fix: enforce agent session safety contracts#104
Conversation
|
Adversarial exact-head review: NO-GO despite green CI. Required P1 fixes before re-review: (1) reject provider-managed/security-sensitive extraArgs overrides, including split and --flag=value forms; (2) include Claude/Cursor/AICopilot/OpenCode bypass modes in break-glass + non-empty safetyReason + persisted contract enforcement; (3) fix route-policy validation so safetyReason is a non-empty string rather than boolean true; (4) derive/validate runner agent_session_contract server-side and reject command-step, mismatch, duplicate, or fabricated events; (5) define fail-closed compatibility/migration behavior for pre-change stored records and older clients. P2: correct OpenAPI/docs typed guidance and direct-loop versus workflow-event claims. Remediation is currently blocked by @hasna/hooks worktree-guard v0.1.0 rejecting mandatory apply_patch inside valid ~/.hasna managed leases; tracked in Todos 57d2d144-6ae7-425a-9981-e848a41f803c. Do not merge until a new exact head passes two fresh independent reviews. |
|
Remediation pushed at exact head de50226. This closes the prior P1 contract findings: protected provider-managed execution options including split/equal/attached aliases; consistent manual break-glass plus non-empty reason handling; server-derived and atomically deduplicated workflow contract events; fail-closed legacy-run backfill and recovery; public typed event validation across source/OpenAPI/SDK; and corrected route defaults/docs. Evidence: stable full suite 872 pass, 27 expected opt-in live-Postgres skips, 0 fail before the final parser-only delta; post-delta focused 49/0; independent final verifier 70/0 and GO; typecheck, build/declarations, boundary, storage contracts, SDK generation, diff, Gitleaks, high-confidence credential, and CoAuth scans clean. A real two-connection PostgreSQL race regression is included in the opt-in suite and will be exercised by hosted PostgreSQL CI. Keep draft until exact-head hosted checks complete; no merge/publish/deploy/install performed. |
|
Exact-head hosted CI is green (Ubuntu, macOS, PostgreSQL including the two-connection race regression, runner image), but the second independent readiness review is NO-GO. Remaining corrective scope: complete the documented protected-option aliases; prevent legacy idempotent runs from deriving contracts from a mutable current workflow definition; make new-run creation plus complete contract persistence atomic; and require explicit break-glass evidence on the route-policy-evidence path. PR remains draft. No merge/publish/deploy/install. |
|
Corrective commit pushed at exact head 800e307. It resolves the second readiness NO-GO: complete evidenced provider aliases, explicit manual-break-glass route evidence, immutable workflow-definition provenance, atomic run+contract creation, legacy/mutated/corrupt retry conflicts, PostgreSQL concurrent first-create winner handling, and rollback after a prior contract insert. Evidence: 177 focused pass/28 opt-in live-Postgres skips/0 fail; typecheck/build/SDK/contracts/boundary/diff/credential scans green; fresh adversarial GO with no P0/P1/P3. PR remains draft until all exact-head hosted checks, especially PostgreSQL, pass. |
Summary
manualBreakGlass=trueand a non-empty safety reason for relaxed Codewith/Codex and Cursor sandboxesproviderEnforced=falseTask evidence
7ec3b0fb-fcff-4895-bf3f-cd45c2e927fb06ed0e1d-3899-4c25-a57b-a954432018d5b9bc058bc208b27a449f8b368c9b524342c6e5a0Validation
bun test: 861 passed, 26 expected live-Postgres skips, 0 failed; 887 tests, 11 snapshotsbun run typecheck: passedbun run build: passedbun run test:boundary: passedbun run check:contracts: passedgit diff --cached --check: passed before commitSafety and scope
No provider, deployment, database, release, payment, or credential mutations were performed. This PR only pushes the task feature branch and does not merge it.