feat: event-sourced collaboration (Phase 1)

[jinhongkuan]

Summary

• Adds cross-team decision sharing via append-only JSON event files committed to git
• Dual-write adapter: in team mode, every ingest/link_commit writes an event file to .bicameral/events/{git-email}/ before updating the local DB
• Watermark-based materializer: on startup, replays peer events into the local ledger — incremental, only processes new events
• Zero merge conflicts: per-user directories + append-only files + UUID naming
• Zero handler changes: adapter factory swap is invisible to server.py and all handlers

New files

File	Purpose
events/__init__.py	Package marker
events/models.py	EventEnvelope Pydantic model
events/writer.py	EventFileWriter — atomic JSON writes to per-user dir
events/materializer.py	EventMaterializer — watermark + glob + replay
events/team_adapter.py	TeamWriteAdapter — composition wrapper
tests/test_team_events.py	20 tests covering writer, materializer, adapter, config

Modified files

File	Changes
adapters/ledger.py	get_ledger() reads .bicameral/config.yaml, returns TeamWriteAdapter when mode: team
setup_wizard.py	Solo/team mode selection, config.yaml creation, .gitignore handling

Test plan

• 20 new unit tests passing (writer, materializer, team adapter, config detection)
• Existing test suite unchanged (106 passing, pre-existing failures unaffected)
• Manual: bicameral-mcp setup → select team mode → verify config.yaml + .gitignore
• Manual: ingest in team mode → verify event file in .bicameral/events/
• Manual: copy events from another user dir → restart → verify materialized

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Added team collaboration mode for multi-user workflows alongside solo mode
  • Introduced configuration system to set and manage collaboration mode during setup
  • Event-sourced collaboration enabling team members to share and synchronize architectural decisions

• Documentation

  • Added collaboration modes guide with comparison table and configuration instructions
  • Enhanced local development setup documentation

[coderabbitai]

Warning

Rate limit exceeded

@jinhongkuan has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 3 minutes and 1 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 3 minutes and 1 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7f2771b4-de99-4c79-a66a-e56156241a88

📥 Commits

Reviewing files that changed from the base of the PR and between b678516 and 5060b7b.

📒 Files selected for processing (4)

• events/materializer.py
• events/team_adapter.py
• setup_wizard.py
• tests/test_team_events.py

📝 Walkthrough

Walkthrough

Adds a configuration-driven "team" collaboration mode: new event-sourcing components (EventEnvelope, EventFileWriter, EventMaterializer, TeamWriteAdapter), ledger factory wiring to optionally wrap the SurrealDB adapter in team mode, and setup changes to persist and respect collaboration mode.

Changes

Cohort / File(s)	Summary
Event Sourcing Package events/__init__.py, events/models.py, events/writer.py, events/materializer.py, events/team_adapter.py	New event-sourcing modules: EventEnvelope model, atomic per-author JSON EventFileWriter, watermark-driven EventMaterializer for incremental replay, and TeamWriteAdapter implementing dual-write (emit event file then delegate) with read-pass-through methods.
Ledger Adapter Factory adapters/ledger.py	Added _read_collaboration_mode(repo_path) and updated get_ledger() to construct a base SurrealDBLedgerAdapter and, when mode == team, wrap it with TeamWriteAdapter wired with EventFileWriter and EventMaterializer using .bicameral/events/ and .bicameral/local/.
Setup Wizard & Config setup_wizard.py	Introduced _select_collaboration_mode() and _write_collaboration_config(), made _ensure_gitignore(...) mode-aware (solo vs team) and rewrote gitignore block handling; run_setup() now persists mode and creates .bicameral/events/ in team mode.
Tests tests/test_team_events.py	Added comprehensive tests for writer, materializer, TeamWriteAdapter, and config detection (in-memory SurrealDB): verifies file formats, watermarking/replay ordering, event dispatch, dual-write behavior, and git-email author detection.
Docs README.md	Added "Collaboration Modes" documentation and adjusted local development/install instructions and post-install command grouping.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Factory as get_ledger()
    participant Inner as SurrealDBLedgerAdapter
    participant Team as TeamWriteAdapter
    participant Writer as EventFileWriter
    participant Materializer as EventMaterializer
    participant FS as Event Filesystem

    Factory->>Inner: instantiate SurrealDBLedgerAdapter
    Factory->>Writer: create EventFileWriter(.bicameral/events/, author)
    Factory->>Materializer: create EventMaterializer(.bicameral/events/, .bicameral/local/)
    Factory->>Team: wrap Inner with TeamWriteAdapter(Inner, Writer, Materializer)

    Team->>Inner: connect()
    Team->>Materializer: replay_new_events(inner)
    Materializer->>FS: read new event files (*.json)
    Materializer-->>Inner: call ingest_payload / ingest_commit for events

    User->>Team: ingest_payload(payload)
    Team->>Writer: write(event_type=ingest.completed, payload)
    Writer->>FS: atomic write timestamp-uuid.json
    Team->>Inner: inner.ingest_payload(payload)
    Inner-->>Team: result

    User->>Team: get_all_decisions(...)
    Team->>Inner: get_all_decisions(...)
    Inner-->>Team: decisions

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~65 minutes

Possibly related PRs

• refactor: port interfaces + source_span for drift pipeline #1 — Related changes to ledger adapter wiring and ingest_commit signature (drift_analyzer forwarding) that overlap with TeamWriteAdapter delegations.

Poem

🐰
I hop and drop an event to share,
timestamps stitched with tidy care,
teammates read what I have penned,
watermarks tell where replays end,
solo or team—our logs declare.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 24.56% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'feat: event-sourced collaboration (Phase 1)' directly summarizes the main change—adding event-sourced collaboration infrastructure for cross-team decision sharing via append-only JSON event files, which is the central theme of all file modifications.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/event-sourced-collaboration

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@events/materializer.py`:
- Around line 57-69: The single scalar watermark (watermark from
_read_watermark) is too coarse because EventFileWriter timestamps only to the
second; change the filtering logic that builds new_events (and the analogous
logic at lines 103-105) to perform per-event bookkeeping for the current
timestamp bucket: persist (or atomically store) a set of processed event
identifiers or filenames for the latest watermark-second and use
_extract_timestamp(f.name) to group by second, allowing events with timestamp ==
watermark-second to be accepted if their filename/ID is not in the persisted
processed set; update the watermark persistence API (or add a companion
persisted processed_ids set) so after processing you append processed file IDs
for that second and advance the watermark when the set is complete, and adjust
the filter to use ">" for seconds newer than watermark-second and "== and id not
in processed_ids" for the current second.

In `@events/team_adapter.py`:
- Around line 41-56: The ingest_payload and ingest_commit methods currently
write events via self._writer.write then delegate to self._inner but never
record that the local event has been materialized; after the await of
self._inner.ingest_payload(...) and self._inner.ingest_commit(...), update the
local replay cursor/state to mark that the written event has been applied (e.g.,
call your replay cursor/state API such as
self._replay_cursor.mark_applied(event_id) or update self._local_state to
include the event), ensuring this occurs only after the inner call succeeds so
replay won’t reapply the same event after restart.
- Around line 32-37: The current materialization only runs in connect(), so add
an internal async method async def _ensure_ready(self) that is idempotent and
called from every public method (e.g., read/write methods, any public API on
this adapter) to guarantee the inner adapter and materializer are initialized;
implement _ensure_ready to await a per-instance asyncio.Lock or an initialized
flag to avoid races, call await self._inner.connect() then await
self._materializer.replay_new_events(self._inner) and log as before, and set a
_ready flag so subsequent calls are no-ops; remove reliance on callers invoking
connect() and instead call await self._ensure_ready() at the start of each
public method.

In `@events/writer.py`:
- Around line 41-45: The constructor stores author_email directly into a
filesystem path which lets values with separators, '..', or absolute paths
escape the events dir; update Writer.__init__ to validate and sanitize
author_email before using it: reject or normalize inputs containing path
separators, leading slashes, or components like '..' (e.g., ensure author_email
== Path(author_email).name or apply a safe-encoding), raise ValueError for
invalid inputs, then set self._author to the sanitized value and build
self._user_dir from events_dir / sanitized_author and mkdir as before; ensure
any external callers still get a clear exception on invalid author strings.

In `@setup_wizard.py`:
- Around line 400-407: The team-mode config currently leaves SURREAL_URL and
CODE_LOCATOR_SQLITE_DB pointing to .bicameral/ledger.db and
.bicameral/code-graph.db which will be tracked; update the config generation
called after _select_collaboration_mode/_write_collaboration_config to accept
the collab_mode flag and, when collab_mode == "team", set SURREAL_URL and
CODE_LOCATOR_SQLITE_DB to files under .bicameral/local/ (e.g.,
.bicameral/local/ledger.db and .bicameral/local/code-graph.db) or add explicit
ignores for those exact paths; modify the function that writes MCP/env config
(where SURREAL_URL and CODE_LOCATOR_SQLITE_DB are emitted) to branch on
collab_mode and ensure the moved paths match what _ensure_gitignore produces.

In `@tests/test_team_events.py`:
- Around line 16-17: The test module currently uses
os.environ.setdefault("SURREAL_URL", "memory://") which can leave an existing
SURREAL_URL and cause tests to hit a persistent DB; replace this with an
unconditional override by assigning os.environ["SURREAL_URL"] = "memory://" at
module import time so the SURREAL_URL is always set to the in-memory SurrealDB
for tests (refer to the SURREAL_URL environment variable and the
tests/test_team_events.py top-level env setup).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 06293b92-42c6-4788-8add-40ed6e13ec23

📥 Commits

Reviewing files that changed from the base of the PR and between 32f9097 and 800623d.

📒 Files selected for processing (8)

• adapters/ledger.py
• events/__init__.py
• events/materializer.py
• events/models.py
• events/team_adapter.py
• events/writer.py
• setup_wizard.py
• tests/test_team_events.py

[coderabbitai]

⚠️ Potential issue | 🟠 Major

A single timestamp watermark is too coarse for these filenames.

EventFileWriter only guarantees second-level timestamps, so once the watermark is 20260410T180000Z, any event file merged later from that same second is skipped forever by the > filter here. You need per-event bookkeeping for the current timestamp bucket (or persistent processed event IDs), not a single scalar timestamp.

Also applies to: 103-105

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@events/materializer.py` around lines 57 - 69, The single scalar watermark
(watermark from _read_watermark) is too coarse because EventFileWriter
timestamps only to the second; change the filtering logic that builds new_events
(and the analogous logic at lines 103-105) to perform per-event bookkeeping for
the current timestamp bucket: persist (or atomically store) a set of processed
event identifiers or filenames for the latest watermark-second and use
_extract_timestamp(f.name) to group by second, allowing events with timestamp ==
watermark-second to be accepted if their filename/ID is not in the persisted
processed set; update the watermark persistence API (or add a companion
persisted processed_ids set) so after processing you append processed file IDs
for that second and advance the watermark when the set is complete, and adjust
the filter to use ">" for seconds newer than watermark-second and "== and id not
in processed_ids" for the current second.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Mark successful local writes as already applied.

These methods append the event file and then apply the same mutation to the local DB, but nothing records that the local event has already been materialized. After a restart, replay can apply that same event to the same ledger again. Once the inner write succeeds, record the written event in the local replay cursor/state.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@events/team_adapter.py` around lines 41 - 56, The ingest_payload and
ingest_commit methods currently write events via self._writer.write then
delegate to self._inner but never record that the local event has been
materialized; after the await of self._inner.ingest_payload(...) and
self._inner.ingest_commit(...), update the local replay cursor/state to mark
that the written event has been applied (e.g., call your replay cursor/state API
such as self._replay_cursor.mark_applied(event_id) or update self._local_state
to include the event), ensuring this occurs only after the inner call succeeds
so replay won’t reapply the same event after restart.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Validate author_email before using it as a path component.

author_email is joined directly into the filesystem path here. A value containing separators, .., or an absolute path can escape .bicameral/events/ and also breaks the materializer's */*.json scan.

Proposed fix

 class EventFileWriter:
     """Writes append-only JSON event files to a per-user directory."""
 
     def __init__(self, events_dir: Path, author_email: str) -> None:
+        if (
+            not author_email
+            or author_email in {".", ".."}
+            or any(sep in author_email for sep in ("/", "\\"))
+        ):
+            raise ValueError("author_email must be a single directory name")
         self._events_dir = events_dir
         self._author = author_email
         self._user_dir = events_dir / author_email
         self._user_dir.mkdir(parents=True, exist_ok=True)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@events/writer.py` around lines 41 - 45, The constructor stores author_email
directly into a filesystem path which lets values with separators, '..', or
absolute paths escape the events dir; update Writer.__init__ to validate and
sanitize author_email before using it: reject or normalize inputs containing
path separators, leading slashes, or components like '..' (e.g., ensure
author_email == Path(author_email).name or apply a safe-encoding), raise
ValueError for invalid inputs, then set self._author to the sanitized value and
build self._user_dir from events_dir / sanitized_author and mkdir as before;
ensure any external callers still get a clear exception on invalid author
strings.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Force the in-memory DB here instead of using setdefault().

setdefault() leaves any preexisting SURREAL_URL untouched, so this module can unexpectedly run against a persistent ledger and leak state across test runs. Use a test-scoped env override that always sets memory://.

As per coding guidelines, "Set SURREAL_URL environment variable to configure SurrealDB connection; use memory:// for tests (no persistence)".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/test_team_events.py` around lines 16 - 17, The test module currently
uses os.environ.setdefault("SURREAL_URL", "memory://") which can leave an
existing SURREAL_URL and cause tests to hit a persistent DB; replace this with
an unconditional override by assigning os.environ["SURREAL_URL"] = "memory://"
at module import time so the SURREAL_URL is always set to the in-memory
SurrealDB for tests (refer to the SURREAL_URL environment variable and the
tests/test_team_events.py top-level env setup).

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@README.md`:
- Around line 488-495: The fenced code block that shows the directory tree
starting with ".bicameral/" is missing a language tag, triggering markdownlint
MD040; update the opening fence from ``` to ```text (or another appropriate
language identifier) for the block that contains ".bicameral/ ├── events/ ..."
so the code fence declares a language and the linter passes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ec3ac789-5221-45c5-88a7-5e1ef72787bf

📥 Commits

Reviewing files that changed from the base of the PR and between b615cc0 and b678516.

📒 Files selected for processing (1)

• README.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add a language tag to the fenced block (markdownlint MD040).

At Line 488, the code fence should declare a language to satisfy lint rules.

🛠️ Proposed fix

-```
+```text
 .bicameral/
 ├── events/              ← committed to git (shared decisions)
 │   ├── pm@co.com/       ← PM's ingested PRDs and transcripts
 │   └── dev@co.com/      ← developer's commit syncs
 ├── config.yaml          ← committed (mode: solo | team)
 └── local/               ← gitignored (materialized state)

</details>

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.22.0)</summary>

[warning] 488-488: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @README.md around lines 488 - 495, The fenced code block that shows the
directory tree starting with ".bicameral/" is missing a language tag, triggering
markdownlint MD040; update the opening fence from totext (or another
appropriate language identifier) for the block that contains ".bicameral/ ├──
events/ ..." so the code fence declares a language and the linter passes.

</details>

<!-- fingerprinting:phantom:triton:hawk:07d99fa3-2b89-4bda-9949-9f584bdc7bb1 -->

<!-- This is an auto-generated comment by CodeRabbit -->