Ticket: SC-14561 — 25 - Final SA2 verification: zero legacy patterns + docs update
77 SA1 legacy patterns remain across src/backend/ (76) and tests/ (1). The CI gate already blocks new patterns on every PR. We need to reach zero to close the SA2 migration epic.
| # | PR Scope | Patterns | Files | Risk |
|---|---|---|---|---|
| 1 | Tasks (Celery) — workflows.py, reporting.py, inventory_models.py, user.py |
11 | 4 | Medium — raw session usage in async workers |
| 2 | Auth — auth.py, auth_service.py, oidc_mappings.py |
8 | 3 | High — auth critical path |
| 3 | Handlers (non-MD) — amazon_marketplace, task_handlers, business_units, custom_fields, entity_attachments, assets, model_document_templates, custom_field_rename |
12 | 8 | Medium — spread across handlers, each file small |
| 4 | Utils — report_render_helpers, event_helpers, celery_session, attestation_roles |
10 | 4 | Medium — report_render_helpers has 5 patterns |
| 5 | Loaders/Bootstrap — load_org_default_roles, load_finding_severities, load_rbac_resources, load_business_units |
12 | 4 | Low — startup scripts, rarely change |
| 6 | Notifications — email_notifications, update_notifications |
3 | 2 | Low |
| 7 | Custom field migrators + settings — permission_migrator, workflow_execution_migrator, page_layout_migrator, settings_manager |
6 | 4 | Low |
| 8 | Remaining singles — create_org, model_document task, querybuilder/stakeholders |
3 | 3 | Low |
| 9 | Test + cleanup — integration test fix, baseline refresh to zeros, docs update | 1 | 3 | Low — final PR after all above merge |
Total: 77 patterns → 0
- Each PR is reviewable in isolation (~3-12 patterns)
- Rollback scope is narrow if something breaks
- Auth (PR 2) gets dedicated review attention
- PR 9 is the gate: only merges when progress script reports zero
finding_handlers.py— already being migrated by MD in SC-15221migrations/versions/— historical migration scripts, not scannedscripts/andagents-ui/— not in scan scope
Authorize this 9-PR plan so I can start executing against SC-14561.