workflow#699: IaCProvider.Apply removal — design + plan + scope-lock (PR 1 of 10)

CHANGELOG.md

@@ -23,6 +23,17 @@ Configs that still reference the legacy types now fail to load with an actionabl
 
 ## [Unreleased]
 
+### Breaking changes (workflow#699 — IaCProvider.Apply hard-removal)
+
+- `interfaces.IaCProvider.Apply` removed. Plugins must implement v2 dispatch (declare `CapabilitiesResponse.compute_plan_version="v2"` via the typed RPC) and drop their `Apply` Go method.
+- `pb.IaCProviderRequired.Apply` RPC removed; `ApplyRequest`/`ApplyResponse`/`ApplyResult`/`ActionResult` proto messages deleted (`ActionStatus` enum survives — surfaced through engine-side `interfaces.ActionOutcome`).
+- `iac/wfctlhelpers/dispatch.go` package deleted (`ComputePlanVersionDeclarer`, `DispatchVersionFor`, `DispatchVersionV2`); v2 is the only supported dispatch path.
+- `cmd/iac-codemod` deleted (the v1→v2 migration tool no longer has a target).
+- `plugin/sdk.IaCProvider.EffectiveComputePlanVersion()` accessor deleted (post-cutover, "v1" is not a valid runtime value); the manifest field remains as a parse-time validation surface.
+- Load-time enforcement: `cmd/wfctl/deploy_providers.go`'s `discoverAndLoadIaCProvider` now calls the typed `Capabilities` RPC at plugin handshake (with a 10s bounded context that bypasses the adapter's lifetime cache) and rejects providers whose `compute_plan_version != "v2"`.
+- Makefile lint guard added: `grep -qE '^\s*rpc Apply\s*\(' plugin/external/proto/iac.proto` runs as part of the `lint` target so a future PR cannot silently re-introduce the deleted RPC.
+- Minimum plugin versions: aws v2.0.0+, gcp v2.0.0+, azure v2.0.0+, digitalocean v2.0.0+.
+
 ### Fixed (issue #663 — follow-up)
 
 - **`*external.RemoteModule.Dependencies()` now returns the yaml-level `dependsOn:` keys** instead of always returning `nil`. The v0.51.8 fix (PR #664) only reordered the `cfg.Modules` slice — but modular's `app.Init()` then runs its own `DependencyAware`-driven sort over the registered modules, and `RemoteModule` (the wrapper used for every external-plugin module) returned `nil` from `Dependencies()`, so modular saw every external-plugin module as a root and sorted alphabetically. BMW PR #280 image-launch surfaced this as the same `bmw-eventbus`/`bmw-stream` ordering race that v0.51.8 was supposed to close. Engine `BuildFromConfig` now filters `modCfg.DependsOn` through `filterResolvableDeps` (drops empty strings + names not present in `cfg.Modules` — the same edge-set topoSortModules used for ordering) and calls `SetDependencies(filtered)` on each module that **implements** `interface{ SetDependencies([]string) }`, but **only when the filtered slice is non-empty**, immediately after the factory returns and before `app.RegisterModule`. (Modules with no resolvable dependsOn — empty yaml + transform-injected modules whose dependsOn is all empty/ghost — are skipped, so a constructor-time default isn't clobbered with `SetDependencies(nil)`.) `RemoteModule` implements that setter, defensively copies the slice, and modular's Init() walker then reads it via the existing `Dependencies()` contract. 7 unit tests cover the `RemoteModule` contract (default-nil, plumb, empty-slice, overwrite, defensive-copy aliasing, plus two type-assertion pins for `modular.DependencyAware` and the engine's `SetDependencies` interface) plus 4 engine-level `BuildFromConfig` tests covering the production path (basic plumb + defensive copy via raw-slice recorder + back-compat skip + real-modular Init order). Built-in modules can opt in by implementing the same setter; existing behaviour is unchanged for modules that don't.

Makefile

@@ -1,4 +1,4 @@
-.PHONY: build build-ui build-go test bench bench-baseline bench-compare lint fmt vet fix install-hooks clean ko-build build-wfctl build-iac-codemod migrate-providers
+.PHONY: build build-ui build-go test bench bench-baseline bench-compare lint fmt vet fix install-hooks clean ko-build build-wfctl
 
 # Common benchmark flags
 BENCH_FLAGS = -bench=. -benchmem -run=^$$ -timeout=30m
@@ -40,9 +40,17 @@ bench-compare:
 	go test $(BENCH_FLAGS) -count=6 ./... | tee current-bench.txt
 	benchstat baseline-bench.txt current-bench.txt
 
-# Run golangci-lint
+# Run golangci-lint + workflow#699 proto guard (re-introduction of rpc
+# Apply on the IaCProviderRequired service is a regression — guarded by
+# CI so a future PR can't silently restore the deleted dispatch path).
 lint:
 	golangci-lint run --timeout=5m
+	@if grep -qE '^[[:space:]]*rpc Apply[[:space:]]*\(' plugin/external/proto/iac.proto; then \
+		echo "workflow#699: rpc Apply re-introduced in iac.proto; see decisions/0024-iac-typed-force-cutover.md"; \
+		exit 1; \
+	else \
+		echo "workflow#699 guard: rpc Apply correctly absent"; \
+	fi
 
 # Format code
 fmt:
@@ -83,51 +91,9 @@ run-admin: build
 ko-build:
 	KO_DOCKER_REPO=ko.local ko build ./cmd/server --bare --platform=linux/$(shell go env GOARCH)
 
-# Build the iac-codemod CLI (W-8 / cmd/iac-codemod). GOWORK=off keeps
-# the build self-contained: contributors with a workspace go.work file
-# that doesn't include this module shouldn't have to amend their
-# environment to run `make migrate-providers`.
-build-iac-codemod:
-	GOWORK=off go build -o iac-codemod ./cmd/iac-codemod
-
-# Workspace-wide IaC migration runner (W-8 / T8.6).
-#
-# Runs `iac-codemod lint -dry-run` against the AWS, GCP, and Azure plugin
-# repos as advisory-only checks. The plugins themselves stay un-migrated
-# at v1 (per plan §W-8: "AWS/GCP/Azure plugins are run advisory-only (no
-# `-fix`); their reports are filed as GitHub issues against the
-# respective plugin repos for activation-time triage"). For DO, run the
-# refactor-* modes manually with `-fix` against the workspace's DO
-# checkout — that migration is the subject of P-DO and is intentionally
-# excluded from this target's mechanical sweep.
-#
-# Provider paths are sibling-repo defaults; override on the command line:
-#
-#	make migrate-providers AWS=/path/to/workflow-plugin-aws \
-#	                       GCP=/path/to/workflow-plugin-gcp \
-#	                       AZURE=/path/to/workflow-plugin-azure
-AWS ?= ../workflow-plugin-aws
-GCP ?= ../workflow-plugin-gcp
-AZURE ?= ../workflow-plugin-azure
-
-migrate-providers: build-iac-codemod
-	@# iac-codemod lint exit-code semantics (review round-5 finding #7):
-	@#   0 = clean / 1 = advisory findings (continue) / 2 = parse errors (fail).
-	@# Naive `|| true` would swallow real execution failures alongside the
-	@# expected advisory findings; gate on exit code 1 specifically so a
-	@# parse-error or unknown-flag (>=2) still fails the target.
-	@echo "==> Running iac-codemod lint (advisory) against AWS plugin: $(AWS)"
-	@if [ -d "$(AWS)" ]; then ./iac-codemod lint -dry-run "$(AWS)"; ec=$$?; if [ $$ec -ne 0 ] && [ $$ec -ne 1 ]; then echo "  iac-codemod lint failed (exit=$$ec)"; exit $$ec; fi; else echo "  (skipping: $(AWS) not found)"; fi
-	@echo "==> Running iac-codemod lint (advisory) against GCP plugin: $(GCP)"
-	@if [ -d "$(GCP)" ]; then ./iac-codemod lint -dry-run "$(GCP)"; ec=$$?; if [ $$ec -ne 0 ] && [ $$ec -ne 1 ]; then echo "  iac-codemod lint failed (exit=$$ec)"; exit $$ec; fi; else echo "  (skipping: $(GCP) not found)"; fi
-	@echo "==> Running iac-codemod lint (advisory) against Azure plugin: $(AZURE)"
-	@if [ -d "$(AZURE)" ]; then ./iac-codemod lint -dry-run "$(AZURE)"; ec=$$?; if [ $$ec -ne 0 ] && [ $$ec -ne 1 ]; then echo "  iac-codemod lint failed (exit=$$ec)"; exit $$ec; fi; else echo "  (skipping: $(AZURE) not found)"; fi
-	@echo "==> migrate-providers complete (advisory-only; no files mutated)"
-
 # Clean build artifacts
 clean:
 	rm -f server
 	rm -f wfctl
-	rm -f iac-codemod
 	rm -f example/workflow-example
 	rm -rf module/ui_dist/assets module/ui_dist/index.html module/ui_dist/vite.svg