ci: improve workflow validation parity (#145)

Author: ignatov

.github/workflows/build_registry.py

@@ -12,11 +12,11 @@
 from pathlib import Path
 
 from registry_utils import (
-    SKIP_DIRS,
     extract_npm_package_name,
     extract_npm_package_version,
     extract_pypi_package_name,
     normalize_version,
+    should_skip_dir,
 )
 
 try:
@@ -535,7 +535,7 @@ def build_registry(dry_run: bool = False):
         print("  Install with: pip install jsonschema")
 
     for entry_dir in sorted(registry_dir.iterdir()):
-        if not entry_dir.is_dir() or entry_dir.name in SKIP_DIRS:
+        if not entry_dir.is_dir() or should_skip_dir(entry_dir.name):
             continue
 
         agent_json_path = entry_dir / "agent.json"

.github/workflows/daily-protocol-matrix.yml

@@ -70,7 +70,7 @@ jobs:
           XDG_CONFIG_HOME: ${{ runner.temp }}/xdg-config
         run: |
           AGENTS_INPUT=""
-          SKIP_INPUT="crow-cli"
+          SKIP_INPUT=""
           TABLE_MODE="capabilities"
           CHANGED_ONLY="false"
 
@@ -86,7 +86,7 @@ jobs:
           ARGS=(
             --sandbox-dir .matrix-sandbox
             --output-dir .protocol-matrix
-            --init-timeout 45
+            --init-timeout 120
             --rpc-timeout 5
             --table-mode "$TABLE_MODE"
           )

.github/workflows/docker/registry-entrypoint.sh

@@ -0,0 +1,51 @@
+#!/bin/sh
+set -eu
+
+find_nss_wrapper() {
+  for candidate in /usr/lib/*/libnss_wrapper.so /lib/*/libnss_wrapper.so; do
+    if [ -f "$candidate" ]; then
+      printf '%s\n' "$candidate"
+      return 0
+    fi
+  done
+  return 1
+}
+
+setup_user() {
+  uid="$(id -u)"
+  gid="$(id -g)"
+  home_dir="${HOME:-/tmp}"
+  passwd_file="$home_dir/.nss-passwd"
+  group_file="$home_dir/.nss-group"
+
+  mkdir -p "$home_dir"
+  export USER="${USER:-codex}"
+  export LOGNAME="${LOGNAME:-$USER}"
+
+  if grep -Eq "^[^:]*:[^:]*:${uid}:" /etc/passwd; then
+    return 0
+  fi
+
+  cp /etc/passwd "$passwd_file"
+  cp /etc/group "$group_file"
+
+  if ! grep -Eq "^[^:]*:[^:]*:${gid}:" "$group_file"; then
+    printf '%s:x:%s:\n' "$USER" "$gid" >> "$group_file"
+  fi
+
+  printf '%s:x:%s:%s:Codex Container User:%s:/bin/sh\n' "$USER" "$uid" "$gid" "$home_dir" >> "$passwd_file"
+
+  nss_wrapper_lib="$(find_nss_wrapper || true)"
+  if [ -n "$nss_wrapper_lib" ]; then
+    export NSS_WRAPPER_PASSWD="$passwd_file"
+    export NSS_WRAPPER_GROUP="$group_file"
+    if [ -n "${LD_PRELOAD:-}" ]; then
+      export LD_PRELOAD="$nss_wrapper_lib:$LD_PRELOAD"
+    else
+      export LD_PRELOAD="$nss_wrapper_lib"
+    fi
+  fi
+}
+
+setup_user
+exec "$@"

.github/workflows/docker/registry-tools.Dockerfile

@@ -1,4 +1,6 @@
-FROM node:22-bookworm-slim
+FROM node:22-bookworm-slim AS node-runtime
+
+FROM ubuntu:24.04
 
 ENV DEBIAN_FRONTEND=noninteractive \
     PIP_DISABLE_PIP_VERSION_CHECK=1 \
@@ -12,15 +14,26 @@ RUN apt-get update \
     && apt-get install -y --no-install-recommends \
         ca-certificates \
         git \
+        libgomp1 \
+        libnss-wrapper \
         python3 \
         python3-pip \
         python3-venv \
     && rm -rf /var/lib/apt/lists/*
 
-RUN python3 -m venv /opt/uv \
+COPY --from=node-runtime /usr/local/bin/node /usr/local/bin/node
+COPY --from=node-runtime /usr/local/lib/node_modules /usr/local/lib/node_modules
+COPY docker/registry-entrypoint.sh /usr/local/bin/registry-entrypoint.sh
+
+RUN rm -f /usr/local/bin/npm /usr/local/bin/npx /usr/local/bin/corepack \
+    && ln -s ../lib/node_modules/npm/bin/npm-cli.js /usr/local/bin/npm \
+    && ln -s ../lib/node_modules/npm/bin/npx-cli.js /usr/local/bin/npx \
+    && ln -s ../lib/node_modules/corepack/dist/corepack.js /usr/local/bin/corepack \
+    && python3 -m venv /opt/uv \
     && /opt/uv/bin/pip install --no-cache-dir uv \
     && ln -s /opt/uv/bin/uv /usr/local/bin/uv \
     && printf '#!/bin/sh\nexec /usr/local/bin/uv tool run "$@"\n' > /usr/local/bin/uvx \
-    && chmod +x /usr/local/bin/uvx
+    && chmod +x /usr/local/bin/uvx /usr/local/bin/registry-entrypoint.sh
 
 WORKDIR /workspace
+ENTRYPOINT ["/usr/local/bin/registry-entrypoint.sh"]

.github/workflows/protocol_matrix.py

@@ -34,8 +34,11 @@
 
 from verify_agents import build_agent_command, load_registry, prepare_binary
 
-DEFAULT_INIT_TIMEOUT = 45.0
+DEFAULT_INIT_TIMEOUT = 120.0
 DEFAULT_RPC_TIMEOUT = 5.0
+DEFAULT_EXIT_GRACE = 0.25
+EXIT_GRACE_POLL_INTERVAL = 0.05
+EXIT_GRACE_REAP_SLACK = 0.05
 DEFAULT_SANDBOX_DIR = ".matrix-sandbox"
 DEFAULT_OUTPUT_DIR = ".protocol-matrix"
 DEFAULT_TABLE_MODE = "full"
@@ -330,23 +333,79 @@ def send_jsonrpc_request(
     proc.stdin.flush()
 
 
+def process_exit_outcome(
+    exit_code: int,
+    method: str,
+) -> tuple[ProbeOutcome, dict[str, Any] | None]:
+    """Build a normalized process-exit outcome for a pending request."""
+    return (
+        ProbeOutcome(
+            status="process_error",
+            message=f"process exited with code {exit_code} before responding to {method}",
+        ),
+        None,
+    )
+
+
+def reconcile_timed_out_request(
+    proc: subprocess.Popen,
+    request_id: int,
+    method: str,
+    exit_grace: float,
+) -> tuple[ProbeOutcome, dict[str, Any] | None] | None:
+    """Reconcile a timed-out request with a near-immediate exit or late response."""
+    if exit_grace <= 0:
+        return None
+
+    deadline = time.monotonic() + exit_grace
+    while True:
+        remaining = deadline - time.monotonic()
+        if remaining <= 0:
+            break
+
+        message = read_jsonrpc_line(proc, min(remaining, EXIT_GRACE_POLL_INTERVAL))
+        if message is None:
+            exit_code = proc.poll()
+            if exit_code is not None:
+                return process_exit_outcome(exit_code, method)
+            continue
+
+        if "_decode_error" in message:
+            return (
+                ProbeOutcome(status="decode_error", message=message["_decode_error"]),
+                None,
+            )
+
+        if message.get("id") == request_id and ("result" in message or "error" in message):
+            return classify_rpc_response(message), message
+
+    exit_code = proc.poll()
+    if exit_code is not None:
+        return process_exit_outcome(exit_code, method)
+
+    if EXIT_GRACE_REAP_SLACK > 0:
+        try:
+            exit_code = proc.wait(timeout=EXIT_GRACE_REAP_SLACK)
+        except subprocess.TimeoutExpired:
+            exit_code = None
+        if exit_code is not None:
+            return process_exit_outcome(exit_code, method)
+
+    return None
+
+
 def request_with_timeout(
     proc: subprocess.Popen,
     request_id: int,
     method: str,
     params: dict[str, Any],
     timeout: float,
+    exit_grace: float = DEFAULT_EXIT_GRACE,
 ) -> tuple[ProbeOutcome, dict[str, Any] | None]:
     """Send request and wait for the response with matching id."""
     exit_code = proc.poll()
     if exit_code is not None:
-        return (
-            ProbeOutcome(
-                status="process_error",
-                message=f"process exited with code {exit_code} before {method}",
-            ),
-            None,
-        )
+        return process_exit_outcome(exit_code, method)
 
     try:
         send_jsonrpc_request(proc, request_id, method, params)
@@ -372,15 +431,7 @@ def request_with_timeout(
         if message is None:
             exit_code = proc.poll()
             if exit_code is not None:
-                return (
-                    ProbeOutcome(
-                        status="process_error",
-                        message=(
-                            f"process exited with code {exit_code} before responding to {method}"
-                        ),
-                    ),
-                    None,
-                )
+                return process_exit_outcome(exit_code, method)
             break
 
         if "_decode_error" in message:
@@ -392,6 +443,10 @@ def request_with_timeout(
         if message.get("id") == request_id and ("result" in message or "error" in message):
             return classify_rpc_response(message), message
 
+    reconciled = reconcile_timed_out_request(proc, request_id, method, exit_grace)
+    if reconciled is not None:
+        return reconciled
+
     return (
         ProbeOutcome(status="no_response", message=f"timeout after {timeout:.1f}s"),
         None,
@@ -737,11 +792,22 @@ def ensure_binary_executable(cmd: list[str], dist_type: str) -> ProbeOutcome | N
         return None
 
     exe_path = Path(cmd[0])
-    if not exe_path.exists() or os.access(exe_path, os.X_OK):
+    if not exe_path.exists():
+        return None
+
+    try:
+        current_mode = exe_path.stat().st_mode
+    except OSError as exc:
+        return ProbeOutcome(
+            status="process_error",
+            message=short_message(f"Failed to inspect executable {exe_path}: {exc}"),
+        )
+
+    if current_mode & 0o111:
         return None
 
     try:
-        exe_path.chmod(exe_path.stat().st_mode | 0o755)
+        exe_path.chmod(current_mode | 0o755)
     except OSError as exc:
         return ProbeOutcome(
             status="process_error",

.github/workflows/registry_utils.py

@@ -18,6 +18,11 @@
 }
 
 
+def should_skip_dir(name: str) -> bool:
+    """Return whether a top-level directory should be skipped during registry scans."""
+    return name in SKIP_DIRS or name.startswith(".")
+
+
 def extract_npm_package_name(package_spec: str) -> str:
     """Extract npm package name from spec like @scope/name@version."""
     if package_spec.startswith("@"):

.github/workflows/scripts/run-protocol-matrix.sh

@@ -3,17 +3,64 @@ set -euo pipefail
 
 ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../../.." && pwd)"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+TABLE_MODE="${ACP_PROTOCOL_MATRIX_TABLE_MODE:-capabilities}"
+SKIP_AGENTS="${ACP_PROTOCOL_MATRIX_SKIP_AGENTS:-}"
+KEEP_STATE="${ACP_PROTOCOL_MATRIX_KEEP_STATE:-0}"
+SANDBOX_DIR="${ACP_PROTOCOL_MATRIX_SANDBOX_DIR:-}"
+TEMP_STATE_DIR=""
+TEMP_SANDBOX_DIR=""
+TEMP_SANDBOX_ROOT="$ROOT/.matrix-sandbox/.tmp"
+TEMP_STATE_ROOT="$ROOT/.docker-state/.tmp"
+
+cleanup() {
+  if [[ -n "$TEMP_SANDBOX_DIR" ]]; then
+    rm -rf "$TEMP_SANDBOX_DIR"
+  fi
+  if [[ -n "$TEMP_STATE_DIR" ]]; then
+    rm -rf "$TEMP_STATE_DIR"
+  fi
+}
+
+if [[ -z "$SANDBOX_DIR" ]]; then
+  if [[ "$KEEP_STATE" == "1" ]]; then
+    SANDBOX_DIR=".matrix-sandbox"
+  else
+    mkdir -p "$TEMP_SANDBOX_ROOT"
+    TEMP_SANDBOX_DIR="$(mktemp -d "$TEMP_SANDBOX_ROOT/protocol-matrix-sandbox.XXXXXX")"
+    SANDBOX_DIR="${TEMP_SANDBOX_DIR#"$ROOT"/}"
+  fi
+fi
+
 ARGS=(
   python3
   .github/workflows/protocol_matrix.py
   --sandbox-dir
-  .matrix-sandbox
+  "$SANDBOX_DIR"
   --output-dir
   .protocol-matrix
+  --init-timeout
+  120
+  --rpc-timeout
+  5
+  --table-mode
+  "$TABLE_MODE"
 )
 
-if [[ -n "${ACP_PROTOCOL_MATRIX_SKIP_AGENTS:-}" ]]; then
-  ARGS+=(--skip-agent "$ACP_PROTOCOL_MATRIX_SKIP_AGENTS")
+if [[ -n "$SKIP_AGENTS" ]]; then
+  ARGS+=(--skip-agent "$SKIP_AGENTS")
+fi
+
+if [[ -z "${ACP_REGISTRY_STATE_DIR:-}" && "$KEEP_STATE" != "1" ]]; then
+  mkdir -p "$TEMP_STATE_ROOT"
+  TEMP_STATE_DIR="$(mktemp -d "$TEMP_STATE_ROOT/protocol-matrix-state.XXXXXX")"
+fi
+
+if [[ -n "$TEMP_SANDBOX_DIR" || -n "$TEMP_STATE_DIR" ]]; then
+  trap cleanup EXIT
+fi
+
+if [[ -n "$TEMP_STATE_DIR" ]]; then
+  export ACP_REGISTRY_STATE_DIR="${TEMP_STATE_DIR#"$ROOT"/}"
 fi
 
-exec "$SCRIPT_DIR/run-registry-docker.sh" "${ARGS[@]}" "$@"
+"$SCRIPT_DIR/run-registry-docker.sh" "${ARGS[@]}" "$@"