Skip to content

runtime: add zero-idle provider broker client#7

Merged
sumitake merged 9 commits into
mainfrom
dev/codex/provider-broker-companion
Jul 13, 2026
Merged

runtime: add zero-idle provider broker client#7
sumitake merged 9 commits into
mainfrom
dev/codex/provider-broker-companion

Conversation

@sumitake

@sumitake sumitake commented Jul 13, 2026

Copy link
Copy Markdown
Owner

Summary

Add the public fail-closed client and explicit lifecycle for the workspace-canonical one-request provider broker. Managed Gemini, OpenCode, Grok, and Composer use a digest-bound launchd socket with no direct fallback; the client adds transactional install/status/rollback/uninstall, zero-idle verification, per-request OpenCode model selection, and typed cancellation/timeout handling.

This is the policy/client portion of 3.2.0. It contains no provider executor source, build credential, downloader/post-install hook, or native artifact. It does not activate a runtime.

Boundary declaration

  • No provider executor source, raw provider command, credential, private absolute path, retired package tree, downloader, or post-install hook is included.
  • Native-runtime changes contain no artifact; implementation and credentials remain private.
  • The change does not create a host-specific preset or provider-specific plugin.
  • Broker disconnect cancels managed work, reaps provider child groups, discards partial output, and never retries disconnect-driven cancellation.

Cross-repo and merge order

  • Upstream workspace PR #1891 merged first at f7b584bc66b1884f873074446e73a170ab0898a1.
  • Public prerequisite PR release: prepare unified signed runtime activation #6 merged at 092f49c5e51a90ee78aec9d85bbf357a25311cee; this branch was rebased onto that main.
  • Exact PR head: 5f98eea5c25da1d918eaded9b2ee9b03b9194540 (GitHub signature verification: valid).
  • Workspace PR #1886 and development build 0b918e090290-12cbb801df0d remain downstream/provisional and were not edited, rebased, merged, rebuilt, reinstalled, activated, rolled back, or removed.

Repository configuration

  • Public repository remains squash-only with merged-branch deletion, signed linear history, read-only default workflow token, required checks, review-thread resolution, CodeQL, native secret scanning/push protection, and Gitleaks.
  • Full-SHA Action pinning is now enforced at the public repository setting as well as in every checked-in workflow.
  • Workspace merge settings now match its squash-only ruleset; its default workflow token can no longer approve pull-request reviews.

Generated and release surfaces

  • Skill specs and generated SKILL.md files are in parity (build_skills.py --check).
  • Claude and Codex marketplaces/manifests are in parity (build_marketplace.py --check).
  • Unique changelog.d/2026-07-13-provider-broker.md fragment present; generated CHANGELOG.md unchanged.
  • Version metadata is 3.2.0.

Verification

  • python3 scripts/build_skills.py --check
  • python3 scripts/build_marketplace.py --check
  • python3 scripts/build-changelog.py --dry-run
  • python3 -m unittest discover -s tests -t . -v — 273 passed
  • python3 -m unittest discover -s scripts -p 'test_*.py' -v — 254 passed
  • python3 scripts/check_release_consistency.py
  • python3 scripts/secret_scan.py — 175 source text files clean
  • python3 scripts/check-public-export-safety.py --active-tree --history — safe
  • Policy-only archive and deterministic checksum/SPDX evidence rehearsal — passed
  • python3 -m py_compile plugins/agent-collab/runtime_client.py plugins/agent-collab/runtime_setup.py plugins/agent-collab/host_policy.py
  • git diff --check

No plugin install, activation, host restart, rollback, native build, or downstream PR/build mutation was performed.

Review and post-condition

Tier 3: security-sensitive signed-runtime client, launchd lifecycle, digest/state verification, cancellation, and provider authority routing. Managed distinct-family xAI review attempts failed closed (Cancelled without a verdict, then typed teardown_error), so no independent verdict is fabricated. The operator explicitly directed completion, self-merge, and release with that limitation disclosed; required deterministic and repository checks remain binding.

Seven Codex review P2s were reproduced and fixed with regressions: OpenCode preflight/issuance parity, absent-root typing, full rollback restoration, no-op rollback preservation, artifact-plus-manifest immutable identity, exclusion of unverified rollback targets, and typed bounded-launchctl failures across every lifecycle entry point.

After merge, a separate generated-changelog release PR will compile 3.2.0. The signed tag publishes a policy-only archive and must not install or activate any runtime. PR #1886 remains for its owning session.

Compliance trace

author: Codex
standing_directives: public/private execution boundary, no raw or retired fallback, generated parity, fragment-only changelog, deterministic release/public-export validation, workspace-first dependency order
tier: 3
cross_check: FAILOVER — managed xAI final review returned Cancelled without a verdict, then typed teardown_error; no independent approval is claimed, and the operator explicitly directed completion after disclosure
post_condition: exact head 5f98eea passes 273 public tests, 254 script tests, policy archive/evidence, secret scan, and active/history export safety; no artifact install/activation/build or PR #1886 mutation
mcp_coverage_gap: NONE
contributor_rights: OWNER-AUTHORED
operator_reserved: yes

@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ad8ba5995d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread plugins/agent-collab/host_policy.py

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5903ad835f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread plugins/agent-collab/runtime_client.py

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 994880f546

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread plugins/agent-collab/runtime_client.py Outdated
Comment thread plugins/agent-collab/runtime_client.py Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3df84ea2c6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread plugins/agent-collab/runtime_client.py Outdated
Comment thread plugins/agent-collab/runtime_client.py
Base automatically changed from dev/codex/activation-prep to main July 13, 2026 05:42
@sumitake sumitake force-pushed the dev/codex/provider-broker-companion branch from 3df84ea to e96ce56 Compare July 13, 2026 05:47

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e96ce56d41

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread plugins/agent-collab/runtime_client.py
@sumitake

Copy link
Copy Markdown
Owner Author

@codex review exact head 5f98eea. Confirm the seven resolved lifecycle findings and look specifically for any remaining typed-failure, rollback-state, immutable-version, OpenCode provenance, or launchctl exception gap. This is advisory same-family review, not governance approval.

@sumitake sumitake merged commit 5519cf1 into main Jul 13, 2026
17 checks passed
@sumitake sumitake deleted the dev/codex/provider-broker-companion branch July 13, 2026 06:02

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5f98eea5c2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

if hashlib.sha256(prior_raw).hexdigest() != restore_record["plist_sha256"]:
raise ValueError("prior provider broker plist digest mismatch")
_write_private_atomic(plist_path, prior_raw, mode=0o600)
if not _bootstrap_broker(plist_path) or not _broker_job_loaded():

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Verify restored broker before publishing rollback state

When a failed update restores the prior broker, this branch treats launchctl bootstrap plus a successful print as enough to publish the restored state, but the normal activation path also requires the socket identity and a broker ping before it reports success. If launchd accepts the prior plist but the socket is not recreated or the restored runtime exits on activation, the CLI returns restored_previous: true and writes the old state even though subsequent brokered routes remain unavailable; reuse the same socket/ping proof before declaring the previous version restored.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant