feat: deployment-wide default model and default plan model

[bleleve]

Summary

Extends the existing model_preferences table with default_model and default_plan_model columns. Surfaces them via a new section in Settings → Models so the deployment-wide defaults are configurable from the UI instead of being scattered across Terraform env vars on each worker.

Why: with plan-mode (PR #671), every deployment now needs two default models — one for build turns, one for plan turns. The control-plane is the natural source of truth (already serves enabledModels via /model-preferences). The bots and the web UI read from this single place instead of each worker carrying its own DEFAULT_MODEL env var that must be kept in sync.

What's in this PR

• D1 migration 0021_add_default_models_to_model_preferences.sql adds two nullable columns via ALTER TABLE ADD COLUMN. Existing deployments keep working because the read path falls back to the env var, then to the shared library constant.
• db/model-preferences.ts extended to read/write the new fields atomically across the three-field tuple.
• GET /model-preferences now returns { enabledModels, defaultModel, defaultPlanModel }; PUT validates defaultModel ∈ enabledModels.
• Web Settings → Models gets a new "Default Models" section with two combobox pickers. Disabling a model that's the current default is blocked inline.
• Terraform: production workers gain DEFAULT_MODEL (control-plane, which didn't have one) and DEFAULT_PLAN_MODEL (all four). These remain fallbacks — the DB value wins when set.
• docs/GETTING_STARTED.md gets a "Configure Default Models" subsection.

Stack

Stack: A → B → { C | D | E | F }
Depends on: A (#671) — plan-mode backend (foundation)
Required by: C / D / E / F (each reads defaultPlanModel for plan-mode flows)

Test plan

• npm run typecheck (workspace) — green
• npm run lint — green
• npm test -w @open-inspect/shared — 183/183
• npm test -w @open-inspect/control-plane — 1162/1162 (incl. 14 new model-preferences tests)
• npm test -w @open-inspect/web — 259/259

Migration safety

The ALTER TABLE ADD COLUMN ... DEFAULT NULL migration is purely additive. Code reads defaultModel / defaultPlanModel with fallback chain DB > env var > shared constant, so un-migrated instances keep working transparently.

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Plan mode: save versioned agent plans that persist, require approval/rejection/amendment, and can gate execution; plan vs build model selection with resume context.
  • Model preferences: web UI pickers for default plan/build models with fallback when control plane is unreachable.

• Documentation

  • Updated getting-started Terraform/CI steps and detailed plan-mode + prompt-safety guides.

• Tests

  • Expanded unit/integration tests covering plan workflows, model-preferences, and prompt-safety.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds plan-first HITL: persisted versioned plans, approval/amend flows, model-preferences defaults with fallback, control-plane plan APIs and internal routes, message-queue dispatch gating with resumeContext, sandbox plan saving and prompt-safety wrappers, web UI defaults, DB migrations, and tests.

Changes

Plan-Mode HITL Workflows

Layer / File(s)	Summary
Type contracts, shared defaults, prompt-safety, and docs packages/shared/src/types/index.ts, packages/shared/src/models.ts, packages/shared/src/model-defaults.ts, packages/shared/src/prompt-safety.ts, docs/PLAN_MODE.md, docs/HOW_IT_WORKS.md, docs/GETTING_STARTED.md	Adds plan-related types, model-default utilities with per-field fallback, prompt-safety helpers for embedding untrusted content, model alias/command parsing, and documentation for plan-mode behavior and setup.
Database schema & migrations packages/control-plane/src/session/schema.ts, terraform/d1/migrations/0021_add_default_models_to_model_preferences.sql	Adds plans table and session plan columns (plan_mode, plan_approval_status, plan_model, plan_cost_snapshot), updates migrations, and adjusts test cleanup.
Model preferences store & API packages/control-plane/src/db/model-preferences.ts, packages/control-plane/src/routes/model-preferences.ts, packages/control-plane/src/routes/model-preferences.test.ts, packages/control-plane/test/integration/model-preferences.test.ts	Implements ModelPreferences shape, getPreferences()/setPreferences() with validation, GET/PUT routes computing effective defaults via DB→env→shared fallback, and unit/integration tests.
Session repository: plan persistence & helpers packages/control-plane/src/session/repository.ts, packages/control-plane/src/session/repository.test.ts	Extends UpsertSessionData with plan fields, persists plan columns, normalizes branch names, adds plan CRUD (savePlan, getCurrentPlan, listPlans, getPlanByVersion), approval/status helpers, and tests.
PlanService: save/approve/reject packages/control-plane/src/session/services/plan.service.ts, packages/control-plane/src/session/services/plan.service.test.ts	Implements PlanService (trim/size/dedup semantics, approval gating, approve/reject with optional model/effort overrides, snapshots, events) and tests covering edge cases.
Control-plane plans handler & router wiring packages/control-plane/src/session/http/handlers/plans.handler.ts, packages/control-plane/src/session/http/handlers/plans.handler.test.ts, packages/control-plane/src/router.ts, packages/control-plane/src/session/http/routes.ts	Adds PlansHandler factory with save/get/list/approve/reject endpoints, strict parsing/validation, broadcasting, error mapping; router exposes public plan endpoints and forwards to session internal routes; tests added.
Session internal routes and init packages/control-plane/src/session/contracts.ts, packages/control-plane/src/session/initialize.ts, packages/control-plane/src/session/http/handlers/session-lifecycle.handler.ts, packages/control-plane/src/session/http/routes.ts	Adds internal path constants and internal routes for plan actions; extends SessionInitInput and lifecycle handler to accept/validate planMode/planModel and persist them on init.
Session Durable Object plan wiring packages/control-plane/src/session/durable-object.ts	DO lazily creates PlanService/PlansHandler, wires internal plan routes, enriches session state with plan-mode fields and currentPlan, and centralizes inactivity-timeout parsing.
Message queue gating & failures packages/control-plane/src/session/message-queue.ts, packages/control-plane/src/session/message-queue.test.ts	Adds per-prompt planMode flag, toggles session plan state, gates dispatch into planning turns selecting plan-preferred model and adding resumeContext, and refactors failure handling to map structured reasons to user-facing messages; tests updated.
Sandbox runtime: AgentBridge plan saving & prompt safety packages/sandbox-runtime/src/sandbox_runtime/bridge.py, packages/sandbox-runtime/tests/*	AgentBridge builds resume/planning preambles, escapes closing tags, buffers OpenCode token snapshots, best-effort POSTs assembled plan to control plane, appends PROMPT_SUFFIX only on first prompt, adds SSE watchdog/observability and retries; unit tests added.
Web UI model settings & hooks packages/web/src/components/settings/models-settings.tsx, packages/web/src/hooks/use-enabled-models.ts, packages/web/src/lib/session-list.test.ts	ModelsSettings supports defaultModel/defaultPlanModel, blocks disabling current defaults, adds combobox pickers; useEnabledModels returns effective defaults with shared fallbacks; tests updated.
Tests, fixtures, Terraform various packages/control-plane and packages/sandbox-runtime tests, terraform/environments/production/*.tf	Extensive tests added/updated for plans flow, fixtures include plan-related session fields, and Terraform plaintext bindings add DEFAULT_MODEL and DEFAULT_PLAN_MODEL for workers.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant ControlPlane
  participant SessionDO
  participant Repository
  participant Sandbox
  Client->>ControlPlane: POST /sessions/:id/plan (savePlan)
  ControlPlane->>SessionDO: forward to /internal/plan (savePlan)
  SessionDO->>Repository: savePlan -> insert plan row
  SessionDO->>ControlPlane: broadcast plan_status (awaiting_approval)
  Client->>ControlPlane: POST /plan/approve
  ControlPlane->>SessionDO: forward to /internal/planApprove
  SessionDO->>Repository: updatePlanApprovalStatus & snapshotPlanCost
  SessionDO->>Sandbox: dispatch implementation prompt (flush)
  Sandbox->>SessionDO: execution_complete (with plan artifact)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Possibly related PRs

• ColeMurray/background-agents#587: Introduced SessionInitInput refactor used when adding planMode/planModel.

Suggested reviewers

• ColeMurray
• open-inspect

🐰 "I hid the plan in tokens neat,
then posted it for teams to meet;
with safety wraps and defaults set,
approvals steer where agents get."

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

[coderabbitai]

Actionable comments posted: 11

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/web/src/components/settings/models-settings.tsx (1)

61-62: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Only set dirty when a toggle actually changes state.

Line 61 and Line 88 mark the form dirty even when disabling is blocked (default model guard) or the action is a no-op. That enables “Save” despite unchanged preferences.

Proposed adjustment

   const toggleModel = (modelId: string) => {
     setToggleError(null);
     setEnabledModels((prev) => {
       const next = new Set(prev);
       if (next.has(modelId)) {
         if (next.size <= 1) return prev;
         if (modelId === defaultModel || modelId === defaultPlanModel) {
           setToggleError(
             `"${formatModelNameLower(modelId)}" is the current default — pick a different default before disabling.`
           );
           return prev;
         }
         next.delete(modelId);
+        setDirty(true);
       } else {
         next.add(modelId);
+        setDirty(true);
       }
       return next;
     });
-    setDirty(true);
   };
...
   const toggleCategory = (category: (typeof MODEL_OPTIONS)[number], enable: boolean) => {
     setToggleError(null);
     setEnabledModels((prev) => {
       const next = new Set(prev);
       let blockedDefault: string | null = null;
+      let changed = false;
       for (const model of category.models) {
         if (enable) {
-          next.add(model.id);
+          if (!next.has(model.id)) {
+            next.add(model.id);
+            changed = true;
+          }
         } else {
           if (model.id === defaultModel || model.id === defaultPlanModel) {
             blockedDefault = model.id;
             continue;
           }
-          next.delete(model.id);
+          if (next.delete(model.id)) changed = true;
         }
       }
       if (next.size === 0) return prev;
       if (blockedDefault) {
         setToggleError(
           `"${formatModelNameLower(blockedDefault)}" is the current default — pick a different default before disabling.`
         );
       }
+      if (changed) setDirty(true);
       return next;
     });
-    setDirty(true);
   };

Also applies to: 88-89

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/web/src/components/settings/models-settings.tsx` around lines 61 -
62, The handler currently calls setDirty(true) even when a toggle is a no-op or
disabled by the default-model guard; update the toggle logic (the function that
updates models and calls setDirty, e.g., the model-toggle handler that calls
setModels and setDirty) to first compare the intended new enabled state with the
current state and return early if they are identical or if disabling is blocked,
only proceeding to call setModels and then setDirty(true) when an actual change
occurs; ensure the default-model guard prevents state changes and that setDirty
is only invoked after a successful state mutation.

🧹 Nitpick comments (2)

packages/web/src/components/settings/models-settings.tsx (1)

36-41: ⚡ Quick win

Move initial SWR-to-state sync out of render.

Line 36 performs render-phase state updates. In React, this is safer and more predictable in an effect.

Proposed refactor

-import { useMemo, useState } from "react";
+import { useEffect, useMemo, useState } from "react";
...
-  // Sync SWR data into local state once on initial load
-  if (data && !initialized) {
-    setEnabledModels(new Set(data.enabledModels));
-    if (data.defaultModel) setDefaultModel(data.defaultModel);
-    if (data.defaultPlanModel) setDefaultPlanModel(data.defaultPlanModel);
-    setInitialized(true);
-  }
+  useEffect(() => {
+    if (!data || initialized) return;
+    setEnabledModels(new Set(data.enabledModels));
+    if (data.defaultModel) setDefaultModel(data.defaultModel);
+    if (data.defaultPlanModel) setDefaultPlanModel(data.defaultPlanModel);
+    setInitialized(true);
+  }, [data, initialized]);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/web/src/components/settings/models-settings.tsx` around lines 36 -
41, The render is performing state updates when SWR data arrives; move that sync
into an effect: create a useEffect that depends on [data, initialized], and
inside it, if (data && !initialized) call setEnabledModels(new
Set(data.enabledModels)), setDefaultModel(data.defaultModel) (if present),
setDefaultPlanModel(data.defaultPlanModel) (if present), and
setInitialized(true); remove the inline state updates from the render path so
only the useEffect containing setEnabledModels, setDefaultModel,
setDefaultPlanModel, and setInitialized handles initializing state from data.

packages/control-plane/src/session/durable-object.ts (1)

779-779: ⚡ Quick win

Extract the default inactivity timeout into a named constant.

Line 779 restates the default timeout literal inline. Please define it once as a constant and reuse it here.

♻️ Proposed refactor

+const DEFAULT_SANDBOX_INACTIVITY_TIMEOUT_MS = 900_000;
+
 const config = {
   ...DEFAULT_LIFECYCLE_CONFIG,
@@
       inactivity: {
         ...DEFAULT_LIFECYCLE_CONFIG.inactivity,
-        timeoutMs: parseInt(this.env.SANDBOX_INACTIVITY_TIMEOUT_MS || "900000", 10),
+        timeoutMs: parseInt(
+          this.env.SANDBOX_INACTIVITY_TIMEOUT_MS ||
+            String(DEFAULT_SANDBOX_INACTIVITY_TIMEOUT_MS),
+          10
+        ),
       },

As per coding guidelines, "Define each default timeout value exactly once as a named constant and import it everywhere rather than restating literal values".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/control-plane/src/session/durable-object.ts` at line 779, Define a
single named constant for the default sandbox inactivity timeout (e.g.,
SANDBOX_INACTIVITY_TIMEOUT_MS_DEFAULT = 900000) and export it from a shared
constants module or at top of this file, then replace the inline literal in the
existing timeout parsing (the expression currently:
parseInt(this.env.SANDBOX_INACTIVITY_TIMEOUT_MS || "900000", 10)) to use the
constant (e.g., parseInt(this.env.SANDBOX_INACTIVITY_TIMEOUT_MS ??
String(SANDBOX_INACTIVITY_TIMEOUT_MS_DEFAULT), 10)), updating any other
occurrences to import/use the same constant.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/PLAN_MODE.md`:
- Around line 133-150: The fenced ASCII diagram block starting with "`@mention` /
label / web prompt" and ending with "approve / reject / amend  ──▶ next prompt
runs as build" is missing a language tag (MD040); update the opening fence to
include a language label such as text (e.g., change ``` to ```text) so
markdownlint is satisfied while leaving the diagram content unchanged.

In `@packages/control-plane/README.md`:
- Around line 75-77: Update the sentence starting "When a session opts into plan
mode the agent emits a markdown plan and the message queue is gated until the
user approves, rejects, or amends." to clarify that the queue is not completely
stalled: state that the agent emits a markdown plan and non-plan messages are
gated pending user approval, but amendments can still be dispatched as planning
turns while approval is pending (i.e., the system holds non-planning messages
rather than hard-blocking all message activity); keep the reference to
docs/PLAN_MODE.md intact.

In `@packages/control-plane/src/session/http/handlers/plans.handler.ts`:
- Around line 156-162: The parser in readApprovalBody can return non-object
values (e.g., JSON.parse("null") => null) which later causes approvePlan to
dereference properties and crash; inside readApprovalBody (and its try block)
validate that the parsed value is a non-null object (typeof parsed === "object"
&& parsed !== null) and only return it cast as ApprovalRequestBody when that
check passes, otherwise return {} so malformed-but-valid JSON does not lead to
runtime errors.

In `@packages/control-plane/src/types.ts`:
- Line 94: Update the comment for the SANDBOX_INACTIVITY_TIMEOUT_MS property to
reference the shared default constant instead of repeating the literal (900000);
change the comment from "Inactivity timeout in ms (default: 900000 = 15 min)" to
something like "Inactivity timeout in ms (Defaults to
DEFAULT_SANDBOX_INACTIVITY_TIMEOUT_MS)" so it references the named constant used
elsewhere.

In `@packages/sandbox-runtime/src/sandbox_runtime/bridge.py`:
- Around line 744-747: The token event handler is appending cumulative token
text to text_buffer, causing duplicated/ corrupted plan_text when planMode=True;
to fix it, change the logic in the token-handling block (the code that uses
text_buffer when handling token events and later builds plan_text) to append
only the incremental delta instead of the full cumulative value—e.g., keep a
last_text (or reuse the last element of text_buffer) and compute new_chunk =
event_value[len(last_text):] and append new_chunk, or replace the last entry
with the latest full value rather than appending it; update the code that
constructs plan_text from text_buffer accordingly so it no longer double-counts
tokens (references: text_buffer, the token event handler, and the code that
produces plan_text when planMode is True).
- Around line 639-643: The returned XML-like wrappers inject raw plan text
(plan_content and previous plan content) which can include closing tags like
</saved_plan> or </previous_plan>; fix by escaping those sequences before
embedding: create a safe variable (e.g., safe_plan =
plan_content.strip().replace("</saved_plan>",
"&lt;/saved_plan&gt;").replace("</previous_plan>", "&lt;/previous_plan&gt;"))
and use safe_plan in the string construction; apply the same escaping logic to
the other embedded plan variable (the previous plan insertion) so no raw closing
tags are emitted into the wrapper.
- Line 844: The call using a hardcoded 30.0 timeout (resp = await
self.http_client.post(..., timeout=30.0)) should use a single named timeout
constant instead; replace the literal with a module- or package-level constant
(e.g., DEFAULT_HTTP_TIMEOUT or PLAN_SAVE_TIMEOUT) and import it where needed, or
if a suitable constant already exists elsewhere in the codebase, import that
constant into sandbox_runtime.bridge and use it in the self.http_client.post
call so the timeout value is defined exactly once.

In `@packages/shared/src/model-defaults.ts`:
- Around line 50-57: The current logic treats the control-plane response as
valid only if both data.defaultModel and data.defaultPlanModel are present,
causing both fallbacks to be discarded when one field is missing; change the
code to apply per-field fallbacks instead: when res.ok and data is parsed
(ModelPreferencesResponse), set defaultModel = data.defaultModel ??
existingFallbackDefaultModel and defaultPlanModel = data.defaultPlanModel ??
existingFallbackDefaultPlanModel (i.e., preserve whichever fallback remains when
the other CP value is absent), and apply the same per-field pattern for the
second occurrence around the 62-65 block so each field is independently chosen
from data or fallback.

In `@packages/shared/src/prompt-safety.ts`:
- Around line 55-60: The current escapedContent replacements only match exact
"<user_content" and "</user_content>" strings and miss variants with extra
whitespace, attributes, or casing; change the logic that builds escapedContent
to use case-insensitive regex replacements that match opening and closing
user_content tags with optional whitespace/attributes (e.g. use regex like
/<\s*\/\s*user_content\b[^>]*>/gi for closing and /<\s*user_content\b[^>]*>/gi
for opening) and replace them with their neutralized forms (preserving the
existing escaped-backslash/slash pattern used in the code) so all variants such
as "</user_content >", "<USER_CONTENT>", or "<user_content attr='x'>" are
correctly neutralized; update the variable escapedContent accordingly where it
is defined.

In `@terraform/environments/production/workers-linear.tf`:
- Line 49: The environment variable DEFAULT_PLAN_MODEL is using
"claude-opus-4-6" while other configs expect the vendor-prefixed format; update
the value of DEFAULT_PLAN_MODEL to "anthropic/claude-opus-4-6" to match
control-plane and GitHub-bot, and also verify/update DEFAULT_MODEL to the same
"anthropic/claude-opus-4-6" format so both variables use a consistent
vendor-prefixed model identifier.

In `@terraform/environments/production/workers-slack.tf`:
- Line 51: DEFAULT_PLAN_MODEL is using "claude-opus-4-6" without the required
provider prefix; update the value of DEFAULT_PLAN_MODEL to
"anthropic/claude-opus-4-6" to match other workers, and also check and align
DEFAULT_MODEL (the sibling variable) to use the same "anthropic/..." prefixed
model string so formats are consistent across Slack-bot, control-plane and
GitHub-bot.

---

Outside diff comments:
In `@packages/web/src/components/settings/models-settings.tsx`:
- Around line 61-62: The handler currently calls setDirty(true) even when a
toggle is a no-op or disabled by the default-model guard; update the toggle
logic (the function that updates models and calls setDirty, e.g., the
model-toggle handler that calls setModels and setDirty) to first compare the
intended new enabled state with the current state and return early if they are
identical or if disabling is blocked, only proceeding to call setModels and then
setDirty(true) when an actual change occurs; ensure the default-model guard
prevents state changes and that setDirty is only invoked after a successful
state mutation.

---

Nitpick comments:
In `@packages/control-plane/src/session/durable-object.ts`:
- Line 779: Define a single named constant for the default sandbox inactivity
timeout (e.g., SANDBOX_INACTIVITY_TIMEOUT_MS_DEFAULT = 900000) and export it
from a shared constants module or at top of this file, then replace the inline
literal in the existing timeout parsing (the expression currently:
parseInt(this.env.SANDBOX_INACTIVITY_TIMEOUT_MS || "900000", 10)) to use the
constant (e.g., parseInt(this.env.SANDBOX_INACTIVITY_TIMEOUT_MS ??
String(SANDBOX_INACTIVITY_TIMEOUT_MS_DEFAULT), 10)), updating any other
occurrences to import/use the same constant.

In `@packages/web/src/components/settings/models-settings.tsx`:
- Around line 36-41: The render is performing state updates when SWR data
arrives; move that sync into an effect: create a useEffect that depends on
[data, initialized], and inside it, if (data && !initialized) call
setEnabledModels(new Set(data.enabledModels)),
setDefaultModel(data.defaultModel) (if present),
setDefaultPlanModel(data.defaultPlanModel) (if present), and
setInitialized(true); remove the inline state updates from the render path so
only the useEffect containing setEnabledModels, setDefaultModel,
setDefaultPlanModel, and setInitialized handles initializing state from data.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1908a84e-fc9a-4b70-ba44-702777be5ccf

📥 Commits

Reviewing files that changed from the base of the PR and between 90473af and 26491b5.

📒 Files selected for processing (52)

• docs/GETTING_STARTED.md
• docs/HOW_IT_WORKS.md
• docs/PLAN_MODE.md
• packages/control-plane/README.md
• packages/control-plane/src/db/model-preferences.ts
• packages/control-plane/src/router.ts
• packages/control-plane/src/routes/model-preferences.test.ts
• packages/control-plane/src/routes/model-preferences.ts
• packages/control-plane/src/sandbox/lifecycle/manager.test.ts
• packages/control-plane/src/session/contracts.ts
• packages/control-plane/src/session/durable-object.ts
• packages/control-plane/src/session/http/handlers/child-sessions.handler.test.ts
• packages/control-plane/src/session/http/handlers/plans.handler.test.ts
• packages/control-plane/src/session/http/handlers/plans.handler.ts
• packages/control-plane/src/session/http/handlers/pull-request.handler.test.ts
• packages/control-plane/src/session/http/handlers/session-lifecycle.handler.test.ts
• packages/control-plane/src/session/http/handlers/session-lifecycle.handler.ts
• packages/control-plane/src/session/http/routes.test.ts
• packages/control-plane/src/session/http/routes.ts
• packages/control-plane/src/session/initialize.ts
• packages/control-plane/src/session/message-queue.test.ts
• packages/control-plane/src/session/message-queue.ts
• packages/control-plane/src/session/openai-token-refresh-service.test.ts
• packages/control-plane/src/session/pull-request-service.test.ts
• packages/control-plane/src/session/repository.test.ts
• packages/control-plane/src/session/repository.ts
• packages/control-plane/src/session/schema.ts
• packages/control-plane/src/session/services/plan.service.test.ts
• packages/control-plane/src/session/services/plan.service.ts
• packages/control-plane/src/session/types.ts
• packages/control-plane/src/types.ts
• packages/control-plane/src/utils/models.ts
• packages/control-plane/test/integration/cleanup.ts
• packages/control-plane/test/integration/model-preferences.test.ts
• packages/sandbox-runtime/src/sandbox_runtime/bridge.py
• packages/sandbox-runtime/tests/test_bridge_message_tracking.py
• packages/sandbox-runtime/tests/test_bridge_resume_context.py
• packages/shared/src/index.ts
• packages/shared/src/model-defaults.test.ts
• packages/shared/src/model-defaults.ts
• packages/shared/src/models.ts
• packages/shared/src/prompt-safety.test.ts
• packages/shared/src/prompt-safety.ts
• packages/shared/src/types/index.ts
• packages/web/src/components/settings/models-settings.tsx
• packages/web/src/hooks/use-enabled-models.ts
• packages/web/src/lib/session-list.test.ts
• terraform/d1/migrations/0021_add_default_models_to_model_preferences.sql
• terraform/environments/production/workers-control-plane.tf
• terraform/environments/production/workers-github.tf
• terraform/environments/production/workers-linear.tf
• terraform/environments/production/workers-slack.tf

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/control-plane/src/routes/model-preferences.test.ts`:
- Line 145: The test currently asserts plan fallback against DEFAULT_MODEL;
change the assertion in model-preferences.test (the expect on
body.defaultPlanModel) to use the plan-specific constant DEFAULT_PLAN_MODEL
instead of DEFAULT_MODEL so the test verifies the dedicated plan fallback
contract (update the expect call to toBe(DEFAULT_PLAN_MODEL)).

In `@packages/control-plane/src/routes/model-preferences.ts`:
- Around line 35-47: resolveDefaults currently picks
defaultModel/defaultPlanModel from env/shared fallbacks without ensuring those
values are present in the enabledModels set, violating the same invariant
enforced by setPreferences; after computing defaultModel and defaultPlanModel in
resolveDefaults (and in the analogous fallback logic at lines 57-69), reconcile
them against the enabledModels you will return by either adding any missing
defaultModel/defaultPlanModel into enabledModels or choosing a fallback from
enabledModels (e.g., first enabled) and update the returned defaults accordingly
so the returned defaults are always members of the enabledModels set.

In `@packages/control-plane/src/session/http/handlers/plans.handler.ts`:
- Around line 115-131: The handler currently treats a null return from
deps.validateReasoningEffort as an explicit “clear” sentinel; change this so
that after calling validateReasoningEffort(implementationModel,
body.implementationReasoningEffort) you check whether the return is null but the
incoming body.implementationReasoningEffort was not null/undefined, and if so
return the 400 Response with code "invalid_reasoning_effort"; keep the existing
behavior that only an explicit body.implementationReasoningEffort === null
clears the stored value. Ensure you reference the implementationReasoningEffort
variable, validateReasoningEffort call, and implementationModel existence check
when making this change.

In
`@packages/control-plane/src/session/http/handlers/session-lifecycle.handler.ts`:
- Around line 115-129: When planMode is true, don't hardcode DEFAULT_PLAN_MODEL
here; instead resolve the deployment-wide effective default (the DB > env >
shared fallback) before initializing planModel and use that value when
body.planModel is omitted. Update the logic around planMode/planModel to call
the existing configuration lookup (e.g., a getEffectiveDefaultPlanModel() or
equivalent config/service method) to populate the fallback, keep the
isValidModel() check for an explicitly provided body.planModel and emit the
deps.getLog().warn only when an invalid plan was requested, and assign the
resolved effective default when no planModel is provided.

In `@packages/sandbox-runtime/src/sandbox_runtime/bridge.py`:
- Line 651: Replace the unsafe xml_escape usage for attribute values with a
proper attribute-quoting helper: use quoteattr() (e.g.,
xml.sax.saxutils.quoteattr) when inserting the version into the saved_plan and
previous_plan attributes so embedded double quotes won’t break the XML-like
attribute boundary; locate the f-string that builds '<saved_plan version="...">'
and the analogous previous_plan construction and wrap the version value with
quoteattr(str(version)) instead of xml_escape(str(version)).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b0301759-5532-4418-b3c4-01d0a0f87175

📥 Commits

Reviewing files that changed from the base of the PR and between 26491b5 and 572e4bb.

📒 Files selected for processing (30)

• docs/GETTING_STARTED.md
• docs/PLAN_MODE.md
• packages/control-plane/README.md
• packages/control-plane/src/db/model-preferences.ts
• packages/control-plane/src/router.ts
• packages/control-plane/src/routes/model-preferences.test.ts
• packages/control-plane/src/routes/model-preferences.ts
• packages/control-plane/src/session/durable-object.ts
• packages/control-plane/src/session/http/handlers/plans.handler.test.ts
• packages/control-plane/src/session/http/handlers/plans.handler.ts
• packages/control-plane/src/session/http/handlers/session-lifecycle.handler.ts
• packages/control-plane/src/session/repository.test.ts
• packages/control-plane/src/session/services/plan.service.test.ts
• packages/control-plane/src/session/services/plan.service.ts
• packages/control-plane/src/session/types.ts
• packages/control-plane/src/types.ts
• packages/control-plane/test/integration/cleanup.ts
• packages/control-plane/test/integration/model-preferences.test.ts
• packages/sandbox-runtime/src/sandbox_runtime/bridge.py
• packages/sandbox-runtime/tests/test_bridge_resume_context.py
• packages/shared/src/model-defaults.test.ts
• packages/shared/src/model-defaults.ts
• packages/shared/src/prompt-safety.ts
• packages/web/src/components/settings/models-settings.tsx
• packages/web/src/hooks/use-enabled-models.ts
• terraform/d1/migrations/0021_add_default_models_to_model_preferences.sql
• terraform/environments/production/workers-control-plane.tf
• terraform/environments/production/workers-github.tf
• terraform/environments/production/workers-linear.tf
• terraform/environments/production/workers-slack.tf

✅ Files skipped from review due to trivial changes (4)

• terraform/environments/production/workers-github.tf
• docs/PLAN_MODE.md
• packages/control-plane/README.md
• docs/GETTING_STARTED.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Honor the deployment-wide plan default here.

When plan mode is enabled and the caller omits planModel, this always persists DEFAULT_PLAN_MODEL. That bypasses the new DB > env > shared fallback chain, so server-created sessions won't respect a configured defaultPlanModel unless every caller sends it explicitly. Please resolve the effective default before this init path, rather than hardcoding the shared fallback here.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@packages/control-plane/src/session/http/handlers/session-lifecycle.handler.ts`
around lines 115 - 129, When planMode is true, don't hardcode DEFAULT_PLAN_MODEL
here; instead resolve the deployment-wide effective default (the DB > env >
shared fallback) before initializing planModel and use that value when
body.planModel is omitted. Update the logic around planMode/planModel to call
the existing configuration lookup (e.g., a getEffectiveDefaultPlanModel() or
equivalent config/service method) to populate the fallback, keep the
isValidModel() check for an explicitly provided body.planModel and emit the
deps.getLog().warn only when an invalid plan was requested, and assign the
resolved effective default when no planModel is provided.

[bleleve]

Acknowledging this — confirmed valid concern, but deferring this one as a follow-up.

The DO-side lifecycle handler doesn't currently take ModelPreferencesStore (or any D1-accessing dep) — it works through a pinned set of repository methods. Wiring the deployment default through here means:

• adding a resolveDefaultPlanModel: () => Promise<string | null> dep on SessionLifecycleHandlerDeps
• constructing it in the DO's durable-object.ts with new ModelPreferencesStore(env.DB)
• updating all unit-test fixtures that build the handler

In practice, every current caller (web home, GitHub bot, Linear bot, Slack bot) already resolves defaultPlanModel via fetchModelDefaults before calling POST /sessions and passes it explicitly as planModel. The DO falling back to the shared constant for callers that omit planModel is a defensive last-resort path, not the happy path.

Tracked as a separate follow-up so this PR doesn't grow into the DO-deps refactor surface. Happy to address in a stacked PR once #671 + #672 land. Marking this thread as something to revisit.

[coderabbitai]

@bleleve, that's a well-reasoned deferral — the "callers already resolve via fetchModelDefaults before the session POST" invariant is a solid reason to keep this PR scope-contained. The DEFAULT_PLAN_MODEL fallback remaining as a last-resort safety net is acceptable for now.

Would you like me to open a GitHub issue to track the follow-up work? It could capture the specific changes needed:

• Add resolveDefaultPlanModel: () => Promise<string | null> to SessionLifecycleHandlerDeps
• Wire new ModelPreferencesStore(env.DB) in durable-object.ts
• Update unit-test fixtures for the handler

Just say the word and I'll create it.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/shared/src/model-defaults.ts`:
- Around line 65-67: fetchModelDefaults currently returns env.DEFAULT_MODEL /
env.DEFAULT_PLAN_MODEL verbatim on the fallback path (used to set
defaultModel/defaultPlanModel), which can be unqualified; modify
fetchModelDefaults to validate and normalize any fallback env values into
canonical provider/model IDs (e.g., call a new or existing
normalizeModelId(model) helper) before assigning defaultModel and
defaultPlanModel, falling back to DEFAULT_MODEL / DEFAULT_PLAN_MODEL constants
only after normalization/validation fails, and update model-defaults tests to
assert canonical (fully-qualified) IDs are returned when env variables are used;
reference fetchModelDefaults, defaultModel, defaultPlanModel, env.DEFAULT_MODEL,
env.DEFAULT_PLAN_MODEL, DEFAULT_MODEL, and DEFAULT_PLAN_MODEL in your changes.

In `@packages/web/src/components/settings/models-settings.tsx`:
- Around line 45-100: The updater mutates an outer `changed` flag which is
unsafe; instead compute change purely inside the updater (or compute the next
set before calling setEnabledModels) and only call setDirty when the new Set
actually differs from the previous Set. Update toggleModel and toggleCategory:
stop writing to the outer `changed`, build a local next Set inside the updater
(or compute next outside), determine whether prev and next differ by comparing
sizes and membership, call setToggleError from inside the updater when blocking
a default (using defaultModel/defaultPlanModel and formatModelNameLower), return
prev when no change is needed, and call setDirty(true) only if the comparison
shows a real change. Ensure you reference setEnabledModels, setDirty,
setToggleError, toggleModel, toggleCategory, defaultModel, defaultPlanModel, and
formatModelNameLower when making these edits.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 63eb8d19-4faa-44e4-bcdb-26126bca2b8c

📥 Commits

Reviewing files that changed from the base of the PR and between 572e4bb and d03dab5.

📒 Files selected for processing (17)

• docs/GETTING_STARTED.md
• packages/control-plane/src/db/model-preferences.ts
• packages/control-plane/src/routes/model-preferences.test.ts
• packages/control-plane/src/routes/model-preferences.ts
• packages/control-plane/src/session/http/handlers/plans.handler.test.ts
• packages/control-plane/src/session/http/handlers/plans.handler.ts
• packages/control-plane/test/integration/cleanup.ts
• packages/control-plane/test/integration/model-preferences.test.ts
• packages/shared/src/model-defaults.test.ts
• packages/shared/src/model-defaults.ts
• packages/web/src/components/settings/models-settings.tsx
• packages/web/src/hooks/use-enabled-models.ts
• terraform/d1/migrations/0021_add_default_models_to_model_preferences.sql
• terraform/environments/production/workers-control-plane.tf
• terraform/environments/production/workers-github.tf
• terraform/environments/production/workers-linear.tf
• terraform/environments/production/workers-slack.tf

✅ Files skipped from review due to trivial changes (1)

• docs/GETTING_STARTED.md

[coderabbitai]

♻️ Duplicate comments (1)

packages/control-plane/src/routes/model-preferences.test.ts (1)

165-168: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use the plan fallback constant in this assertion.

Line 167 should assert the plan fallback contract (DEFAULT_PLAN_MODEL), not DEFAULT_MODEL, otherwise this test can miss plan-specific fallback regressions.

Suggested fix

-    expect(body.defaultPlanModel).toBe(DEFAULT_MODEL);
+    expect(body.defaultPlanModel).toBe(DEFAULT_PLAN_MODEL);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/control-plane/src/routes/model-preferences.test.ts` around lines 165
- 168, The test currently asserts plan fallback using DEFAULT_MODEL; change the
assertion to use the plan-specific constant DEFAULT_PLAN_MODEL so the
getValidModelOrDefault / plan fallback contract is validated: update the
expectation in the model-preferences.test.ts unit where it checks
body.defaultPlanModel to compare against DEFAULT_PLAN_MODEL instead of
DEFAULT_MODEL.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@packages/control-plane/src/routes/model-preferences.test.ts`:
- Around line 165-168: The test currently asserts plan fallback using
DEFAULT_MODEL; change the assertion to use the plan-specific constant
DEFAULT_PLAN_MODEL so the getValidModelOrDefault / plan fallback contract is
validated: update the expectation in the model-preferences.test.ts unit where it
checks body.defaultPlanModel to compare against DEFAULT_PLAN_MODEL instead of
DEFAULT_MODEL.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8cf7706d-27da-4e81-bdef-c95932072118

📥 Commits

Reviewing files that changed from the base of the PR and between d03dab5 and 935b3af.

📒 Files selected for processing (17)

• docs/GETTING_STARTED.md
• packages/control-plane/src/db/model-preferences.ts
• packages/control-plane/src/routes/model-preferences.test.ts
• packages/control-plane/src/routes/model-preferences.ts
• packages/control-plane/src/session/http/handlers/plans.handler.ts
• packages/control-plane/test/integration/cleanup.ts
• packages/control-plane/test/integration/model-preferences.test.ts
• packages/sandbox-runtime/src/sandbox_runtime/bridge.py
• packages/shared/src/model-defaults.test.ts
• packages/shared/src/model-defaults.ts
• packages/web/src/components/settings/models-settings.tsx
• packages/web/src/hooks/use-enabled-models.ts
• terraform/d1/migrations/0021_add_default_models_to_model_preferences.sql
• terraform/environments/production/workers-control-plane.tf
• terraform/environments/production/workers-github.tf
• terraform/environments/production/workers-linear.tf
• terraform/environments/production/workers-slack.tf

✅ Files skipped from review due to trivial changes (3)

• terraform/environments/production/workers-github.tf
• terraform/environments/production/workers-linear.tf
• terraform/environments/production/workers-slack.tf

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/control-plane/src/db/model-preferences.ts (1)

56-107: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Normalize model IDs before deduping and persisting them.

isValidModel() is paired with normalization elsewhere because bare aliases are accepted inputs. Here Line 57 dedupes raw strings and writes them verbatim, so alias and canonical forms of the same model can survive as separate enabledModels entries, and defaultModel / defaultPlanModel can be stored in non-canonical form. Normalize first, then dedupe and validate membership against the normalized set so this row stays canonical for every caller.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/control-plane/src/db/model-preferences.ts` around lines 56 - 107, In
setPreferences, normalize model IDs before deduping, validating, and persisting:
map prefs.enabledModels through the canonicalizer (e.g., normalizeModel(id) or
the existing normalization helper used elsewhere), then build the unique list
from those normalized IDs, validate via isValidModel against the normalized
values, and create enabledSet from the normalized unique list; also normalize
prefs.defaultModel and prefs.defaultPlanModel (and validate they exist in the
normalized enabledSet) and persist the JSON of the normalized unique list and
the normalized default values so stored rows always contain canonical model IDs.

♻️ Duplicate comments (1)

packages/web/src/components/settings/models-settings.tsx (1)

45-100: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Keep the setEnabledModels updaters pure and derive dirty from committed state.

changed and setToggleError(...) are both mutated from inside the updater callback, then changed is read after setEnabledModels(...) returns. In React this callback can run more than once in development, so these handlers can mark the form dirty even when they return prev (for example, blocking the current default or refusing to remove the last enabled model). Compute next from the current render state before calling setEnabledModels, or compare prev/next in a pure helper and only call setDirty(true) when a real change is committed.

In React 19, can a useState updater function be invoked multiple times in development/Strict Mode, and should it avoid side effects like mutating outer variables or calling other state setters?

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/web/src/components/settings/models-settings.tsx` around lines 45 -
100, The updater callbacks in toggleModel and toggleCategory are impure: they
mutate outer var changed and call setToggleError inside the setEnabledModels
updater; make them pure by computing the new Set (next) and any
blockedDefault/changed result outside the state updater (or in a pure helper
that takes prev and returns {next, blockedDefault, changed}), then call
setEnabledModels with the resulting next only once and call setToggleError and
setDirty after setEnabledModels based on the computed blockedDefault/changed; in
short, stop mutating changed or invoking setToggleError inside the
setEnabledModels updater in functions toggleModel and toggleCategory and instead
derive and apply side effects from the committed next state.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/control-plane/src/session/services/plan.service.ts`:
- Around line 175-179: approvePlanAndFlush currently calls approvePlan() which
persists the "approved" state before calling the non-idempotent
this.deps.onDispatchImplementationPrompt(result.plan.version), so a thrown error
leaves the session committed but dispatch never queued; change the flow to
ensure the dispatch is durably retried or made idempotent: either perform the
dispatch enqueue inside the same DB transaction/update as approvePlan (e.g.,
extend approvePlan to set an extra "dispatch_pending" flag or write the dispatch
job record atomically), or have approvePlan return a transactional token and
only persist final "approved" after successful enqueue; update approvePlan,
approvePlanAndFlush and the onDispatchImplementationPrompt usage to use this
atomic enqueue/flag approach so retries won’t leave the session in an
invalid_status.

In `@packages/control-plane/test/integration/plan-approval.test.ts`:
- Around line 1-3: This test file is missing D1 cleanup; add a beforeEach that
calls cleanD1Tables() to ensure D1 state is reset between tests. Import or
reference the existing cleanD1Tables helper and add beforeEach(async () => {
await cleanD1Tables(); }) at the top-level of the suite (next to
initSession/queryDO usage) so tests using defineWorkersConfig with
isolatedStorage: false don't leak state; ensure the call runs before any
initSession or test logic.

---

Outside diff comments:
In `@packages/control-plane/src/db/model-preferences.ts`:
- Around line 56-107: In setPreferences, normalize model IDs before deduping,
validating, and persisting: map prefs.enabledModels through the canonicalizer
(e.g., normalizeModel(id) or the existing normalization helper used elsewhere),
then build the unique list from those normalized IDs, validate via isValidModel
against the normalized values, and create enabledSet from the normalized unique
list; also normalize prefs.defaultModel and prefs.defaultPlanModel (and validate
they exist in the normalized enabledSet) and persist the JSON of the normalized
unique list and the normalized default values so stored rows always contain
canonical model IDs.

---

Duplicate comments:
In `@packages/web/src/components/settings/models-settings.tsx`:
- Around line 45-100: The updater callbacks in toggleModel and toggleCategory
are impure: they mutate outer var changed and call setToggleError inside the
setEnabledModels updater; make them pure by computing the new Set (next) and any
blockedDefault/changed result outside the state updater (or in a pure helper
that takes prev and returns {next, blockedDefault, changed}), then call
setEnabledModels with the resulting next only once and call setToggleError and
setDirty after setEnabledModels based on the computed blockedDefault/changed; in
short, stop mutating changed or invoking setToggleError inside the
setEnabledModels updater in functions toggleModel and toggleCategory and instead
derive and apply side effects from the committed next state.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5bde1f79-5b3b-4b0f-9122-08e449f47b0f

📥 Commits

Reviewing files that changed from the base of the PR and between 935b3af and a72780b.

📒 Files selected for processing (21)

• docs/GETTING_STARTED.md
• packages/control-plane/src/db/model-preferences.ts
• packages/control-plane/src/routes/model-preferences.test.ts
• packages/control-plane/src/routes/model-preferences.ts
• packages/control-plane/src/session/durable-object.ts
• packages/control-plane/src/session/services/plan.service.test.ts
• packages/control-plane/src/session/services/plan.service.ts
• packages/control-plane/test/integration/cleanup.ts
• packages/control-plane/test/integration/helpers.ts
• packages/control-plane/test/integration/model-preferences.test.ts
• packages/control-plane/test/integration/plan-approval.test.ts
• packages/shared/src/model-defaults.test.ts
• packages/shared/src/model-defaults.ts
• packages/shared/src/types/index.ts
• packages/web/src/components/settings/models-settings.tsx
• packages/web/src/hooks/use-enabled-models.ts
• terraform/d1/migrations/0021_add_default_models_to_model_preferences.sql
• terraform/environments/production/workers-control-plane.tf
• terraform/environments/production/workers-github.tf
• terraform/environments/production/workers-linear.tf
• terraform/environments/production/workers-slack.tf

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Avoid committing approval before a non-idempotent dispatch step.

approvePlan() persists "approved" before onDispatchImplementationPrompt(...) runs. If that callback throws, this method returns an error after the state change is already committed; a retry then fails with "invalid_status" and the implementation prompt may never be queued. This needs a durable retry/idempotency path so approved sessions cannot get stranded between the DB write and the follow-up dispatch.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/control-plane/src/session/services/plan.service.ts` around lines 175
- 179, approvePlanAndFlush currently calls approvePlan() which persists the
"approved" state before calling the non-idempotent
this.deps.onDispatchImplementationPrompt(result.plan.version), so a thrown error
leaves the session committed but dispatch never queued; change the flow to
ensure the dispatch is durably retried or made idempotent: either perform the
dispatch enqueue inside the same DB transaction/update as approvePlan (e.g.,
extend approvePlan to set an extra "dispatch_pending" flag or write the dispatch
job record atomically), or have approvePlan return a transactional token and
only persist final "approved" after successful enqueue; update approvePlan,
approvePlanAndFlush and the onDispatchImplementationPrompt usage to use this
atomic enqueue/flag approach so retries won’t leave the session in an
invalid_status.

[bleleve]

Considered but declining the structural change. Rationale:

• onDispatchImplementationPrompt resolves to messageService.enqueuePrompt(...), which is a sequence of SQL writes on the DO's local SQLite. Under the Cloudflare DO model (single-threaded V8 isolate, transactional storage) the exception path is extremely narrow — a storage-layer failure here would also fail the approvePlan write that preceded it.
• The failure mode is recoverable without operator intervention: the gate is now "approved" so any subsequent user prompt to the session (web typing, Slack follow-up, etc.) dispatches normally. The only loss is the auto-fired "Implement the plan vN" prompt — the user can type "go" and continue.
• The proposed atomic alternatives (single-transaction approve+enqueue, or two-phase commit with a dispatch_pending flag) cross the plan-service ↔ message-service boundary and add real complexity. Not justified for a near-zero-probability, easily-recoverable failure.

If we ever start seeing dispatch failures in logs (none observed in onboardiq production since #65 merged), we'd revisit with an idempotent re-dispatch path keyed off plan_approval_status === "approved" + absence of source === "system" message for the current plan version — that's a smaller delta than a full transaction.

Note: this comment surfaced on #672 but the code lives in #671 (the foundation diff). All upstream PRs target base=main, so #672's cumulative diff includes foundation's changes — that's why CodeRabbit flagged it here when the foundation fix was force-pushed during the rebase.

[coderabbitai]

@bleleve, understood — the rationale holds up well. The shared SQLite failure domain under the Cloudflare DO model does meaningfully narrow the gap between the two writes, and the graceful degradation path (session left in "approved", next user prompt dispatches normally) is a reasonable trade-off against crossing the plan-service ↔ message-service boundary. The future recovery heuristic (plan_approval_status === "approved" + no source === "system" message for the current plan version) is also a clean signal if a retry path ever becomes necessary.

Thanks for the context on the #671/#672 diff layering — noted.

(´･ω･`)

---

✏️ Learnings added

Learnt from: bleleve
Repo: ColeMurray/background-agents PR: 672
File: packages/control-plane/src/session/services/plan.service.ts:175-179
Timestamp: 2026-05-22T23:47:38.393Z
Learning: In `packages/control-plane/src/session/services/plan.service.ts`, the `approvePlanAndFlush` method intentionally persists `"approved"` status before calling `onDispatchImplementationPrompt`. This is a deliberate design decision: under the Cloudflare Durable Object model (single-threaded V8 isolate, transactional local SQLite), a storage failure during `onDispatchImplementationPrompt` (which resolves to `messageService.enqueuePrompt` — also a sequence of SQLite writes) would also fail the preceding `approvePlan` write, making the exception path extremely narrow. The failure is considered recoverable without operator intervention: with status `"approved"`, any subsequent user message dispatches normally; only the auto-fired synthetic implementation prompt is lost. The proposed atomic alternatives (dispatch_pending flag, two-phase commit across plan-service and message-service) were explicitly rejected as adding unjustified complexity. A future idempotent re-dispatch path keyed off `plan_approval_status === "approved"` + absence of a `source === "system"` message for the current plan version was noted as the preferred remediation if dispatch failures are ever observed in production.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.