feat(LLMO-4176): add brandalf flag override and decision matrix to onboarding mode resolution

[irenelagno]

Summary

Implements LLMO-4176 (epic LLMO-4054).

Rewrites resolveLlmoOnboardingMode to follow an 8-row decision matrix based on 3 inputs:

#	Default version	Pre-cutoff sites	Brandalf flag	Onboarding version	Side effects
1	v1	yes	yes	v1	Reverts brandalf to false + logs warning
2	v1	yes	no	v1	—
3	v1	no	yes	v2	—
4	v1	no	no	v1	—
5	v2	yes	yes	v2	—
6	v2	yes	no	v1	—
7	v2	no	yes	v2	—
8	v2	no	no	v2	Sets brandalf to true

Priority order: Brandalf flag (highest) → kill switch → legacy site check → default v2.

Temporary safeguard — will be removed once all v1 customers are migrated to v2.

Related PRs

⚠️ Both PRs must be merged and deployed together.

PR	Repo	What
This PR (#2171)	spacecat-api-service	Decision matrix + DRS baseUrl fix
adobe/spacecat-audit-worker#2380	spacecat-audit-worker	Fixes brand resolution to prefer baseSiteId over brand_sites join

What changed

src/support/llmo-onboarding-mode.js — Rewrites resolveLlmoOnboardingMode with 4-step logic:

1. Read brandalf flag — if true: check for Row 1 condition (kill switch + pre-cutoff → revert flag to false, return v1), otherwise return v2
2. If brandalf false/missing + kill switch LLMO_ONBOARDING_DEFAULT_VERSION=v1 → v1
3. Legacy check: org has pre-cutoff sites → v1
4. Default → v2

New exports (all TEMPORARY):

• LLMO_BRANDALF_GA_CUTOFF_MS_DEFAULT — epoch-ms constant (2026-04-01T00:00:00Z)
• resolveBrandalfCutoffMs(context) — reads cutoff from LLMO_BRANDALF_GA_CUTOFF_MS env var
• hasPreBrandalfSites(organizationId, context) — returns true if org has any site created before cutoff

src/controllers/llmo/llmo-onboarding.js — Fixes DRS baseUrl bug (NASCAR issue): passes overrideBaseURL to DRS prompt generation job when available.

Files changed

File	What
src/support/llmo-onboarding-mode.js	Decision matrix logic + Row 1 revert
src/controllers/llmo/llmo-onboarding.js	DRS baseUrl fix (overrideBaseURL)
src/support/customer-config-mapper.js	Minor fix
test/support/llmo-onboarding-mode.test.js	Rewritten unit tests (45 cases covering all 8 matrix rows)
test/controllers/llmo/llmo-onboarding.test.js	Updated mocks for new logic
test/support/slack/actions/onboard-llmo-modal.test.js	Updated mocks
test/it/shared/tests/llmo-onboarding.js	IT tests for hasPreBrandalfSites + resolveLlmoOnboardingMode
test/it/postgres/llmo-onboarding.test.js	Wire PostgREST client into IT tests
test/it/postgres/seed-data/organizations.js	Add legacy + new LLMO test orgs
test/it/postgres/seed-data/sites.js	Add sites with explicit created_at
test/it/shared/seed-ids.js	Add IDs for new test orgs/sites
docs/llmo-brandalf-apis/v1-v2-onboarding-consistency-safeguard.md	Design doc with decision matrix

Test plan

Unit tests (automated — run in CI)

npx mocha test/support/llmo-onboarding-mode.test.js
# 45 tests — all 8 matrix rows, edge cases, error handling

npx mocha test/controllers/llmo/llmo-onboarding.test.js
# 79 tests — full performLlmoOnboarding suite

Integration tests (automated — require Docker)

npx mocha --require test/it/postgres/harness.js --timeout 30000 \
  test/it/postgres/llmo-onboarding.test.js

Covers:

• hasPreBrandalfSites → true for org with pre-cutoff site
• hasPreBrandalfSites → false for org with post-cutoff site
• hasPreBrandalfSites → false for org with no sites
• resolveLlmoOnboardingMode → v1 for legacy org
• resolveLlmoOnboardingMode → v2 for new org
• resolveLlmoOnboardingMode → v1 when kill switch active

E2E validation (manual — completed on dev)

Validated on dev environment (spacecat.experiencecloud.live/api/ci) with two test orgs. Results documented in docs/llmo-brandalf-apis/e2e-test-results.md.

Test	Row	Result
Row 7: default=v2, no pre-cutoff, brandalf=true → v2	PASS
Row 8: default=v2, no pre-cutoff, no brandalf → v2 + sets flag	PASS
Row 5: default=v2, pre-cutoff, brandalf=true → v2	PASS
Row 6: default=v2, pre-cutoff, no brandalf → v1	PASS

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[github-actions]

This PR will trigger a minor release when merged.

[irenelagno]

End-to-end test results — dev environment

Environment: spacecat-dev / drs-dev / audit-worker-dev
Lambda version deployed: v5608 (confirmed via CloudWatch — mixed-state error log unique to this branch appeared)
Branch confirmed live: PR is still OPEN but code was force-deployed to dev via Lambda version publish

---

Test 1 — Legacy org stays on v1 (site cutoff protection)

Org: AE-ASSETS-ENG
Sites in org with created_at < 2026-04-01:

• aem.live — created 2023-11-22 (pre-cutoff)
• nzz.ch — created 2024-01-12 (pre-cutoff)

Test: Onboarded magneticme.com and bershka.com (both new sites) for AE-ASSETS-ENG.

Observed: Both onboarded as v1 — hasPreBrandalfSites returned true because aem.live (2023-11-22) is before the cutoff. CloudWatch confirmed:

"Created site <id> for https://www.magneticme.com using LLMO onboarding mode v1"
"Skipping v2 customer config initialization and Brandalf flow"

✅ Legacy org correctly protected from v2.

---

Test 2 — New org goes to v2 (happy path)

Setup: Set LLMO_BRANDALF_GA_CUTOFF_MS in Vault (not SM — api-service reads from HashiCorp Vault at dx_mysticat/dev/api-service, ignores /helix-deploy/spacecat-services/api-service/latest). Set cutoff to 1577836800000 (2020-01-01) so all existing org sites fall after it.

Vault warm container caveat: Even after writing to Vault, warm containers kept the old (missing) secret due to metadata baseline caching (60s metadata check, baseline set on cold start without re-fetch). Fixed by publishing Lambda version v5608 with a dummy env var change to force cold start.

Test: Onboarded lovevery.com for AE-ASSETS-ENG after cold start.

Observed: Onboarded as v2 — hasPreBrandalfSites returned false (cutoff = 2020-01-01, all sites newer). CloudWatch confirmed:

"Created site <id> for https://www.lovevery.com using LLMO onboarding mode v2"

✅ v2 path executed correctly after Vault secret propagated.

---

Test 3 — v2 onboarding end-to-end: petco.com

Test: Onboarded petco.com as v2 (same AE-ASSETS-ENG org, cutoff = 2020-01-01).

Observed: v2 config initialized, brandalf=true feature flag written to org. However, upsertBrand failed:

WARN: Failed to create initial brand in normalized table: Failed to sync brand_sites: 
new row for relation "brand_sites" violates check constraint "brand_sites_type_check"

Root cause: llmo-onboarding.js was passing urls: [{ value: baseURL, type: 'url' }] but PR #2149 (merged Apr 9) added brand_sites_type_check which only allows 'base' and 'localized'. This prevented brand creation → audit-worker couldn't resolve brandId → DRS brand-presence scheduler returned 422.

Fix: Committed as part of this PR — all 4 callsites (llmo-onboarding.js ×3, customer-config-mapper.js ×1) changed to type: 'base'.

---

Test 4 — Kill switch (LLMO_ONBOARDING_DEFAULT_VERSION=v1)

Not tested live on dev, but covered by the 36-case unit test suite and IT tests. The kill switch skips the hasPreBrandalfSites DB call entirely and returns v1 immediately.

---

Key operational notes discovered during testing

1. SM writes have no effect — dx_mysticat/dev/api-service in Vault is the authoritative secret source. Writing to /helix-deploy/spacecat-services/api-service/latest in SM is silently ignored.
2. Vault cache requires cold start to pick up new secrets reliably. Publish a new Lambda version (or change a dummy env var) after writing to Vault.
3. LLMO_BRANDALF_GA_CUTOFF_MS env var must be set in Vault (not SM) for dev/stage/prod. Default in code is 2026-04-01T00:00:00Z (1743465600000).
4. Orphan pre-cutoff sites in an org (e.g. aem.live in AE-ASSETS-ENG) will force all new onboardings for that org to v1 — even if the intent is to add a new LLMO customer. This is expected behavior per the safeguard design; the monitoring script (separate PR) is needed to identify and resolve these cases.

[irenelagno]

Behaviour & environment variable reference

How the safeguard works

resolveLlmoOnboardingMode(organizationId, context) runs on every /llmo/onboard call and returns 'v1' or 'v2' using this decision tree:

1. LLMO_ONBOARDING_DEFAULT_VERSION == 'v1'?
   └─ YES → return v1 immediately (kill switch, no DB call)

2. hasPreBrandalfSites(organizationId)?
   ├─ YES → check brandalf feature flag for mixed-state warning
   │        └─ return v1
   └─ NO  → continue

3. return v2 (default for new orgs)

hasPreBrandalfSites queries all sites for the org (not just LLMO-enrolled) and returns true if any site has created_at < LLMO_BRANDALF_GA_CUTOFF_MS. A single legacy site in an org is enough to force all future onboardings in that org to v1.

---

Environment variables

Variable	Where	Required	Description
LLMO_BRANDALF_GA_CUTOFF_MS	Vault (dx_mysticat/<env>/api-service)	No	Epoch-ms cutoff. Sites created before this timestamp classify an org as legacy (v1). Defaults to 1743465600000 (2026-04-01T00:00:00Z) if not set.
LLMO_ONBOARDING_DEFAULT_VERSION	Vault	No	Global kill switch. Set to 'v1' to force all onboardings to v1 regardless of site dates (skips DB lookup entirely). Leave unset for normal operation.

Both variables are optional. The system works out of the box with the hardcoded default cutoff of 2026-04-01.

---

What each mode does

v1 path (hasPreBrandalfSites = true):

• Creates site, entitlement, enrollment ✓
• Enables audits including llmo-customer-analysis ✓
• Submits DRS prompt generation job with onboardingMode='v1' ✓
• brandalf feature flag NOT set on org
• upsertBrand NOT called (no brand in PostgREST)
• No Brandalf flow triggered
• Downstream: DRS writes v1 aiTopics config → triggers llmo-customer-analysis → brand-presence schedule created with site_id only (no brand_id needed for v1)

v2 path (hasPreBrandalfSites = false):

• Creates site, entitlement, enrollment ✓
• Enables audits ✓
• Writes v2 customer config to PostgREST ✓
• Sets brandalf=true feature flag on org ✓
• Calls upsertBrand → creates brand row in brands + brand_sites tables with type='base' ✓
• Triggers Brandalf onboarding job via DRS ✓
• Submits DRS prompt generation job with onboardingMode='v2' ✓
• Downstream: audit-worker resolves brand_id from PostgREST → brand-presence schedule created with brand_id + spacecat_org_id

---

Mixed-state detection

If an org has brandalf=true and hasPreBrandalfSites=true — onboarding is forced to v1 but a log.error is emitted:

LLMO mode resolution: organization <id> has brandalf=true but also a pre-Brandalf-GA site.
Forcing v1 will create a mixed v1/v2 state — manual remediation required.

This is a monitoring signal. Onboarding itself succeeds (v1 path). Remediation requires manually auditing which sites in the org are pre/post-cutoff.

---

Operational notes

1. LLMO_BRANDALF_GA_CUTOFF_MS lives in Vault, not in SM (/helix-deploy/spacecat-services/api-service/latest). SM writes are silently ignored by the api-service.
2. Vault changes require a cold start to take effect on warm Lambda containers. Force one by updating the Lambda description + publishing a new version + updating the latest alias.
3. 2026-04-01 is the GA date — any org with a site created before that date is considered a legacy v1 org. This date should not need to change unless the Brandalf GA date was set incorrectly.
4. This safeguard is temporary — it will be removed once all v1 customers are migrated to v2. The TEMPORARY annotations in code mark the removal points.

---

Dev test results (2026-04-13)

Test	Org	Earliest site	Result
v2 new org	ACCF1A6467D1F49A0A49400C@AdobeOrg	apollo.com (2025-11-20) — initially tested with wrong Vault cutoff	✅ v2 after Vault cleanup
v1 legacy org	ACCF1A6467D1F49A0A49400C@AdobeOrg	apollo.com (2025-11-20) < 2026-04-01	✅ v1 with default cutoff
Mixed-state blocked	AE-ASSETS-ENG	aem.live (2023-11-22) + brandalf=true	✅ mixed-state error logged, forced v1

🤖 Generated with Claude Code

[irenelagno]

Related PRs

audit-worker fix (required for v1 onboarding to work end-to-end):
adobe/spacecat-audit-worker#2380

Why both PRs are needed

PR	Repo	What it does
This PR (#2171)	spacecat-api-service	Adds resolveLlmoOnboardingMode safeguard — forces v1 for orgs with pre-Brandalf sites even when brandalf=true flag is set
#2380	spacecat-audit-worker	Fixes llmo-customer-analysis to respect onboardingMode='v1' from auditContext instead of re-checking isBrandalfEnabled independently

Without the audit-worker fix, mixed-state orgs (brandalf flag = true, but pre-Brandalf sites present) will always fail brand-presence schedule creation with DRS 422 — even though api-service correctly chose the v1 onboarding path.

[aniham]

Hi Iryna!! Notes from Cursor:

What works well

1. Re-parent then resolve mode — Moving resolveLlmoOnboardingMode to after createOrFindSite, plus await site.save() when setOrganizationId runs, is the right fix. Without that, Site.allByOrganizationId can miss a legacy site that was just moved into a “new” org and the mixed-state bug reappears.

2. Decision logic matches the stated matrix — Brandalf-first, row-1 remediation (kill switch + pre-cutoff + brandalf=true), then global v1 default, then legacy cutoff, then v2, is coherent and matches the long-form design doc.

3. hasPreBrandalfSites data-quality behavior — Treating missing / unparseable createdAt as “not legacy” avoids false v1 positives, while logging those cases is the right bias for a safeguard.

4. Operational resilience — Flag read failures fall back to the rest of the pipeline; site-list failures in the non–brandalf=true path fall back to v2; row-1 upsertFeatureFlag failure still returns v1 (best-effort revert). Defensible as long as the team understands the tradeoffs.

5. Tests — Large rewrite of llmo-onboarding-mode.test.js, controller mock defaults (allByOrganizationId), IT wiring for real created_at, and the compression IT comment explain Node / undici / payload-size behavior instead of hiding a flake.

6. Cross-service awareness — Calling out spacecat-audit-worker#2380 as a co-deploy requirement is essential; the design doc explains why.

---

Issues and suggestions (by severity)

1. Misleading warning when revert fails (row 1)

After a failed upsertFeatureFlag, the code can still log that the flag was reverted. If the upsert failed, brandalf may still be true, so the message can mislead incident response.

Suggestion: Only log “reverted” when upsert succeeds, or split messages (“attempting revert” / “revert succeeded” / “revert failed — flag may still be true”).

2. hasPreBrandalfSites loads all sites -- ani comment: i don't think we need to care about this one

Site.allByOrganizationId + .some() is correct and simple, but for very large orgs this is O(n) rows per onboarding. If this path becomes hot, an “any site before cutoff” query (or LIMIT 1 with created_at < cutoff) would scale better. Fine for an initial safeguard unless orgs already have huge site counts.

3. brandalf=true + kill switch v1 + hasPreBrandalfSites throws → v2

If the legacy check throws while brandalf is still true and the kill switch is v1, resolution returns v2 and never enters row 1. Documented as “honor migration when uncertain,” but it opposes the kill switch in the narrow DB-flaky case. Worth a short comment in code next to the catch so future edits do not “fix” it blindly.

4. type: 'url' → type: 'base' — contract scope -- ani comment: i don't think we need to care about this one

Updates onboarding-created configs and v1→v2 mapping in customer-config-mapper.js. Confirm in review that no consumer still requires type: 'url' for these objects (including repos outside this service if anything reads raw config).

5. IT: temporary org insert -- ani comment: i think that one is dumb, just leaving here for completeness

The “empty org” test inserts and deletes by id; fine for serialized IT. Parallel runs against one DB could theoretically collide on hardcoded ids—not a blocker under current harness assumptions.

[solaris007]

🎉 This PR is included in version 1.441.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀