✅ No new issues found.

Reviewed changes — incremental review of the audit-to-ctrl migration since the prior pullfrog review at 33bd80b (fix: regex). The project.delete audit write moved out of the API handler and into the control plane, with caller identity plumbed through the proto, plus a new dashboard tRPC delete router.

• Moved audit write API → ctrl — svc/ctrl/services/project/delete_project.go now resolves the project via FindProjectById, enqueues the Restate teardown, then inserts the project.delete audit log itself (non-transactional nil tx). The API handler no longer writes the audit log.
• Actor plumbing — DeleteProjectRequest.actor (field 2, ActorInfo) added to the proto and generated Go/TS; the API builds it via ctrlclient.Actor(s) and ctrl asserts it non-nil (assert.All) and maps it back through svc/ctrl/internal/actor.
• New dashboard tRPC delete router — web/apps/dashboard/lib/trpc/routers/deploy/project/delete.ts does the workspace-scoped lookup, 404 / precondition pre-checks, then calls ctrl.project.deleteProject with an inline actor (no name, matching the create convention).
• Tests updated — the 200 handler test now asserts the ctrl RPC carried the resolved project id and ACTOR_TYPE_ROOT_KEY rather than a DB audit row, since the audit write lives in ctrl now.

The actor wiring is consistent end-to-end (API helper, dashboard inline, proto field, ctrl assertion + mapping) and mirrors the create endpoint. The prior review's note about the audit insert happening after the external enqueue and outside a transaction is unchanged — it has simply relocated from the API handler into ctrl, where the same shape applies (the Restate enqueue cannot share a DB transaction with the audit write).

ℹ️ Delete audit write in ctrl has no integration test

The create sibling has a dedicated ctrl integration test (svc/ctrl/integration/create_project_test.go) asserting the project.create audit row reaches the outbox. The delete path moved its audit write into ctrl in this delta but added no analogous test, so nothing verifies the project.delete audit log is actually emitted with the right workspace and actor. The API handler test only checks the RPC was called — it cannot see the audit write that now happens inside ctrl. Mergeable as-is; flagging for parity with create.

# Delete audit write in ctrl has no integration test

## Affected sites
- `svc/ctrl/services/project/delete_project.go:50-72` — `project.delete` audit insert, untested
- `svc/ctrl/integration/create_project_test.go` — the pattern to mirror (`TestCreateProjectWritesAuditLog`)
- `svc/api/routes/v2_projects_delete_project/200_test.go:51-56` — API test only asserts the mocked RPC call, not the audit row

## Required outcome
- An `//go:build integration` test in `svc/ctrl/integration/` that calls `project.Service.DeleteProject` with a valid actor and asserts a `project.delete` audit log lands in the outbox with the expected `WorkspaceID`, actor id/type, and resource meta (`name`/`slug`).

## Open questions for the human
- Is a ctrl integration test for delete in scope for this PR, or deferred to a follow-up? Create having one and delete not is the only asymmetry.

｜ Using Claude Opus

  ^{｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

✅ No new issues found.

Reviewed changes — incremental review of the refactor: use id instead of slug commit (db48c18) since the prior pullfrog review at fce9d28. The delete endpoint now identifies the target project by projectId rather than by slug.

• Switch delete identifier slug → id — handler.go resolves via FindProjectByWorkspaceAndId (was FindProjectByWorkspaceAndSlug), keyed on req.ProjectId and principal.WorkspaceID; the RBAC tuple still uses the resolved project.ID, so authorization is unaffected.
• Align OpenAPI request body — V2ProjectsDeleteProjectRequestBody field slug→projectId with minLength: 8, maxLength: 255, pattern: "^[a-zA-Z0-9_]+$", mirroring getProject/updateProject byte-for-byte (split + generated YAML + gen.go struct).
• Update test inputs — 200/401/403/404/412 now pass ProjectId: project.ID; 400 swaps the slug-shape cases for id-shape cases (projectId too short proj_1, invalid-char proj-1234abc, too-long 256 chars) and the malformed-JSON body to {"projectId": }.

The dashboard tRPC delete router already keyed on projectId, so it stays consistent. The remaining Slug: references in the test files are all on seed.CreateProjectRequest setup (projects still carry slugs), not on the handler request. The prior review's notes (audit write in ctrl is non-transactional / lacks an integration test) are untouched by this commit and remain non-blocking.

  ^{｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}