}/output/transformed`, sentToOds: true });
+
+      expect(res.status).toBe(201);
+      expect(res.body.uid).toBeDefined();
+      expect(typeof res.body.uid).toBe('string');
+
+      expect(fileServiceMock.listFilesAtPath).toHaveBeenCalledWith(subfolder);
+
+      const saved = await prisma.runOutputFileSet.findUnique({
+        where: { uid: res.body.uid },
+      });
+      expect(saved).not.toBeNull();
+      expect(saved!.runId).toBe(runA.id);
+      expect(saved!.path).toBe(`${fileBasePath}/output/transformed`);
+      expect(saved!.files).toEqual(['output1.jsonl', 'output2.jsonl']);
+      expect(saved!.sentToOds).toBe(true);
+    });
+
+    it('should return 409 on duplicate run_id + path', async () => {
+      const subfolder = `${jobA.fileBasePath}/output/sideloaded/`;
+      fileServiceMock.listFilesAtPath.mockResolvedValue([
+        { key: `${subfolder}output1.jsonl`, name: 'output1.jsonl' },
+      ]);
+
+      const first = await request(app.getHttpServer())
+        .post(endpointA)
+        .set('Authorization', `Bearer ${tokenA}`)
+        .send({ path: `${fileBasePath}/output/sideloaded`, sentToOds: false });
+      expect(first.status).toBe(201);
+
+      const second = await request(app.getHttpServer())
+        .post(endpointA)
+        .set('Authorization', `Bearer ${tokenA}`)
+        .send({ path: `${fileBasePath}/output/sideloaded`, sentToOds: false });
+      expect(second.status).toBe(409);
+    });
+  });
+
 });

app/api/src/database/postgrator/migrations/029.do.run-output-file-set.sql

@@ -0,0 +1,9 @@
+CREATE TABLE public.run_output_file_set (
+    uid UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    run_id INTEGER NOT NULL REFERENCES public.run (id) ON DELETE CASCADE,
+    files JSONB NOT NULL,
+    sent_to_ods BOOLEAN NOT NULL DEFAULT true,
+    path TEXT NOT NULL,
+    created_on TIMESTAMP NOT NULL DEFAULT now(),
+    UNIQUE(run_id, path)
+);

app/api/src/database/postgrator/migrations/029.undo.run-output-file-set.sql

@@ -0,0 +1 @@
+DROP TABLE IF EXISTS public.run_output_file_set;

app/api/src/database/prisma/schema.prisma

@@ -265,22 +265,23 @@ model Job {
 
 /// This model or at least one of its fields has comments in the database, and requires an additional setup for migrations: Read more: https://pris.ly/d/database-comments
 model Run {
-  id                        Int             @id @default(autoincrement())
-  jobId                     Int             @map("job_id")
-  status                    RunStatus       @default(new)
-  createdById               Int?            @map("created_by_id")
-  createdOn                 DateTime        @default(now()) @map("created_on") @db.Timestamp(6)
-  modifiedById              Int?            @map("modified_by_id")
-  modifiedOn                DateTime        @default(now()) @map("modified_on") @db.Timestamp(6)
+  id                        Int                @id @default(autoincrement())
+  jobId                     Int                @map("job_id")
+  status                    RunStatus          @default(new)
+  createdById               Int?               @map("created_by_id")
+  createdOn                 DateTime           @default(now()) @map("created_on") @db.Timestamp(6)
+  modifiedById              Int?               @map("modified_by_id")
+  modifiedOn                DateTime           @default(now()) @map("modified_on") @db.Timestamp(6)
   /// [RunSummary]
-  summary                   Json?           @db.Json
+  summary                   Json?              @db.Json
   /// [UnmatchedStudentsInfo]
-  unmatchedStudentsInfo     Json?           @map("unmatched_students_info")
-  userRunCreatedByIdTouser  User?           @relation("run_created_by_idTouser", fields: [createdById], references: [id], onUpdate: NoAction)
-  job                       Job             @relation("jobRun", fields: [jobId], references: [id], onDelete: Cascade, onUpdate: NoAction)
-  userRunModifiedByIdTouser User?           @relation("run_modified_by_idTouser", fields: [modifiedById], references: [id], onUpdate: NoAction)
+  unmatchedStudentsInfo     Json?              @map("unmatched_students_info")
+  userRunCreatedByIdTouser  User?              @relation("run_created_by_idTouser", fields: [createdById], references: [id], onUpdate: NoAction)
+  job                       Job                @relation("jobRun", fields: [jobId], references: [id], onDelete: Cascade, onUpdate: NoAction)
+  userRunModifiedByIdTouser User?              @relation("run_modified_by_idTouser", fields: [modifiedById], references: [id], onUpdate: NoAction)
   runError                  RunError[]
   runOutputFile             RunOutputFile[]
+  runOutputFileSet          RunOutputFileSet[]
   runUpdate                 RunUpdate[]
 
   @@map("run")
@@ -433,6 +434,20 @@ model SchoolYearConfig {
   @@map("school_year_config")
 }
 
+model RunOutputFileSet {
+  uid       String   @id @default(dbgenerated("gen_random_uuid()")) @db.Uuid
+  runId     Int      @map("run_id")
+  /// [RunOutputFileSetFiles]
+  files     Json
+  sentToOds Boolean  @default(true) @map("sent_to_ods")
+  path      String
+  createdOn DateTime @default(now()) @map("created_on") @db.Timestamp(6)
+  run       Run      @relation(fields: [runId], references: [id], onDelete: Cascade, onUpdate: NoAction)
+
+  @@unique([runId, path])
+  @@map("run_output_file_set")
+}
+
 enum OdsAuthResponse {
   success
   error