lex-apollo 0.4.25 → 0.4.27

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 96a0b3d72ad8895d264315b2da3710c323d31280cf08fe615f8db74c9c762e82
-  data.tar.gz: a6d938a7409cfd0f1b5f3a0dc6c7f1f3c0399dc93a8b7ba8ffcfff0c82536bc3
+  metadata.gz: 85cccff520bb34332f705695f5193cd55e01bb94fb680bf0a51ad81a04ec3112
+  data.tar.gz: b3370806ab160e71f3f213fb4401a6a45aa650778a29574b1cc553a9ad34d167
 SHA512:
-  metadata.gz: efd4519deb1935da01026f3149460fafd110be233f7cdaf522c1980c4cab70a2debcb4ca4ba8a7e3b5b8be0b409d94fdf566fdba6cc8bcdcc1a3ebef879ef6fe
-  data.tar.gz: b0b446a0af1010dde65247cff125c17d086ebba9cf9bd0269575fc7d94fed6eab06a2d836ee6419d742b4fe150aa7b055deefb11e6160b30bde83f79b5c63d71
+  metadata.gz: d45dd95922afbff6cf87391eca84b658359fc3b329f80cfd9404054e2e5fc7cff5b398d2b065f407ab9bff3141ba87b9f3d30e0c980e6c4625231edbf591bc18
+  data.tar.gz: 47183b00644bae505cd55c1abad707c5c86d901a38472d186bb5601eb3ec4fa0d2452715a667b3f7ebd0081d00ccb3fc3d6d6fabab61e7d146fdb2890deca7f2

data/CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## [0.4.27] - 2026-05-15
+
+### Added
+- `handle_ingest` now accepts and persists `access_scope`, `identity_principal_id`, `identity_id`, and `identity_canonical_name` to `apollo_entries`. These kwargs are injected automatically by `legion-apollo`'s identity middleware; no callers need updating. Defaults to `access_scope: 'global'` for backward compatibility.
+- `build_semantic_search_sql` accepts an optional `requesting_principal_id:` kwarg and adds an access-scope SQL filter when provided: `global` entries are always visible, `team` entries are visible when the requesting principal shares a group membership with the submitter, and `private` entries are visible only to the owning principal (checked via both `identity_principal_id` FK and an `identities` subquery for multi-provider auth).
+- `handle_query` and `retrieve_relevant` both accept and forward `requesting_principal_id:` to the SQL builder — covers the GAIA path (`handle_query`) and the direct-call path (`retrieve_relevant`).
+- Browse-mode fallback in `handle_query` (`list_entries_chronologically`) also applies the same access-scope filter when `requesting_principal_id:` is provided.
+- Private-entry dedup guard in `active_duplicate_for_hash`: when `access_scope: 'private'` and `identity_principal_id` is set, the dedup query is scoped per-principal so two different principals writing identical content each get their own row.
+
+### Fixed
+- `handle_erasure_request` now clears `identity_principal_id`, `identity_id`, and `identity_canonical_name` on confirmed (redacted) entries in addition to the existing `source_agent`/`source_provider`/`source_channel` redaction — GDPR right-to-erasure compliance gap.
+
+## [0.4.26] - 2026-05-11
+
+### Fixed
+- Handle `Sequel::UniqueConstraintViolation` in `create_candidate_entry` gracefully — a race condition during concurrent knowledge ingestion can cause two threads to pass the content_hash dedup check simultaneously and both attempt to insert the same row. On collision, the rescue block now looks up the existing winner row by content_hash (excluding archived) and returns its ID so the caller continues normally (access log, contradiction detection, etc.) instead of propagating a database error.
+- Added `Sequel::UniqueConstraintViolation` stub to the test-only Sequel shim so the race-condition rescue path is exercisable in unit tests without a live database.
+
 ## [0.4.25] - 2026-05-08
 
 ### Fixed

data/lib/legion/extensions/apollo/helpers/graph_query.rb

@@ -52,7 +52,9 @@ module Legion
             SQL
           end
 
-          def build_semantic_search_sql(limit: default_query_limit, min_confidence: default_query_min_confidence, statuses: nil, tags: nil, domain: nil, **)
+          def build_semantic_search_sql(limit: default_query_limit, min_confidence: default_query_min_confidence,
+                                        statuses: nil, tags: nil, domain: nil,
+                                        requesting_principal_id: nil, **)
             conditions = ["e.confidence >= #{min_confidence}"]
 
             if statuses&.any?
@@ -67,6 +69,23 @@ module Legion
 
             conditions << "e.knowledge_domain = '#{domain}'" if domain
 
+            if requesting_principal_id
+              pid = requesting_principal_id.to_i
+              conditions << <<~SCOPE_SQL.strip
+                (e.access_scope = 'global'
+                 OR (e.access_scope = 'private'
+                     AND (e.identity_principal_id = #{pid}
+                          OR e.identity_id IN (SELECT id FROM identities WHERE principal_id = #{pid})))
+                 OR (e.access_scope = 'team'
+                     AND EXISTS (
+                       SELECT 1 FROM identity_group_memberships igm1
+                       JOIN identity_group_memberships igm2 ON igm1.group_id = igm2.group_id
+                       WHERE igm1.principal_id = #{pid}
+                         AND igm2.principal_id = e.identity_principal_id
+                     )))
+              SCOPE_SQL
+            end
+
             where_clause = conditions.join(' AND ')
 
             <<~SQL

data/lib/legion/extensions/apollo/runners/knowledge.rb

@@ -82,7 +82,11 @@ module Legion
             }
           end
 
-          def handle_ingest(content: nil, content_type: nil, tags: [], source_agent: 'unknown', source_provider: nil, source_channel: nil, knowledge_domain: nil, submitted_by: nil, submitted_from: nil, content_hash: nil, context: {}, skip: false, **) # rubocop:disable Metrics/ParameterLists, Layout/LineLength
+          def handle_ingest(content: nil, content_type: nil, tags: [], source_agent: 'unknown', # rubocop:disable Metrics/ParameterLists
+                            source_provider: nil, source_channel: nil, knowledge_domain: nil,
+                            submitted_by: nil, submitted_from: nil, content_hash: nil, context: {},
+                            skip: false, access_scope: 'global', identity_principal_id: nil,
+                            identity_id: nil, identity_canonical_name: nil, **)
             return { status: :skipped } if skip
 
             content = normalize_text_input(content)
@@ -92,7 +96,8 @@ module Legion
             return early_error if early_error
 
             hash = content_hash || (defined?(Helpers::Writeback) ? Helpers::Writeback.content_hash(content) : nil)
-            existing = active_duplicate_for_hash(hash)
+            existing = active_duplicate_for_hash(hash, access_scope:          access_scope,
+                                                       identity_principal_id: identity_principal_id)
             if existing
               log.info("Apollo Knowledge.handle_ingest deduped entry_id=#{existing.id} source_agent=#{source_agent}")
               return { success: true, entry_id: existing.id, deduped: true }
@@ -102,7 +107,11 @@ module Legion
             content_type_sym = content_type.to_s
             metadata = ingest_metadata(tags: tags, knowledge_domain: knowledge_domain, source_agent: source_agent,
                                        source_provider: source_provider, source_channel: source_channel,
-                                       submitted_by: submitted_by, submitted_from: submitted_from)
+                                       submitted_by: submitted_by, submitted_from: submitted_from,
+                                       access_scope: access_scope,
+                                       identity_principal_id: identity_principal_id,
+                                       identity_id: identity_id,
+                                       identity_canonical_name: identity_canonical_name)
 
             corroborated, existing_id = find_corroboration(
               embedding, content_type_sym, metadata[:source_agent], metadata[:source_channel]
@@ -133,7 +142,10 @@ module Legion
             { success: false, error: e.message }
           end
 
-          def handle_query(query:, limit: Helpers::GraphQuery.default_query_limit, min_confidence: Helpers::GraphQuery.default_query_min_confidence, status: UNSET, tags: nil, domain: nil, agent_id: 'unknown', **) # rubocop:disable Layout/LineLength, Metrics/CyclomaticComplexity
+          def handle_query(query:, limit: Helpers::GraphQuery.default_query_limit, # rubocop:disable Metrics/CyclomaticComplexity, Metrics/ParameterLists
+                           min_confidence: Helpers::GraphQuery.default_query_min_confidence,
+                           status: UNSET, tags: nil, domain: nil, agent_id: 'unknown',
+                           requesting_principal_id: nil, **)
             return { success: false, error: 'apollo_data_not_available' } unless Helpers::DataModels.apollo_entry_available?
 
             entry_model = Helpers::DataModels.apollo_entry
@@ -143,19 +155,22 @@ module Legion
             log.debug("Apollo Knowledge.handle_query mode=#{browse_query?(query) ? 'browse' : 'semantic'} query_length=#{query.length} limit=#{limit} statuses=#{Array(requested_status).join(',')} status_defaulted=#{status_defaulted} tags=#{Array(tags).size} domain=#{domain || 'nil'} agent_id=#{agent_id}") # rubocop:disable Layout/LineLength
             if browse_query?(query)
               return list_entries_chronologically(query: query, limit: limit, status: requested_status,
-                                                  status_defaulted: status_defaulted, tags: tags, domain: domain)
+                                                  status_defaulted: status_defaulted, tags: tags, domain: domain,
+                                                  requesting_principal_id: requesting_principal_id)
             end
 
             embedding = embed_text(query)
             if embedding.nil?
               log.warn('Apollo Knowledge.handle_query embedding unavailable; falling back to browse query')
               return list_entries_chronologically(query: query, limit: limit, status: requested_status,
-                                                  status_defaulted: status_defaulted, tags: tags, domain: domain)
+                                                  status_defaulted: status_defaulted, tags: tags, domain: domain,
+                                                  requesting_principal_id: requesting_principal_id)
             end
 
             sql = Helpers::GraphQuery.build_semantic_search_sql(
               limit: limit, min_confidence: min_confidence,
-              statuses: Array(requested_status).map(&:to_s), tags: tags, domain: domain
+              statuses: Array(requested_status).map(&:to_s), tags: tags, domain: domain,
+              requesting_principal_id: requesting_principal_id
             )
 
             db = entry_model.db
@@ -251,7 +266,9 @@ module Legion
             { success: false, error: e.message }
           end
 
-          def retrieve_relevant(query: nil, limit: Helpers::Confidence.apollo_setting(:query, :retrieval_limit, default: 5), min_confidence: Helpers::GraphQuery.default_query_min_confidence, tags: nil, domain: nil, skip: false, **) # rubocop:disable Layout/LineLength
+          def retrieve_relevant(query: nil, limit: Helpers::Confidence.apollo_setting(:query, :retrieval_limit, default: 5),
+                                min_confidence: Helpers::GraphQuery.default_query_min_confidence,
+                                tags: nil, domain: nil, skip: false, requesting_principal_id: nil, **)
             return { status: :skipped } if skip
 
             return { success: false, error: 'apollo_data_not_available' } unless Helpers::DataModels.apollo_entry_available?
@@ -268,7 +285,8 @@ module Legion
 
             sql = Helpers::GraphQuery.build_semantic_search_sql(
               limit: limit, min_confidence: min_confidence,
-              statuses: %w[confirmed candidate], tags: tags, domain: domain
+              statuses: %w[confirmed candidate], tags: tags, domain: domain,
+              requesting_principal_id: requesting_principal_id
             )
 
             db = Helpers::DataModels.apollo_entry.db
@@ -341,10 +359,16 @@ module Legion
                       .exclude(status: 'confirmed')
                       .delete
 
-            # Redact attribution on confirmed entries (corroborated, retain knowledge)
             redacted = conn[:apollo_entries]
                        .where(source_agent: agent_id, status: 'confirmed')
-                       .update(source_agent: 'redacted', source_provider: nil, source_channel: nil)
+                       .update(
+                         source_agent:            'redacted',
+                         source_provider:         nil,
+                         source_channel:          nil,
+                         identity_principal_id:   nil,
+                         identity_id:             nil,
+                         identity_canonical_name: nil
+                       )
 
             { deleted: deleted, redacted: redacted, agent_id: agent_id }
               .tap { |result| log.info("Apollo Knowledge.handle_erasure_request deleted=#{result[:deleted]} redacted=#{result[:redacted]} agent_id=#{agent_id}") } # rubocop:disable Layout/LineLength
@@ -425,57 +449,86 @@ module Legion
             normalize_text_input(value)[0, max_length]
           end
 
-          def active_duplicate_for_hash(hash)
+          def active_duplicate_for_hash(hash, access_scope: nil, identity_principal_id: nil)
             return nil unless hash
 
-            existing = Helpers::DataModels.apollo_entry
-                                          .where(content_hash: hash)
-                                          .exclude(status: 'archived')
-                                          .first
+            dataset = Helpers::DataModels.apollo_entry
+                                         .where(content_hash: hash)
+                                         .exclude(status: 'archived')
+
+            dataset = dataset.where(identity_principal_id: identity_principal_id) if access_scope == 'private' && identity_principal_id
+
+            existing = dataset.first
             existing&.update(confidence: [existing.confidence + Helpers::Confidence.retrieval_boost, 1.0].min)
             log.debug("Apollo Knowledge.active_duplicate_for_hash matched entry_id=#{existing.id}") if existing
             existing
           end
 
-          def ingest_metadata(tags:, knowledge_domain:, source_agent:, source_provider:, source_channel:, submitted_by:, submitted_from:)
+          def ingest_metadata(tags:, knowledge_domain:, source_agent:, source_provider:, source_channel:, # rubocop:disable Metrics/ParameterLists
+                              submitted_by:, submitted_from:, access_scope: 'global',
+                              identity_principal_id: nil, identity_id: nil, identity_canonical_name: nil)
             tag_array = defined?(Helpers::TagNormalizer) ? Helpers::TagNormalizer.normalize_all(tags) : Array(tags)
             agent = truncate_for_column(source_agent, 50) || 'unknown'
 
-            { tags:            tag_array,
-              domain:          truncate_for_column(knowledge_domain || tag_array.first || 'general', 50),
-              source_agent:    agent,
-              source_provider: truncate_for_column(source_provider || derive_provider_from_agent(agent), 50),
-              source_channel:  truncate_for_column(source_channel, 100),
-              submitted_by:    truncate_for_column(submitted_by, 255),
-              submitted_from:  truncate_for_column(submitted_from, 255) }
+            { tags:                    tag_array,
+              domain:                  truncate_for_column(knowledge_domain || tag_array.first || 'general', 50),
+              source_agent:            agent,
+              source_provider:         truncate_for_column(source_provider || derive_provider_from_agent(agent), 50),
+              source_channel:          truncate_for_column(source_channel, 100),
+              submitted_by:            truncate_for_column(submitted_by, 255),
+              submitted_from:          truncate_for_column(submitted_from, 255),
+              access_scope:            access_scope || 'global',
+              identity_principal_id:   identity_principal_id.is_a?(Integer) ? identity_principal_id : nil,
+              identity_id:             identity_id.is_a?(Integer) ? identity_id : nil,
+              identity_canonical_name: identity_canonical_name&.to_s&.slice(0, 255) }
           end
 
           def create_candidate_entry(content:, content_type:, context:, metadata:, content_hash:, embedding:)
             new_entry = Helpers::DataModels.apollo_entry.create(
-              content:          content,
-              content_type:     content_type,
-              confidence:       Helpers::Confidence.initial_confidence,
-              source_agent:     metadata[:source_agent],
-              source_provider:  metadata[:source_provider],
-              source_channel:   metadata[:source_channel],
-              source_context:   json_dump(context.is_a?(Hash) ? context : {}),
-              tags:             Sequel.pg_array(metadata[:tags]),
-              status:           'candidate',
-              knowledge_domain: metadata[:domain],
-              submitted_by:     metadata[:submitted_by],
-              submitted_from:   metadata[:submitted_from],
-              content_hash:     content_hash,
-              embedding:        embedding ? Sequel.lit("'[#{embedding.join(',')}]'::vector") : nil
+              content:                 content,
+              content_type:            content_type,
+              confidence:              Helpers::Confidence.initial_confidence,
+              source_agent:            metadata[:source_agent],
+              source_provider:         metadata[:source_provider],
+              source_channel:          metadata[:source_channel],
+              source_context:          json_dump(context.is_a?(Hash) ? context : {}),
+              tags:                    Sequel.pg_array(metadata[:tags]),
+              status:                  'candidate',
+              knowledge_domain:        metadata[:domain],
+              submitted_by:            metadata[:submitted_by],
+              submitted_from:          metadata[:submitted_from],
+              content_hash:            content_hash,
+              access_scope:            metadata[:access_scope] || 'global',
+              identity_principal_id:   metadata[:identity_principal_id],
+              identity_id:             metadata[:identity_id],
+              identity_canonical_name: metadata[:identity_canonical_name],
+              embedding:               embedding ? Sequel.lit("'[#{embedding.join(',')}]'::vector") : nil
             )
-            log.info("Apollo Knowledge.handle_ingest created entry_id=#{new_entry.id} status=candidate domain=#{metadata[:domain]} source_agent=#{metadata[:source_agent]}") # rubocop:disable Layout/LineLength
+            log.info("Apollo Knowledge.handle_ingest created entry_id=#{new_entry.id} status=candidate domain=#{metadata[:domain]} source_agent=#{metadata[:source_agent]} access_scope=#{metadata[:access_scope]}") # rubocop:disable Layout/LineLength
             new_entry.id
+          rescue Sequel::UniqueConstraintViolation => e
+            # Race condition: another thread/process inserted the same content_hash between our
+            # dedup check and this insert. Fetch and return the winner's id so the caller can
+            # continue normally (access log, contradiction detection, etc.).
+            winner = Helpers::DataModels.apollo_entry
+                                        .where(content_hash: content_hash)
+                                        .exclude(status: 'archived')
+                                        .first
+            if winner
+              log.warn("Apollo Knowledge.create_candidate_entry race_dedup entry_id=#{winner.id} content_hash=#{content_hash} source_agent=#{metadata[:source_agent]}") # rubocop:disable Layout/LineLength
+              winner.id
+            else
+              handle_exception(e, level: :warn, handled: true, operation: 'apollo.knowledge.create_candidate_entry',
+                                  content_hash: content_hash)
+              nil
+            end
           end
 
           def browse_query?(query)
             query.to_s.strip.length < 3
           end
 
-          def list_entries_chronologically(query:, limit:, status:, status_defaulted:, tags:, domain:)
+          def list_entries_chronologically(query:, limit:, status:, status_defaulted:, tags:, domain:, requesting_principal_id: nil)
             log.debug("Apollo Knowledge.list_entries_chronologically limit=#{limit} statuses=#{Array(status).join(',')} status_defaulted=#{status_defaulted} tags=#{Array(tags).size} domain=#{domain || 'nil'}") # rubocop:disable Layout/LineLength
             dataset = Helpers::DataModels.apollo_entry.exclude(status: 'archived')
             requested = Array(status).map(&:to_s).reject(&:empty?)
@@ -483,6 +536,18 @@ module Legion
             dataset = dataset.where(Sequel.lit('tags && ?', Sequel.pg_array(Array(tags)))) if tags && !Array(tags).empty?
             dataset = dataset.where(knowledge_domain: domain) if domain && !domain.to_s.empty?
 
+            if requesting_principal_id
+              pid = requesting_principal_id.to_i
+              dataset = dataset.where(
+                Sequel.lit(
+                  "(access_scope = 'global' " \
+                  "OR (access_scope = 'private' AND (identity_principal_id = ? OR identity_id IN (SELECT id FROM identities WHERE principal_id = ?))) " \
+                  "OR (access_scope = 'team' AND EXISTS (SELECT 1 FROM identity_group_memberships igm1 JOIN identity_group_memberships igm2 ON igm1.group_id = igm2.group_id WHERE igm1.principal_id = ? AND igm2.principal_id = identity_principal_id)))", # rubocop:disable Layout/LineLength
+                  pid, pid, pid
+                )
+              )
+            end
+
             entries = dataset.order(Sequel.desc(:created_at)).limit(limit).all.map do |entry|
               format_entry(entry.is_a?(Hash) ? entry : entry.values)
             end

data/lib/legion/extensions/apollo/version.rb

@@ -3,7 +3,7 @@
 module Legion
   module Extensions
     module Apollo
-      VERSION = '0.4.25'
+      VERSION = '0.4.27'
     end
   end
 end

data/spec/legion/extensions/apollo/helpers/graph_query_spec.rb

@@ -65,5 +65,36 @@ RSpec.describe Legion::Extensions::Apollo::Helpers::GraphQuery do
       expect(sql).to include("'dns'")
       expect(sql).to include('&&')
     end
+
+    context 'without requesting_principal_id' do
+      it 'includes no access_scope filter' do
+        sql = described_class.build_semantic_search_sql(limit: 5, min_confidence: 0.3)
+        expect(sql).not_to include('access_scope')
+      end
+    end
+
+    context 'with requesting_principal_id' do
+      let(:sql) { described_class.build_semantic_search_sql(limit: 5, min_confidence: 0.3, requesting_principal_id: 42) }
+
+      it 'allows global entries unconditionally' do
+        expect(sql).to include("access_scope = 'global'")
+      end
+
+      it 'allows private entries owned by the principal via principal FK' do
+        expect(sql).to include('e.identity_principal_id = 42')
+      end
+
+      it 'allows private entries owned by the principal via identity subquery (multi-provider auth)' do
+        expect(sql).to include('SELECT id FROM identities WHERE principal_id = 42')
+      end
+
+      it 'allows team entries when principal shares a group with the submitter' do
+        expect(sql).to include('identity_group_memberships')
+      end
+
+      it 'wraps the entire access_scope condition in parentheses so it does not break AND chaining' do
+        expect(sql).to match(/AND \(.*access_scope.*\)/m)
+      end
+    end
   end
 end

data/spec/legion/extensions/apollo/runners/knowledge_spec.rb

@@ -321,6 +321,30 @@ RSpec.describe Legion::Extensions::Apollo::Runners::Knowledge do
           expect(result[:deduped]).to be true
           expect(result[:entry_id]).to eq('uuid-existing')
         end
+
+        it 'recovers gracefully when a concurrent ingest wins the content_hash unique constraint race' do
+          # Simulate: dedup check passes (nil — no existing entry yet), then .create
+          # raises UniqueConstraintViolation (another thread inserted between check and insert).
+          # create_candidate_entry must rescue and return the existing entry's id so the
+          # caller succeeds rather than propagating a database error.
+          race_entry = double('race_entry', id: 'uuid-race-winner')
+
+          allow(mock_entry_class).to receive(:create)
+            .and_raise(Sequel::UniqueConstraintViolation, 'duplicate key value violates unique constraint "idx_apollo_content_hash"')
+
+          collision_dataset = double('collision_dataset')
+          allow(mock_entry_class).to receive(:where).with(content_hash: anything).and_return(collision_dataset)
+          allow(collision_dataset).to receive(:exclude).with(status: 'archived').and_return(collision_dataset)
+          # First call: dedup pre-check returns nil (not yet in DB).
+          # Second call: post-collision lookup returns the winner inserted by the other thread.
+          allow(collision_dataset).to receive(:first).and_return(nil, race_entry)
+
+          result = host.handle_ingest(content: 'concurrent content', content_type: 'fact',
+                                      source_agent: 'agent-1',
+                                      content_hash: 'd3861b2862454c5a6a9e480829333841')
+          expect(result[:success]).to be true
+          expect(result[:entry_id]).to eq('uuid-race-winner')
+        end
       end
     end
 
@@ -347,6 +371,95 @@ RSpec.describe Legion::Extensions::Apollo::Runners::Knowledge do
       end
     end
 
+    context 'identity kwargs persistence' do
+      let(:mock_entry_class2) { double('ApolloEntry2') }
+      let(:mock_expertise_class2) { double('ApolloExpertise2') }
+      let(:mock_access_log_class2) { double('ApolloAccessLog2') }
+      let(:mock_entry2) { double('entry2', id: 99, embedding: nil) }
+
+      before do
+        stub_const('Legion::Data::Model::ApolloEntry', mock_entry_class2)
+        stub_const('Legion::Data::Model::ApolloExpertise', mock_expertise_class2)
+        stub_const('Legion::Data::Model::ApolloAccessLog', mock_access_log_class2)
+        scoped_ds = double('scoped_ds2', first: nil, where: double('scoped_ds2b', first: nil))
+        allow(mock_entry_class2).to receive(:where).and_return(scoped_ds)
+        allow(scoped_ds).to receive(:exclude).and_return(scoped_ds)
+        allow(mock_expertise_class2).to receive(:where).and_return(double(first: nil))
+        allow(mock_expertise_class2).to receive(:create)
+        allow(mock_access_log_class2).to receive(:create)
+        allow(host).to receive(:embed_text).and_return(nil)
+        allow(host).to receive(:find_corroboration).and_return([false, nil])
+        allow(host).to receive(:detect_contradictions).and_return([])
+      end
+
+      it 'passes identity_principal_id and access_scope through to create_candidate_entry' do
+        expect(mock_entry_class2).to receive(:create).with(
+          hash_including(identity_principal_id: 42, access_scope: 'private')
+        ).and_return(mock_entry2)
+
+        host.handle_ingest(
+          content: 'test fact', tags: [],
+          identity_principal_id: 42, identity_id: 7, identity_canonical_name: 'alice',
+          access_scope: 'private'
+        )
+      end
+
+      it 'defaults access_scope to global when not provided' do
+        expect(mock_entry_class2).to receive(:create).with(
+          hash_including(access_scope: 'global')
+        ).and_return(mock_entry2)
+
+        host.handle_ingest(content: 'test fact', tags: [])
+      end
+
+      it 'persists identity_id and identity_canonical_name' do
+        expect(mock_entry_class2).to receive(:create).with(
+          hash_including(identity_id: 7, identity_canonical_name: 'alice')
+        ).and_return(mock_entry2)
+
+        host.handle_ingest(
+          content: 'test fact', tags: [],
+          identity_principal_id: 42, identity_id: 7, identity_canonical_name: 'alice',
+          access_scope: 'private'
+        )
+      end
+    end
+
+    context 'dedup: private entries from different principals are not deduplicated' do
+      let(:mock_entry_class3) { double('ApolloEntry3') }
+      let(:mock_expertise_class3) { double('ApolloExpertise3') }
+      let(:mock_access_log_class3) { double('ApolloAccessLog3') }
+      let(:mock_entry_a) { double('entry_a', id: 7, embedding: nil) }
+      let(:mock_entry_b) { double('entry_b', id: 8, embedding: nil) }
+
+      before do
+        stub_const('Legion::Data::Model::ApolloEntry', mock_entry_class3)
+        stub_const('Legion::Data::Model::ApolloExpertise', mock_expertise_class3)
+        stub_const('Legion::Data::Model::ApolloAccessLog', mock_access_log_class3)
+        allow(mock_expertise_class3).to receive(:where).and_return(double(first: nil))
+        allow(mock_expertise_class3).to receive(:create)
+        allow(mock_access_log_class3).to receive(:create)
+        allow(host).to receive(:embed_text).and_return(nil)
+        allow(host).to receive(:find_corroboration).and_return([false, nil])
+        allow(host).to receive(:detect_contradictions).and_return([])
+        # default dedup returns nil (no duplicate) — supports chained .where for private scope
+        scoped_ds3 = double('dedup_chain3', first: nil)
+        allow(scoped_ds3).to receive(:where).and_return(double('scoped_ds3b', first: nil))
+        allow(scoped_ds3).to receive(:exclude).and_return(scoped_ds3)
+        allow(mock_entry_class3).to receive(:where).and_return(scoped_ds3)
+        # two different principals each get their own entry
+        allow(mock_entry_class3).to receive(:create).and_return(mock_entry_a, mock_entry_b)
+      end
+
+      it 'does not deduplicate private entries from different principals' do
+        result1 = host.handle_ingest(content: 'same fact', content_type: :observation,
+                                     access_scope: 'private', identity_principal_id: 1)
+        result2 = host.handle_ingest(content: 'same fact', content_type: :observation,
+                                     access_scope: 'private', identity_principal_id: 2)
+        expect(result1[:entry_id]).not_to eq(result2[:entry_id])
+      end
+    end
+
     context 'early-return warn logs' do
       let(:logger) { instance_double('Logger', debug: nil, info: nil, warn: nil) }
 
@@ -497,6 +610,37 @@ RSpec.describe Legion::Extensions::Apollo::Runners::Knowledge do
         expect(dataset).to have_received(:where).with(knowledge_domain: 'general')
       end
     end
+
+    context 'access scope forwarding' do
+      let(:mock_entry_class) { double('ApolloEntry') }
+      let(:mock_db) { double('db') }
+
+      before do
+        stub_const('Legion::Data::Model::ApolloEntry', mock_entry_class)
+        allow(Legion::LLM::Call::Embeddings).to receive(:generate)
+          .and_return({ vector: Array.new(1024, 0.1), model: 'test', provider: :ollama, dimensions: 1024, tokens: 0 })
+        allow(mock_entry_class).to receive(:db).and_return(mock_db)
+        allow(mock_db).to receive(:fetch).and_return(double(all: []))
+        allow(mock_entry_class).to receive(:where).and_return(double(update: true))
+      end
+
+      it 'forwards requesting_principal_id to build_semantic_search_sql' do
+        expect(Legion::Extensions::Apollo::Helpers::GraphQuery).to receive(:build_semantic_search_sql).with(
+          hash_including(requesting_principal_id: 42)
+        ).and_return('SELECT 1')
+        allow(mock_db).to receive(:fetch).and_return(double(all: []))
+
+        host.handle_query(query: 'test', requesting_principal_id: 42)
+      end
+
+      it 'passes nil requesting_principal_id when not provided (no filter)' do
+        expect(Legion::Extensions::Apollo::Helpers::GraphQuery).to receive(:build_semantic_search_sql).with(
+          hash_including(requesting_principal_id: nil)
+        ).and_return('SELECT 1')
+
+        host.handle_query(query: 'test')
+      end
+    end
   end
 
   describe '#normalize_text_input' do
@@ -573,6 +717,14 @@ RSpec.describe Legion::Extensions::Apollo::Runners::Knowledge do
         ).and_call_original
         host.retrieve_relevant(query: 'treatment', domain: 'clinical')
       end
+
+      it 'forwards requesting_principal_id to build_semantic_search_sql' do
+        expect(Legion::Extensions::Apollo::Helpers::GraphQuery).to receive(:build_semantic_search_sql).with(
+          hash_including(requesting_principal_id: 7)
+        ).and_return('SELECT 1')
+
+        host.retrieve_relevant(query: 'test', requesting_principal_id: 7)
+      end
     end
   end
 
@@ -842,6 +994,18 @@ RSpec.describe Legion::Extensions::Apollo::Runners::Knowledge do
         expect(result[:redacted]).to eq(2)
         expect(result[:agent_id]).to eq('agent-dead')
       end
+
+      it 'clears identity columns on confirmed (redacted) entries' do
+        expect(mock_dataset).to receive(:update).with(
+          hash_including(
+            identity_principal_id:   nil,
+            identity_id:             nil,
+            identity_canonical_name: nil
+          )
+        ).and_return(2)
+
+        host.handle_erasure_request(agent_id: 'agent-dead')
+      end
     end
 
     context 'when Sequel raises an error' do

data/spec/spec_helper.rb

@@ -13,6 +13,7 @@ require 'legion/transport'
 unless defined?(Sequel)
   module Sequel
     class Error < StandardError; end
+    class UniqueConstraintViolation < Error; end
 
     def self.pg_array(arr) = arr
     def self.lit(str, *) = str

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: lex-apollo
 version: !ruby/object:Gem::Version
-  version: 0.4.25
+  version: 0.4.27
 platform: ruby
 authors:
 - Esity