runtime: add zero-idle provider broker client#7
Conversation
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ad8ba5995d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5903ad835f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 994880f546
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3df84ea2c6
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
3df84ea to
e96ce56
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e96ce56d41
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5f98eea5c2
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if hashlib.sha256(prior_raw).hexdigest() != restore_record["plist_sha256"]: | ||
| raise ValueError("prior provider broker plist digest mismatch") | ||
| _write_private_atomic(plist_path, prior_raw, mode=0o600) | ||
| if not _bootstrap_broker(plist_path) or not _broker_job_loaded(): |
There was a problem hiding this comment.
Verify restored broker before publishing rollback state
When a failed update restores the prior broker, this branch treats launchctl bootstrap plus a successful print as enough to publish the restored state, but the normal activation path also requires the socket identity and a broker ping before it reports success. If launchd accepts the prior plist but the socket is not recreated or the restored runtime exits on activation, the CLI returns restored_previous: true and writes the old state even though subsequent brokered routes remain unavailable; reuse the same socket/ping proof before declaring the previous version restored.
Useful? React with 👍 / 👎.
Summary
Add the public fail-closed client and explicit lifecycle for the workspace-canonical one-request provider broker. Managed Gemini, OpenCode, Grok, and Composer use a digest-bound launchd socket with no direct fallback; the client adds transactional install/status/rollback/uninstall, zero-idle verification, per-request OpenCode model selection, and typed cancellation/timeout handling.
This is the policy/client portion of 3.2.0. It contains no provider executor source, build credential, downloader/post-install hook, or native artifact. It does not activate a runtime.
Boundary declaration
Cross-repo and merge order
f7b584bc66b1884f873074446e73a170ab0898a1.092f49c5e51a90ee78aec9d85bbf357a25311cee; this branch was rebased onto thatmain.5f98eea5c25da1d918eaded9b2ee9b03b9194540(GitHub signature verification: valid).0b918e090290-12cbb801df0dremain downstream/provisional and were not edited, rebased, merged, rebuilt, reinstalled, activated, rolled back, or removed.Repository configuration
Generated and release surfaces
SKILL.mdfiles are in parity (build_skills.py --check).build_marketplace.py --check).changelog.d/2026-07-13-provider-broker.mdfragment present; generatedCHANGELOG.mdunchanged.Verification
python3 scripts/build_skills.py --checkpython3 scripts/build_marketplace.py --checkpython3 scripts/build-changelog.py --dry-runpython3 -m unittest discover -s tests -t . -v— 273 passedpython3 -m unittest discover -s scripts -p 'test_*.py' -v— 254 passedpython3 scripts/check_release_consistency.pypython3 scripts/secret_scan.py— 175 source text files cleanpython3 scripts/check-public-export-safety.py --active-tree --history— safepython3 -m py_compile plugins/agent-collab/runtime_client.py plugins/agent-collab/runtime_setup.py plugins/agent-collab/host_policy.pygit diff --checkNo plugin install, activation, host restart, rollback, native build, or downstream PR/build mutation was performed.
Review and post-condition
Tier 3: security-sensitive signed-runtime client, launchd lifecycle, digest/state verification, cancellation, and provider authority routing. Managed distinct-family xAI review attempts failed closed (
Cancelledwithout a verdict, then typedteardown_error), so no independent verdict is fabricated. The operator explicitly directed completion, self-merge, and release with that limitation disclosed; required deterministic and repository checks remain binding.Seven Codex review P2s were reproduced and fixed with regressions: OpenCode preflight/issuance parity, absent-root typing, full rollback restoration, no-op rollback preservation, artifact-plus-manifest immutable identity, exclusion of unverified rollback targets, and typed bounded-launchctl failures across every lifecycle entry point.
After merge, a separate generated-changelog release PR will compile 3.2.0. The signed tag publishes a policy-only archive and must not install or activate any runtime. PR #1886 remains for its owning session.
Compliance trace
author: Codex
standing_directives: public/private execution boundary, no raw or retired fallback, generated parity, fragment-only changelog, deterministic release/public-export validation, workspace-first dependency order
tier: 3
cross_check: FAILOVER — managed xAI final review returned Cancelled without a verdict, then typed teardown_error; no independent approval is claimed, and the operator explicitly directed completion after disclosure
post_condition: exact head 5f98eea passes 273 public tests, 254 script tests, policy archive/evidence, secret scan, and active/history export safety; no artifact install/activation/build or PR #1886 mutation
mcp_coverage_gap: NONE
contributor_rights: OWNER-AUTHORED
operator_reserved: yes