Below are real world sequences of actions that exist in an application I'm working with that would cause the /annotations API to throw a 401 or 403 (in order of oldest to newest).

I suggest:

1. Ignore Custom Cleanser actions;
2. Ignore 401 and 403 responses on the /annotations api and let the Mitigation Copier log failure but keep processing actions.

Observed messy mitigation histories:

Approved before proposed

1. APPROVED <- Illegal, no mitigation proposal yet
2. APPDESIGN
3. APPROVED

Custom cleanser

1. CUSTOMCLEANSERPROPOSED <- Illegal, not supported through API
2. CUSTOMCLEANSERUSERCOMMENT
3. APPROVED

Multiple approvals

1. CUSTOMCLEANSERPROPOSED
2. CUSTOMCLEANSERUSERCOMMENT
3. APPROVED
4. CUSTOMCLEANSERUSERCOMMENT <- Illegal, already approved
5. CUSTOMCLEANSERPROPOSED
6. CUSTOMCLEANSERUSERCOMMENT
7. CUSTOMCLEANSERUSERCOMMENT
8. APPROVED
9. CUSTOMCLEANSERUSERCOMMENT
10. CUSTOMCLEANSERUSERCOMMENT

Proposal after approval

1. APPDESIGN
2. APPROVED
3. APPDESIGN
4. COMMENT
5. APPROVED
6. APPDESIGN
7. COMMENT
8. APPROVED
9. APPROVED
10. APPDESIGN
11. APPROVED
12. APPDESIGN
13. APPROVED
14. APPDESIGN
15. COMMENT
16. APPROVED
17. ...