adobe
diff --git a/‎docs/llmo-brandalf-apis/v1-v2-onboarding-consistency-safeguard.md‎
Lines changed: 684 additions & 0 deletions b/‎docs/llmo-brandalf-apis/v1-v2-onboarding-consistency-safeguard.md‎
Lines changed: 684 additions & 0 deletions
diff --git a/‎src/controllers/llmo/llmo-onboarding.js‎
Lines changed: 18 additions & 6 deletions b/‎src/controllers/llmo/llmo-onboarding.js‎
Lines changed: 18 additions & 6 deletions
diff --git a/‎src/support/customer-config-mapper.js‎
Lines changed: 1 addition & 1 deletion b/‎src/support/customer-config-mapper.js‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/support/llmo-onboarding-mode.js‎
Lines changed: 159 additions & 15 deletions b/‎src/support/llmo-onboarding-mode.js‎
Lines changed: 159 additions & 15 deletions
diff --git a/‎test/controllers/llmo/llmo-onboarding.test.js‎
Lines changed: 20 additions & 13 deletions b/‎test/controllers/llmo/llmo-onboarding.test.js‎
Lines changed: 20 additions & 13 deletions
@@ -215,7 +215,7 @@ export function buildInitialCustomerConfigV2({
   brand.baseUrl = primaryUrl;
   brand.updatedAt = timestamp;
   brand.updatedBy = updatedBy;
-  brand.urls = [{ value: primaryUrl, type: 'url' }];
+  brand.urls = [{ value: primaryUrl, type: 'base' }];
   brand.brandAliases = [{ name: brandName, regions: ['gl'] }];
 
   config.customer.customerName = brandName;
@@ -275,7 +275,7 @@ export async function ensureInitialCustomerConfigV2({
       regions: ['gl'],
       updatedAt: timestamp,
       updatedBy: resolveUpdatedBy(context),
-      urls: [{ value: primaryUrl, type: 'url' }],
+      urls: [{ value: primaryUrl, type: 'base' }],
       brandAliases: [{ name: trimmedName, regions: ['gl'] }],
     });
 
@@ -1013,6 +1013,12 @@ export async function createOrFindSite(baseURL, organizationId, context, deliver
   if (site) {
     if (site.getOrganizationId() !== organizationId) {
       site.setOrganizationId(organizationId);
+      // Persist the re-parent immediately. resolveLlmoOnboardingMode (called
+      // right after this in performLlmoOnboarding) reads sites by org_id, so
+      // the move must be visible to that query — otherwise a legacy site
+      // re-parented into a brand-new org would be classified as v2 and create
+      // an instant mixed v1/v2 state. (LLMO-4176)
+      await site.save();
     }
 
     return site;
@@ -1259,11 +1265,17 @@ export async function performLlmoOnboarding(params, context, say = () => {}) {
 
     // Create or find organization
     const organization = await createOrFindOrganization(imsOrgId, context, say);
-    const onboardingMode = await resolveLlmoOnboardingMode(organization.getId(), context);
 
-    // Create site
+    // Create site BEFORE resolving the onboarding mode. createOrFindSite may
+    // re-parent an existing site into the destination org; resolveLlmoOnboardingMode
+    // reads Site.allByOrganizationId, so the re-parent has to be persisted first
+    // (createOrFindSite saves the site in that branch). Otherwise a legacy
+    // pre-cutoff site moved into a brand-new org would be misclassified as v2
+    // and instantly create the mixed state LLMO-4176 was filed to prevent.
     site = await createOrFindSite(baseURL, organization.getId(), context, deliveryType);
 
+    const onboardingMode = await resolveLlmoOnboardingMode(organization.getId(), context);
+
     log.info(`Created site ${site.getId()} for ${baseURL} using LLMO onboarding mode ${onboardingMode}`);
 
     // Create entitlement and enrollment
@@ -1363,7 +1375,7 @@ export async function performLlmoOnboarding(params, context, say = () => {}) {
             name: brandName.trim(),
             status: 'active',
             baseSiteId: site.getId(),
-            urls: [{ value: baseURL, type: 'url' }],
+            urls: [{ value: baseURL, type: 'base' }],
             brandAliases: [{ name: brandName.trim(), regions: ['gl'] }],
           },
           postgrestClient,
@@ -1417,7 +1429,7 @@ export async function performLlmoOnboarding(params, context, say = () => {}) {
 
         const drsJob = await submitOnboardingPromptGenerationJob({
           drsClient,
-          baseUrl: baseURL,
+          baseUrl: siteConfig.getFetchConfig?.()?.overrideBaseURL || baseURL,
           brandName: brandName.trim(),
           audience,
           region: 'US',
 
@@ -134,7 +134,7 @@ export function convertV1ToV2(llmoConfig, brandName, imsOrgId) {
   });
 
   const brandRegions = allRegions.size > 0 ? Array.from(allRegions) : ['gl'];
-  const brandUrls = Array.from(allUrls).map((url) => ({ value: url, type: 'url' }));
+  const brandUrls = Array.from(allUrls).map((url) => ({ value: url, type: 'base' }));
 
   // Only create a brand if we have brand aliases
   if (brandAliases.length === 0) {
 
@@ -10,16 +10,21 @@
  * governing permissions and limitations under the License.
  */
 
-import { readFeatureFlag } from './feature-flags-storage.js';
+import { readFeatureFlag, upsertFeatureFlag } from './feature-flags-storage.js';
 
 export const LLMO_FEATURE_FLAG_PRODUCT = 'LLMO';
 export const LLMO_BRANDALF_FLAG = 'brandalf';
 export const LLMO_ONBOARDING_MODE_V1 = 'v1';
 export const LLMO_ONBOARDING_MODE_V2 = 'v2';
 
-export function normalizeLlmoOnboardingMode(mode) {
-  return mode === LLMO_ONBOARDING_MODE_V2 ? LLMO_ONBOARDING_MODE_V2 : LLMO_ONBOARDING_MODE_V1;
-}
+/**
+ * Brandalf GA cutoff in Unix epoch milliseconds (2026-04-01T00:00:00Z).
+ * Any site whose createdAt is strictly before this value is treated as v1 (legacy).
+ * Override per-environment via LLMO_BRANDALF_GA_CUTOFF_MS without a full redeploy.
+ *
+ * TEMPORARY — remove once all v1 customers have been migrated to v2.
+ */
+export const LLMO_BRANDALF_GA_CUTOFF_MS_DEFAULT = Date.UTC(2026, 3, 1);
 
 export async function readBrandalfFlagOverride(organizationId, postgrestClient) {
   if (!organizationId || !postgrestClient?.from) {
@@ -34,31 +39,170 @@ export async function readBrandalfFlagOverride(organizationId, postgrestClient)
   });
 }
 
+/**
+ * Resolves the Brandalf GA cutoff from the environment (epoch ms).
+ * Falls back to LLMO_BRANDALF_GA_CUTOFF_MS_DEFAULT if the env var is missing or invalid.
+ *
+ * TEMPORARY — remove once all v1 customers have been migrated to v2.
+ *
+ * @param {object} context - Request context
+ * @returns {number} Cutoff timestamp in milliseconds
+ */
+export function resolveBrandalfCutoffMs(context) {
+  const raw = context?.env?.LLMO_BRANDALF_GA_CUTOFF_MS;
+  if (raw === undefined || raw === null || raw === '') {
+    return LLMO_BRANDALF_GA_CUTOFF_MS_DEFAULT;
+  }
+  const parsed = Number(raw);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    context?.log?.warn?.(
+      `Invalid LLMO_BRANDALF_GA_CUTOFF_MS "${raw}", using default ${LLMO_BRANDALF_GA_CUTOFF_MS_DEFAULT}`,
+    );
+    return LLMO_BRANDALF_GA_CUTOFF_MS_DEFAULT;
+  }
+  return parsed;
+}
+
+/**
+ * Returns true if the organization has any site whose createdAt is strictly before
+ * the resolved cutoff. Sites with missing or unparseable createdAt are ignored (not
+ * treated as legacy) to avoid false positives, but logged so monitoring can pick up
+ * data-quality issues — silently swallowing them would bias the safeguard toward v2.
+ *
+ * TEMPORARY — remove once all v1 customers have been migrated to v2.
+ *
+ * @param {string} organizationId
+ * @param {object} context - Request context (must have context.dataAccess.Site)
+ * @returns {Promise<boolean>}
+ */
+export async function hasPreBrandalfSites(organizationId, context) {
+  const cutoffMs = resolveBrandalfCutoffMs(context);
+  const { Site } = context.dataAccess;
+  const log = context?.log;
+  const sites = await Site.allByOrganizationId(organizationId);
+  return sites.some((s) => {
+    const createdAt = s.getCreatedAt?.();
+    if (createdAt === null || createdAt === undefined) {
+      log?.warn?.(
+        `Site ${s.getId?.() ?? '<unknown>'} in org ${organizationId} has no createdAt — skipping legacy check`,
+      );
+      return false;
+    }
+    const ts = createdAt instanceof Date
+      ? createdAt.getTime()
+      : new Date(createdAt).getTime();
+    if (!Number.isFinite(ts)) {
+      log?.warn?.(
+        `Site ${s.getId?.() ?? '<unknown>'} in org ${organizationId} has unparseable createdAt "${createdAt}" — skipping legacy check`,
+      );
+      return false;
+    }
+    return ts < cutoffMs;
+  });
+}
+
+/**
+ * Resolves the LLMO onboarding mode (v1 or v2) for the given organization.
+ *
+ * Decision order (see decision matrix in v1-v2-onboarding-consistency-safeguard.md):
+ *  1. If brandalf=true on the org:
+ *     a. If kill switch is v1 AND org has pre-cutoff sites → revert brandalf
+ *        flag to false, log warning, return v1 (row 1 remediation).
+ *     b. Otherwise → return v2 (rows 3, 5, 7).
+ *  2. If LLMO_ONBOARDING_DEFAULT_VERSION is 'v1' → return v1 (kill switch, rows 2, 4).
+ *  3. If org has pre-cutoff sites → return v1 (legacy protection, row 6).
+ *  4. Otherwise → return v2 (new customer default, row 8).
+ *
+ * TEMPORARY — should be removed once all v1 customers have been migrated to v2.
+ *
+ * @param {string} organizationId
+ * @param {object} context - Request context
+ * @returns {Promise<'v1'|'v2'>}
+ */
 export async function resolveLlmoOnboardingMode(organizationId, context) {
-  const configuredDefault = context?.env?.LLMO_ONBOARDING_DEFAULT_VERSION;
-  const defaultMode = normalizeLlmoOnboardingMode(configuredDefault);
   const { log = console } = context || {};
   const postgrestClient = context?.dataAccess?.services?.postgrestClient;
 
-  if (configuredDefault && configuredDefault !== defaultMode) {
+  // 1. Brandalf flag check: if the org has brandalf=true, it has been
+  //    explicitly migrated to v2. Honor it — except when the kill switch
+  //    is active AND the org has pre-cutoff sites (row 1 remediation).
+  let brandalfEnabled = false;
+  try {
+    brandalfEnabled = await readBrandalfFlagOverride(organizationId, postgrestClient) === true;
+  } catch (flagError) {
     log.warn(
-      `Invalid LLMO_ONBOARDING_DEFAULT_VERSION "${configuredDefault}", falling back to ${defaultMode}`,
+      `Failed to read brandalf flag for org ${organizationId}: ${flagError.message} — proceeding with default resolution`,
     );
   }
 
-  try {
-    const override = await readBrandalfFlagOverride(organizationId, postgrestClient);
-    if (override === true) {
-      return LLMO_ONBOARDING_MODE_V2;
+  if (brandalfEnabled) {
+    const configuredDefault = context?.env?.LLMO_ONBOARDING_DEFAULT_VERSION;
+
+    // Row 1: kill switch active + pre-cutoff sites + brandalf=true
+    // → revert flag to false and force v1.
+    if (configuredDefault === LLMO_ONBOARDING_MODE_V1) {
+      try {
+        if (await hasPreBrandalfSites(organizationId, context)) {
+          try {
+            await upsertFeatureFlag({
+              organizationId,
+              product: LLMO_FEATURE_FLAG_PRODUCT,
+              flagName: LLMO_BRANDALF_FLAG,
+              value: false,
+              updatedBy: 'llmo-onboarding-mode-resolution',
+              postgrestClient,
+            });
+            log.warn(
+              `LLMO mode resolution: organization ${organizationId} has brandalf=true but also has `
+              + 'pre-cutoff sites while kill switch is active. Reverted brandalf flag to false. '
+              + 'This org has sites that require migration before it can use v2.',
+            );
+          } catch (revertError) {
+            log.error(
+              `Failed to revert brandalf flag for org ${organizationId}: ${revertError.message}. `
+              + 'Flag may still be true — manual intervention required.',
+            );
+          }
+          return LLMO_ONBOARDING_MODE_V1;
+        }
+      } catch (error) {
+        log.warn(
+          `Failed to check pre-Brandalf sites for org ${organizationId}: ${error.message}`,
+        );
+        // Cannot confirm pre-cutoff sites — fall through to v2
+        // (brandalf=true is still set, so honor the migration).
+      }
     }
-    if (override === false) {
+
+    // Rows 3, 5, 7: brandalf=true without row-1 condition → v2.
+    log.info(
+      `LLMO mode resolution: organization ${organizationId} has brandalf=true — using v2`,
+    );
+    return LLMO_ONBOARDING_MODE_V2;
+  }
+
+  // 2. Environment-level default (brandalf is false/missing from here on).
+  //    'v1' is the global kill switch; anything else defaults to v2.
+  const configuredDefault = context?.env?.LLMO_ONBOARDING_DEFAULT_VERSION;
+  if (configuredDefault === LLMO_ONBOARDING_MODE_V1) {
+    return LLMO_ONBOARDING_MODE_V1;
+  }
+  if (configuredDefault && configuredDefault !== LLMO_ONBOARDING_MODE_V2) {
+    log.warn(
+      `Invalid LLMO_ONBOARDING_DEFAULT_VERSION "${configuredDefault}", falling back to ${LLMO_ONBOARDING_MODE_V2}`,
+    );
+  }
+
+  // 3. Protect legacy customers: any org with a pre-cutoff site stays on v1.
+  try {
+    if (await hasPreBrandalfSites(organizationId, context)) {
       return LLMO_ONBOARDING_MODE_V1;
     }
   } catch (error) {
     log.warn(
-      `Failed to resolve brandalf feature flag for organization ${organizationId}: ${error.message}`,
+      `Failed to check pre-Brandalf sites for organization ${organizationId}: ${error.message}`,
     );
   }
 
-  return defaultMode;
+  return LLMO_ONBOARDING_MODE_V2;
 }
@@ -37,6 +37,10 @@ describe('LLMO Onboarding Functions', () => {
       Site: {
         findByBaseURL: sinon.stub(),
         create: sinon.stub(),
+        // Default: no pre-cutoff sites → mode resolution returns v2 (the default).
+        // Tests that need v1 mode should set LLMO_ONBOARDING_DEFAULT_VERSION='v1'
+        // in context.env to use the global kill switch.
+        allByOrganizationId: sinon.stub().resolves([]),
       },
       Organization: {
         findByImsOrgId: sinon.stub(),
@@ -1208,8 +1212,10 @@ describe('LLMO Onboarding Functions', () => {
       expect(mockDataAccess.Site.findByBaseURL).to.have.been.calledWith('https://example.com');
       expect(mockSite.getOrganizationId).to.have.been.called;
       expect(mockSite.setOrganizationId).to.have.been.calledWith('new-org-456');
-      // Note: save() is NOT called by createOrFindSite, it's the caller's responsibility
-      expect(mockSite.save).to.not.have.been.called;
+      // LLMO-4176: re-parent must be persisted before resolveLlmoOnboardingMode
+      // queries Site.allByOrganizationId, otherwise a legacy site moved into a
+      // brand-new org would be misclassified as v2.
+      expect(mockSite.save).to.have.been.calledOnce;
     });
 
     it('should not update organization ID when existing site has same organization', async () => {
@@ -1408,6 +1414,13 @@ describe('LLMO Onboarding Functions', () => {
         organizationId: 'org123',
       });
 
+      // LLMO-4176 regression guard: resolveLlmoOnboardingMode reads
+      // Site.allByOrganizationId, and that read MUST happen after the site
+      // has been created/re-parented — otherwise a legacy site moved into a
+      // brand-new org gets misclassified as v2.
+      expect(mockDataAccess.Site.allByOrganizationId)
+        .to.have.been.calledAfter(mockDataAccess.Site.findByBaseURL);
+
       // Verify site config was updated
       expect(mockSite.getConfig().updateLlmoBrand).to.have.been.calledWith('Test Brand');
       expect(mockSite.getConfig().updateLlmoDataFolder).to.have.been.calledWith('dev/example-com');
@@ -1446,7 +1459,7 @@ describe('LLMO Onboarding Functions', () => {
       });
       // Must use baseURL (matches sites.base_url), not overrideBaseURL
       expect(mockUpsertBrand.firstCall.args[0].brand.urls).to.deep.equal([
-        { value: 'https://example.com', type: 'url' },
+        { value: 'https://example.com', type: 'base' },
       ]);
       expect(mockLog.info).to.have.been.calledWith('Created initial brand "Test Brand" in normalized table for site site123');
 
@@ -1615,13 +1628,7 @@ describe('LLMO Onboarding Functions', () => {
         getQueues: sinon.stub().returns({ audits: 'audit-queue' }),
       };
 
-      const maybeSingle = sinon.stub().resolves({ data: { flag_value: false }, error: null });
-      const eqFlag = sinon.stub().returns({ maybeSingle });
-      const eqProduct = sinon.stub().returns({ eq: eqFlag });
-      const eqOrg = sinon.stub().returns({ eq: eqProduct });
-      const select = sinon.stub().returns({ eq: eqOrg });
-      mockDataAccess.services.postgrestClient.from.withArgs('feature_flags').returns({ select });
-
+      // Force v1 mode via the global kill switch — no brandalf flag lookup needed.
       mockDataAccess.Organization.findByImsOrgId.resolves(mockOrganization);
       mockDataAccess.Site.findByBaseURL.resolves(null);
       mockDataAccess.Site.create.resolves(mockSite);
@@ -1657,7 +1664,7 @@ describe('LLMO Onboarding Functions', () => {
       const context = {
         dataAccess: mockDataAccess,
         log: mockLog,
-        env: mockEnv,
+        env: { ...mockEnv, LLMO_ONBOARDING_DEFAULT_VERSION: 'v1' },
         sqs: {
           sendMessage: sinon.stub().resolves(),
         },
@@ -2725,7 +2732,7 @@ describe('LLMO Onboarding Functions', () => {
       expect(brand.status).to.equal('active');
       expect(brand.v1SiteId).to.equal('site-123');
       expect(brand.baseUrl).to.equal('https://www.example.com');
-      expect(brand.urls).to.deep.equal([{ value: 'https://www.example.com', type: 'url' }]);
+      expect(brand.urls).to.deep.equal([{ value: 'https://www.example.com', type: 'base' }]);
       expect(brand.brandAliases).to.deep.equal([{ name: 'Test Brand', regions: ['gl'] }]);
       expect(brand.updatedBy).to.equal('tester@example.com');
       expect(brand.prompts).to.deep.equal([]);
@@ -2918,7 +2925,7 @@ describe('LLMO Onboarding Functions', () => {
       expect(newBrand.status).to.equal('active');
       expect(newBrand.origin).to.equal('system');
       expect(newBrand.regions).to.deep.equal(['gl']);
-      expect(newBrand.urls).to.deep.equal([{ value: 'https://www.example.com', type: 'url' }]);
+      expect(newBrand.urls).to.deep.equal([{ value: 'https://www.example.com', type: 'base' }]);
       expect(newBrand.brandAliases).to.deep.equal([{ name: 'New Brand', regions: ['gl'] }]);
 
       expect(mockCustomerConfigV2Storage.writeCustomerConfigV2ToPostgres).to.have.been.calledOnce;