Proj/channel protocol (POC)

[ngduyanhece]

brv channel + bridge - multi-agent collaboration over a wire protocol

proj/channel-protocol → main. 204 commits. Lands the entire channel-protocol body of work for internal-test rollout.

Summary

• Problem: Each agentic CLI (Claude Code, codex, kimi, opencode, brv itself) lives in its own working directory with no way to address another agent as an @mention or share context across them. Cross-machine collaboration between teammates' agents is impossible.
• Why it matters: Two failure modes today: (1) Manual copy-paste of agent output between CLIs is the only way to combine them, breaks any agentic flow that wants to fan-out / quorum / second-opinion. (2) Teammates' agents have no shared transcript or way to ask each other questions — every cross-person agent interaction is a human relay.
• What changed: Full brv channel subsystem (Phases 1–5), agent-driven skill connector (Phase 8), cross-machine brv bridge over libp2p with TOFU identity (Phase 9 demo target + post-merge heartbeat hardening), agent quorum Tier 1 + 2 (Phase 10), transcript-storage migration. New brv bridge, brv trust, brv alias CLI surfaces. New bridge-config.json persistence. SDK packages @brv/agent-sdk (TS) + brv-agent (Py). Pi-extension SDK consumer.
• What did NOT change (scope boundary):
  • No web UI for channels — CLI / agent-driven only in this cut. Pi's web-UI design remains compatible if re-introduced later.
  • No native /channel:* slash commands in CLIs other than Pi. Other CLIs use the byterover skill to drive brv channel mention from their shell tool.
  • No libp2p kad-dht backend (Slice 9.6 interface only) — peers manually pinned via brv trust pin --multiaddr ....
  • No HTTP byterover-hosted registry client (Slice 9.7 interface only).
  • No libp2p AutoNAT / DCUtR / Circuit-Relay-v2 wiring (Slice 9.8 reachability classifier only) — Tailscale / same-LAN / public-IP works; raw double-NAT does not.
  • No /brv/parley/delegate/v1 wire handler (Slice 9.9 policy gate + startup warnings only) — cross-bridge agents can answer queries but cannot perform write actions on the dialer's behalf.
  • No browser-channel UI changes.

Type of change

• New feature
• Bug fix (heartbeat keep-alive, env-var persistence, cross-merge typecheck repair)
• Refactor (no behavior change)
• Documentation (INTERNAL_TEST.md, design + PHASES update)
• Test
• Chore (build, dependencies, CI)

Scope (select all touched areas)

• TUI / REPL (no v1 changes; channels are oclif-only)
• Agent / Tools (skill connector, byterover memory tools, ACP driver pool)
• LLM Providers (no provider-specific changes; provider-agnostic by design)
• Server / Daemon (channel orchestrator, parley server/client, libp2p host, bridge transcript service, auto-provision policy, bridge config store)
• Shared (constants, types, transport events) — new ChannelEvents, BridgeEvents, TrustEvents
• CLI Commands (oclif) — new topics: channel, bridge, trust, alias
• Hub / Connectors — new brv connectors install <agent> --type skill flow
• Cloud Sync
• CI/CD / Infra

Linked issues

• Closes: N/A — internal channel-protocol epic, no single tracking issue
• Related: plan/channel-protocol/DESIGN.md, plan/channel-protocol/PHASES.md, plan/channel-protocol/IMPLEMENTATION_PHASE_9_CLOUD_BRIDGE.md

Root cause

N/A — primarily new-feature work. The handful of bug fixes (heartbeat keep-alive, env-var persistence, channel-events test fixture lag) have their root causes documented in their individual commit messages.

Test plan

• Coverage added:
  • Unit test (9603+ tests passing; new tests under test/unit/server/infra/channel/bridge/ for: bridge-config-store, audit-parley-seal, parley-verifier, parley-server, parley-end-to-end, bridge-reachability, bridge-transcript-service, bridge-driver-pool, delegate-policy, peer-multiaddr-resolver, registry-client + nonce-lru, rate-limit)
  • Integration test (channel-phase{1..10}-* integration tests, cross-bridge end-to-end)
  • Manual verification — live two-daemon cross-bridge test on 2026-05-20: mario-team-v4, ctx-exchange-v2, bobs-side-v2 channels, multiple kimi/codex agents, round-trip queries + context-tree exchange, heartbeat verified across multi-minute idle gaps that previously triggered TRANSCRIPT_TERMINAL_MISSING
• Test file(s): 50+ new test files under test/{unit,integration}/; see commit-by-commit log for which slice each belongs to
• Key scenarios:
  • Single-machine multi-agent channel + fan-out
  • Cross-machine bridge: handshake, TOFU pin, signed parley round-trip, transcript persistence on both sides
  • Auto-provision policy (auto / pinned-only / deny)
  • Cancel mid-stream + permission flow
  • Heartbeat keep-alive during slow agent generators
  • Daemon respawn config persistence (NEW — eliminates the silent mock-echo degradation)

User-visible changes

New CLI surfaces:

• brv channel new|invite|mention|cancel|show|list|members|onboard|doctor|approve|deny|archive|leave (full Phases 1–5 surface)
• brv channel mention --mode sync --suppress-thoughts --json --timeout <ms> for agent-driven invocations (Phase 8)
• brv channel mention --quorum N for fan-out + agreement merging (Phase 10 Tier 1)
• brv bridge listen|whoami|pin|ping|verify for cross-machine peer setup
• brv trust pin|list|verify with --multiaddr + --alias flags
• brv alias add|list|remove for short-name routing
• brv connectors install <agent> --type skill writes byterover skill (.agents/skills/byterover/SKILL.md) into a project so the host LLM can drive brv channel mention from its shell tool

New persisted state:

• <dataDir>/identity/install.{key.enc,cert.json,master.key,peer-id} — L1 identity (auto-generated on first brv bridge whoami)
• <dataDir>/identity/tree-default.{key.enc,cert.json,master.key} — L2 peer-tree identity
• <dataDir>/identity/known-peers.jsonl — TOFU pin store (alias / peer-id / pin-state)
• <dataDir>/identity/aliases.json — local alias map
• <dataDir>/state/bridge-config.json — NEW persistent operator-prefs for BRV_BRIDGE_* env vars (survives daemon respawns)
• <projectRoot>/.brv/channel-history/<channelId>/turns/<turnId>.ndjson — channel transcript (Phase 9 storage migration; was under .brv/context-tree/channel/)

New behavioural defaults:

• BRV_BRIDGE_AUTO_PROVISION defaults to pinned-only (spec §7.3) — first-contact peers must be pinned via brv trust pin before they can dispatch into a channel
• BRV_BRIDGE_MAX_CONCURRENT_PER_PROFILE=1 per agent; excess inbound parleys reject with signed PARLEY_LOCAL_AGENT_BUSY
• BRV_BRIDGE_DELEGATE_POLICY=prompt default (mutating-tool wire is deferred so this is type-level only)
• Daemon emits heartbeat_ping every 10s during idle bridge streams so libp2p Yamux substreams don't time out on multi-minute LLM calls

Deprecated: none.

Breaking: none on main's existing CLI surface — channels are net-new commands. Internal: WaitForTaskOptions.timeoutMs was removed in main f14047cae; reconciled in the cross-merge against proj/byterover-tool-mode.

Evidence

• Failing test before / passing after: see commit 75b6c58b5 (heartbeat keep-alive) — added unit test that reliably fails on pre-fix code (cross-bridge tool-using turn dies with TRANSCRIPT_TERMINAL_MISSING after ~120s) and passes on post-fix code (heartbeats keep the substream alive indefinitely)
• Live cross-bridge transcript: Bridge-handshake completed in 4.3s, cross-tree exchange completed in 7.7–33.3s round-trip, design+engineering notes successfully exchanged between two daemons (mario-team-v4 + ctx-exchange-v2 + bobs-side-v2 channels) on 2026-05-20
• Daemon respawn persistence test: Live verified — kill daemon, respawn WITHOUT any BRV_BRIDGE_* env vars, daemon reads persisted <dataDir>/state/bridge-config.json and resumes with codex profile + auto provision + cap=3 instead of silently falling back to mock-echo + pinned-only. See INTERNAL_TEST.md §5.1 for the operational story
• Test summary: 9603 unit + integration passing, 26 pending (22 pre-existing + 4 newly-skipped orphans with rationale in each describe.skip comment), 0 failing

Checklist

• Tests added or updated and passing (npm test): 9603 passing, 26 pending, 0 failing
• Lint passes (npm run lint)
• Type check passes (npm run typecheck)
• Build succeeds (npm run build)
• Commits follow Conventional Commits format
• Documentation updated — plan/channel-protocol/DESIGN.md, plan/channel-protocol/PHASES.md, new INTERNAL_TEST.md at repo root
• No breaking changes (or clearly documented above)
• Branch is up to date with main — last main sync c897ee00f (Release 3.15.0 merged)

Risks and mitigations

• Risk: Operators set up the bridge on heterogeneous-NAT laptops and connections silently fail.
  • Mitigation: INTERNAL_TEST.md §3 recommends Tailscale upfront. brv channel doctor surfaces reachability (public / wildcard-unconfirmed / behind-nat-with-relay / loopback-only / unreachable) honestly. The libp2p AutoNAT/DCUtR/Circuit-Relay-v2 wire is explicitly deferred.
• Risk: Cross-bridge agents try to write to dialer's repo and get a confusing rejection.
  • Mitigation: INTERNAL_TEST.md §5 lists this as a known limitation. The delegate_policy startup log makes the unwired state visible. The error path returns a clear CHANNEL_AUTO_PROVISION_DECLINED or PARLEY_REJECTED rather than hanging.
• Risk: Peer's multiaddr rotates (laptop sleep/wake / network change) and the pinned entry breaks.
  • Mitigation: brv trust pin <peer-id> --multiaddr <new-addr> re-pins idempotently. brv channel doctor surfaces stale-cache state. DHT-driven multiaddr refresh ships in a follow-up slice (Phase 9.6 backend).
• Risk: Operator confused by env-var vs. persisted config precedence.
  • Mitigation: New bridge-config.json resolver logs [Daemon] Bridge config persisted to ... whenever env supplies a value that changes the file. Revert path documented in INTERNAL_TEST.md §5.1 (rm <dataDir>/state/bridge-config.json).
• Risk: 4 integration tests are describe.skipped — looks worse than it is on CI.
  • Mitigation: Each skip has a per-file rationale comment. 3 are pre-existing test-only orphans (BRV_FORCE_ORIGIN consumer never implemented; Phase 10 surface change made the multi-mention rejection assertion obsolete; channel-history storage migration made the cancel-ordering integration probe stale). The actual code paths these tested are covered by unit-level tests. None are Phase-9 regressions.

---

How to use it

A. Local multi-agent channel (single machine)

The basic flow. No network setup needed. Two terminals.

# One-time per agent type — probes its ACP install:
brv channel onboard codex -- codex-acp
brv channel onboard kimi -- kimi acp
brv channel onboard opencode -- opencode acp

# Create a channel + invite two local agents:
brv channel new code-review
brv channel invite code-review @codex --profile codex
brv channel invite code-review @kimi --profile kimi

# Address one agent:
brv channel mention code-review "@codex review src/foo.ts for null-safety bugs" \
  --mode sync --suppress-thoughts --json --timeout 300000

# Quorum across both (Phase 10):
brv channel mention code-review "@codex @kimi rate the diff: solid / risky / unsafe" \
  --quorum 2 --json

# Live tail any time:
brv channel watch code-review --from-tail 5
brv channel show code-review <turnId>
brv channel list-turns code-review --tail 10

Inside another agentic CLI (Claude Code, codex, kimi-cli, opencode, Pi) the host LLM calls these commands from its bash tool — install the byterover skill once per project and the LLM picks them up:

brv connectors install Codex --type skill           # or Claude Code / Cursor / Gemini CLI / etc.

After that the host agent reads .agents/skills/byterover/SKILL.md and learns to call brv channel mention --mode sync --suppress-thoughts --json whenever the user says "ask @Kimi to review this" or similar.

B. Cross-machine bridge (two laptops, two agents)

Prerequisite: both peers need a routable path to each other. Internal-test recommendation is Tailscale — install on every team member's laptop, join the same tailnet, every peer gets a stable IP that punches through every NAT. Free for ≤3 users; trivial setup. Bare-internet over heterogeneous NAT will NOT work in this cut (libp2p AutoNAT/DCUtR/Circuit-Relay-v2 are deferred).

# ─── Each peer (Alice + Bob) sets up the bridge ───
# In a shell rc (`~/.zshrc` / `~/.bashrc`), once:
export BRV_BRIDGE_PARLEY_PROFILE=codex     # the agent that answers parley calls; or kimi / opencode
export BRV_BRIDGE_AUTO_PROVISION=auto      # accept first-contact peers; switch to pinned-only after the team is up
export BRV_BRIDGE_MAX_CONCURRENT_PER_PROFILE=2

# Each peer: confirm bridge identity (auto-generates L1 + L2 keys on first run)
brv bridge whoami --format json
# {"data":{"multiaddrs":["/ip4/100.x.x.x/tcp/61234/p2p/12D3KooW..."], "peerId":"12D3KooW...", ...}}
# Share that multiaddr line with the other peer out-of-band (Slack, etc.)

# ─── Alice pins Bob (and Bob pins Alice) ───
brv trust pin <BOB-PEER-ID> --multiaddr <BOB-MULTIADDR> --alias bob
# verify:
brv trust list

# ─── Alice creates a channel and invites Bob as a remote peer ───
brv channel new team-review
brv channel invite team-review @alice --profile codex                                    # local member
brv channel invite team-review @bob --multiaddr <BOB-MULTIADDR> --peer <BOB-PEER-ID> --display-name "Bob"

# ─── Alice addresses Bob's agent across the bridge ───
brv channel mention team-review "@bob what's your team's preferred test runner? \
  Use your byterover skill (brv query) to consult your local context tree." \
  --mode sync --suppress-thoughts --json --timeout 300000
# → Bob's daemon receives the parley call, codex on Bob's side runs `brv query` against
#   Bob's `.brv/context-tree/`, replies inline with text. Alice sees the reply in
#   ~5–30s depending on agent latency.

# ─── Alice ingests Bob's reply into her own context tree ───
brv channel mention alice-local "@alice ingest Bob's reply under shared_from_bob/ using brv curate" \
  --mode sync --suppress-thoughts --json --timeout 300000
# → Alice's codex calls `brv curate` locally to persist the note.

# Verify with a search later:
brv search "test runner" --limit 5 --format json

That's the full cross-bridge loop. Two agents on different laptops exchange context via signed parley envelopes; both daemons persist the transcript; the receiver's context tree gains the shared knowledge.

C. What's the difference between brv channel and brv bridge?

• brv channel is the user-facing surface: create a channel, invite members (local or remote), mention them, see transcripts.
• brv bridge is the low-level libp2p surface: bring up your install's bridge identity, pin remote peers, ping them, verify TOFU promotions.

You almost always interact via brv channel and brv trust. brv bridge is for debugging (e.g. brv bridge whoami to share your multiaddr, brv bridge ping <peer-id> to test reachability).

---

What's left for a full-fledged release

Below is the list of follow-up slices that are NOT in this PR but are designed for and the next obvious work. Internal-test feedback will inform priority.

Within Phase 9 (cross-machine bridge) — 4 follow-up slices

These have interfaces + policy gates in this PR but no live backends:

1. Slice 9.6 — DHT-driven multiaddr resolution. Wire @libp2p/kad-dht into Libp2pHost, implement DhtPeerMultiaddrResolver, daemon publishes signed peer-record every announce interval. Replaces manual brv trust pin --multiaddr re-pinning when IPs rotate. Effort: ~1 week. Worth doing only if internal-test feedback says manual re-pinning hurts.
2. Slice 9.7 — HTTP byterover registry client. Implement HttpRegistryClient against BRV_REGISTRY_BASE_URL, allows handle-based peer discovery. Requires backend deployment (registry endpoint not yet hosted by ByteRover). Effort: ~1 week of CLI + backend infra outside this repo.
3. Slice 9.8 — libp2p NAT-traversal wiring. Enable autoNAT() + dcutr() + circuitRelayClient/Server() libp2p services in Libp2pHost. Ship default ByteRover-hosted relay multiaddrs. Effort: ~3–5 days CLI + ops work to deploy relays. Likely unnecessary if teams adopt Tailscale; track internal-test feedback before committing.
4. Slice 9.9 — /brv/parley/delegate/v1 wire protocol handler. Today: policy gate (delegate_policy: auto / prompt / deny) is enforced at the type level + logged at daemon startup, but the actual cross-bridge permission_request → permission_decision wire is unimplemented. Implementing this enables Alice asking Bob's agent to write to Bob's repo with cross-bridge consent. Effort: ~1 week. High-value if team's flagship use case is cross-machine delegation.

Within Phase 7 (native CLI integrations) — upstream-gated

• 7.1b — kimi-cli upstream PR (native /channel:* slash command). Effort: ~200–500 LOC; merge timeline depends on Moonshot maintainers.
• 7.2 — claude-code native integration. Effort: similar; depends on Anthropic.
• 7.3 — opencode native integration. Same shape; depends on opencode maintainers.

These work without us — the skill connector in this PR (brv connectors install <agent> --type skill) makes every ACP-speaking CLI usable via shell-tool calls. Native slash commands are quality-of-life, not load-bearing.

Within Phase 8 (agent-driven channel) — upstream-async

• 8.3 — upstream skill distribution. Currently the skill ships from this repo; longer-term distribution channels (Anthropic skills registry, etc.) are async.

Pre-existing tech debt outside Phase 9 scope

• 3 integration tests skipped with rationale (channel-phase{2,3}-* reference orphan code paths like BRV_FORCE_ORIGIN that were never implemented, or test against the pre-storage-migration layout). Implement the missing consumer side OR delete the tests in a small follow-up PR.
• No brv channel kick @<handle> / member-remove command. Today a multiaddr/port change forces creating a new channel. Effort: ~half day. Worth doing soon if teams cycle multiaddrs frequently.
• Heartbeat counter metric for prod observability (kimi sign-off note, non-blocking).

Out of scope but tracked for v1.1+

• @everyone / @all semantics in channel mentions
• Per-channel ACLs
• Threaded sub-conversations within a channel
• Account-abstracted cross-channel identity ("same @kimi-cli across all channels")
• Web UI for channels (Pi's design remains compatible)
• Web-UI permission prompts (CLI is the only consent surface in this cut)

Out of scope indefinitely

• Cross-CA federation (v1 trusts one CA root; multi-org bridging is v2)
• End-to-end channel-content encryption at rest
• Strong cross-machine consistency (transcripts are append-only by author; eventual consistency is the contract)
• Group-chat semantics across channels
• Claude Managed Agents driver class C-prime runtime (schema-only in v1)

[github-actions]

nit (robustness): accessSync(candidate, constants.X_OK) returns success for directories that happen to be executable (which most directories are on POSIX). If a user has a directory named brv on their PATH ahead of the real binary, resolveBrvBin will happily bake the directory path into SKILL.md, and every shell invocation from the LLM will then fail with EACCES / is a directory.

Cheap fix:

const stat = statSync(candidate, {throwIfNoEntry: false})
if (stat && stat.isFile() && (stat.mode & 0o111)) return candidate

Same fileset already imports existsSync from node:fs, so adding statSync is a one-line change.

[github-actions]

threat-model (security, important to document): This dispatcher hands Alice's envelope.prompt directly to Bob's local ACP subprocess (codex/kimi/opencode) as a normal turn. Whatever tools that agent has access to in Bob's environment, Alice can drive via the prompt. The agent's system prompt + tool gating is the only thing between Alice and Bob's local filesystem / shell.

This is by design (the PR description acknowledges read-only is the intent for query protocol), but two concrete gaps in the current code:

1. No protocol: 'query' vs 'delegate' enforcement. The verifier at parley-verifier.ts:150 only checks acceptModes for the tree-cert kind; it does not gate on envelope.protocol. A dialer who sends protocol: 'delegate' will reach this generator and Bob's agent will be prompted the same way — with full tool access. delegate-policy.ts's policyPermitsDelegation is exported but parley-server.ts doesn't call it.

2. Prompt-injection of Bob's agent. Even with intent of "read-only Q&A", a sufficiently capable agent given a prompt like "use brv curate to commit the following file" will happily do it. Unless Bob's profile passes restricted-tool flags to the ACP subprocess, the agent retains its normal capability set.

Neither is a blocker for an internal-test rollout (operators are setting BRV_BRIDGE_PARLEY_PROFILE themselves and consenting), but INTERNAL_TEST.md §5 should call out the trust model more loudly than "cross-bridge agents can answer queries but cannot perform write actions on the dialer's behalf" — the constraint is "Bob's agent runs Alice's prompts in Bob's environment with Bob's tools", which is a much stronger claim than "read-only Q&A".

Recommend (for a follow-up, not this PR): wire policyPermitsDelegation at parley-server.ts:114 between the verifier and the auto-provision check, so delegate_policy: 'deny' short-circuits today, and prompt becomes the wire-handler hook later.

[github-actions]

nit (correctness): buildRawResponse overwrites the original result.response.usage (if present) with the synthetic usage block, because of object-spread ordering:

return {
  ...responseObj,           // may contain `usage` from upstream
  providerMetadata: ...,
  usage,                    // wins
}

That's the intended behaviour here — extractUsage is built around the AI-SDK-normalized field names — but if any direct-provider adapter ever passes rawResponse: result.response and the SDK upstream starts including its own usage block, the synthetic block will silently mask the upstream one. Adding a brief comment ("synthetic usage intentionally shadows any upstream usage") would make the intent explicit and survive a future refactor.

Also: Number.isFinite check in readAnthropicCacheCreation rejects negative numbers — desired — but it also rejects 0. A cacheCreationInputTokens: 0 would be silently dropped, leaving the synthetic block without the field. If telemetry consumers distinguish "0 cache-creation tokens" from "unknown", you'll lose that distinction. Minor.

[github-actions]

Claude finished @ngduyanhece's task in 2m 27s —— View job

---

Re-review — Channel + Bridge protocol (synchronize, 2026-05-22 push)

Overall: 4 / 5 (unchanged from 2026-05-20). Scope of this re-review is narrow: only one substantive commit landed since the previous pass.

• Identify commits added since previous review
• Diff the new commits against the prior review point
• Verify the previous round of inline findings — were any addressed?
• Spot-check new code (persistent bridge-config, INTERNAL_TEST.md, uninvite)
• Post final summary + any new inline findings

---

Diff since the 2026-05-20 13:17 UTC review

Only one substantive commit landed after the prior review wall-clock:

SHA	Change
a851f620	Expand brv channel uninvite description + examples; update INTERNAL_TEST.md §5.1 with the stale-multiaddr recovery workflow; delete the BRV_FORCE_ORIGIN orphan integration test; add 6 contract tests for uninvite.

(c897ee00 is a clean Release 3.15.0 merge from main; 975a83d7 predates the prior review wall-clock by ~2 hours and was already in scope.)

Total delta: 4 files, +57 / -54.

What's good in this delta

• Orphan test deletion is correct and complete. Confirmed independently — grep -rn BRV_FORCE_ORIGIN src/ test/ returns zero hits after the delete. Replacing a describe.skip with a real delete is the right call when the consumer was never wired; the skip-with-rationale framing in 975a83d7 was less honest.
• uninvite description expansion is operator-load-bearing. The old one-line "Remove an agent member from a channel (Phase 2)" hid the most important property: that this is a clean stop (cancels in-flight deliveries, releases the warm driver). For a team about to dogfood multiaddr-rotation on day one, this is exactly the right place to surface the semantics — the host LLM reads --help output via the skill.
• INTERNAL_TEST.md §5.1 update replaces the "no kick command yet" admonition with the actual uninvite + invite recovery sequence. Good operator UX.
• 6 contract tests are appropriately defensive against silent regression of the host-LLM-facing surface (description / examples / args / flags).

New inline finding (1)

• test/commands/channel/uninvite.test.ts:43-50 — Test name promises runtime rejection coverage but the assertion only checks that the arg's description string contains @. The actual this.error(...) rejection at uninvite.ts:30-32 has no coverage. Suggest either renaming the test to match what it asserts, or adding a real runtime case. Non-blocking.

Prior-round findings — status

None of the 9 files flagged in the 2026-05-20 review were modified by a851f620. All prior findings still apply as written:

• install-identity-service.ts:56 — master key colocated with encrypted key (threat-model doc gap) — still open
• identity-client.ts:507 — NFC normalisation only on writer side — still open
• parley-nonce-lru.ts:31 / parley-rate-limit.ts:51 — outer per-sender Map unbounded — still open
• process-lock.ts:52 — comment says "recurse" but code doesn't — still open
• alias-store.ts:198 — non-unique tmp path — still open
• discovery.py:80 — isinstance(port, int) accepts bool — still open
• channel-skill/install-lib.js:105 — accessSync(X_OK) accepts directories — still open
• local-agent-response-generator.ts:127 — delegate-policy gate not wired; threat-model documentation gap — still open (acknowledged in the PR body's "Slice 9.9" deferral)
• ai-sdk-content-generator.ts:390 — synthetic usage masks upstream — still open

This is consistent with the PR's "internal-test cut, follow-ups tracked" framing — the deferred slices (9.6 / 9.7 / 9.8 / 9.9) and the open robustness nits are explicitly out-of-scope for this ship. The earlier review's score (4 / 5) stands.

Verdict for this push

LGTM-incremental. The a851f620 commit is small, focused, and addresses a real operator-UX gap surfaced during live cross-bridge testing. The one inline nit on the test naming is a polish item, not a blocker.
· branch

[github-actions]

nit (test/code drift): The test name promises runtime behaviour ("rejects non-@-prefixed values via run-time validation") but the assertion only checks that the arg's description string contains @. The actual rejection at uninvite.ts:30-32 (if (!args.handle.startsWith('@')) { this.error(...) }) has no coverage from this suite.

Either:

1. Rename the test to match what it asserts — e.g. 'documents the @-prefix requirement in the handle arg description', or
2. Add a second case that actually exercises the rejection (oclif's Command.run is awaitable; the existing chai-only setup makes this a few-line addition):

it('rejects non-@-prefixed handles at runtime with exit code 1', async () => {
  try {
    await ChannelUninvite.run(['some-channel', 'bob'])
    expect.fail('expected ChannelUninvite to reject a bare handle')
  } catch (error) {
    expect((error as Error).message).to.match(/must start with @/i)
  }
})

Not blocking — the static contract tests are useful — but a test whose name doesn't match its assertion will mislead the next person who greps for "@-prefix" expecting to find the live coverage.

[github-actions]

Claude finished @ngduyanhece's task in 2m 57s —— View job

---

Re-review — Channel + Bridge protocol (synchronize, 2026-05-22 15:17 UTC push)

Overall: 4 / 5 (unchanged from prior reviews). Scope is narrow: one substantive commit since the previous wall-clock.

• Identify commits added since prior review
• Diff the new commits
• Spot-check new code (BRV_BRIDGE_LISTEN_ADDRS wiring)
• Post inline findings
• Post final summary + score

---

Diff since the 2026-05-22 14:08 UTC review

SHA

Change

d5c1e14f

Add BRV_BRIDGE_LISTEN_ADDRS env var (comma-separated multiaddrs), threaded through bridge-config-store.ts and applied to the daemon-integrated libp2p host so a remote peer can actually reach Bob's bridge. Closes a real gap — the previous default of /ip4/127.0.0.1/tcp/0 made the daemon-integrated bridge effectively single-machine-only. INTERNAL_TEST.md §3.1 updated with the Tailscale story. 5 new unit tests.

Total delta: 4 files, +140 / -12.

What's good in this delta

• The core fix is correct and load-bearing. Without this, the "real cross-machine bridge" claim in the PR title was true only for the standalone brv bridge listen path (which doesn't share the daemon's transcript store) — the daemon-integrated bridge silently bound to loopback. The commit message explains the live-test discovery (GCP VM ↔ laptop over Tailscale, ECONNREFUSED) honestly.
• Reuses the same resolver scaffolding that already persists BRV_BRIDGE_PARLEY_PROFILE etc., so a respawn without env vars inherits the operator's listen_addrs from bridge-config.json. That's the right shape — env > file > built-in default — and the relocation of resolveBridgeRuntimeConfig to before host construction (with the explanatory comment at brv-server.ts:904-910) is well-motivated and visible.
• Defensive copy on persist (overlay.listenAddrs = [...args.env.listenAddrs] at line 208) — small but worth noting.
• 5 new tests exercise comma-list parsing (incl. whitespace + empty entries), undefined fallback, file-only respawn recovery, and env-overrides-file precedence. Coverage matches the addition.
• Documentation update in INTERNAL_TEST.md §3.1 covers both the 0.0.0.0 (any-interface) and 100.x.x.x (Tailscale-pinned) recipes.

New inline finding (1)

• src/server/infra/channel/bridge/bridge-config-store.ts:37 — listenAddrs: z.array(z.string().min(1)) skips the multiaddr() refinement that the canonical BridgeConfigSchema (bridge-config.ts:11-16,63) deliberately added so libp2p's opaque runtime error becomes a useful parse-time error. The literal-spread at brv-server.ts:916-920 also bypasses parseBridgeConfig, so a malformed BRV_BRIDGE_LISTEN_ADDRS=:60001 gets persisted and then trips the next respawn too. Either validate the multiaddr at the resolver (preferred — also blocks persisting bad state) or route the constructed config through parseBridgeConfig. Non-blocking for the internal-test cut.

Minor / not inlined

• Log-prefix inconsistency — the new line log(\Bridge listen_addrs: ${...}`)atbrv-server.ts:922drops the[Daemon] prefix that every other bridge-startup log in the same block uses (Bridge auto-provision policy: ..., Bridge parley dispatcher: ...). Note that the prefix-less logs are the dominant pattern further down — but the new line sits between persistence + host-start where [Daemon]` is in scope. Cosmetic.
• Security ergonomics in INTERNAL_TEST.md §3.1 — binding /ip4/0.0.0.0/tcp/60001 exposes the bridge on every interface, including the public WAN if the machine has a public IP and no firewall. The TOFU + BRV_BRIDGE_AUTO_PROVISION policy is the real security boundary, but for operators copy-pasting the doc snippet onto a GCP VM, a one-line warning ("0.0.0.0 listens on every interface — pin to the Tailscale IP if your VM has a public address and AUTO_PROVISION=auto") would prevent the operator from accidentally opening a global TOFU-trust window during internal-test.

Prior-round findings — status

d5c1e14f did not touch any of the files flagged in the 2026-05-20 review. All 9 prior findings still open as written and remain consistent with the PR's "internal-test cut, follow-ups tracked" framing — see earlier review summary above.

Verdict for this push

LGTM-incremental. d5c1e14f closes a real cross-machine gap that the PR title implicitly promised. The one inline finding (multiaddr validation parity) is a defensive polish item, not a ship blocker.
· branch

[github-actions]

issue (validation gap, low-medium): This new listenAddrs field is validated as z.array(z.string().min(1)) — i.e. "non-empty strings" only. The canonical BridgeConfigSchema at src/server/infra/channel/bridge/bridge-config.ts:11-16,63 deliberately uses a multiaddrString refinement that calls multiaddr(s) so a malformed value fails at parse time, with the explicit rationale ("Libp2p rejects invalid multiaddrs at runtime with opaque errors; failing at config-parse time gives the user a useful pointer").

The new wiring at brv-server.ts:916-920 constructs the live config with a literal-object spread:

const bridgeListenConfig: typeof DEFAULT_BRIDGE_CONFIG =
  bridgeRuntime.listenAddrs === undefined
    ? DEFAULT_BRIDGE_CONFIG
    : {...DEFAULT_BRIDGE_CONFIG, listen_addrs: [...bridgeRuntime.listenAddrs]}

so the canonical schema's refinement never runs on the env-supplied multiaddrs. End state: an operator who sets BRV_BRIDGE_LISTEN_ADDRS=:60001 (forgetting the /ip4/.../tcp/ prefix), or BRV_BRIDGE_LISTEN_ADDRS=/ip4/0.0.0.0/tcp/60001/extra-junk, gets the value persisted to bridge-config.json, and the first lazy ensureBridgeHost call dies inside createLibp2p({addresses: {listen: [...]}}) (libp2p-host.ts:304) with the exact opaque error the refinement was meant to prevent. The persisted bad value will keep tripping the next daemon respawn too.

Two reasonable fixes — either is fine:

1. Validate at the resolver — reuse the same refinement here:

   import {multiaddr} from '@multiformats/multiaddr'
   const multiaddrString = z.string().refine((s) => {
     try { multiaddr(s); return true } catch { return false }
   })
   // …
   listenAddrs: z.array(multiaddrString).min(1).optional(),

   And in readCommaListEnv (or a new readMultiaddrListEnv), validate per-entry with an onInvalid callback that logs the same [Daemon] invalid BRV_BRIDGE_LISTEN_ADDRS="..." shape the other env readers use, so a bad input is rejected at resolve time rather than persisted.

2. Route through parseBridgeConfig at construction — parseBridgeConfig({...DEFAULT_BRIDGE_CONFIG, listen_addrs: [...]}) would trigger the canonical refinement and throw with a clear Zod error, which ensureBridgeHost already has to catch anyway.

(1) is preferable because it ALSO prevents bad values from being persisted to disk in the first place, which closes the "stuck on a bad config across respawns" failure mode.

Non-blocking for the internal-test ship — operators of this PR are technical and will figure out the multiaddr shape. But the friendlier error path is cheap.

[github-actions]

Claude finished @ngduyanhece's task in 6m 17s —— View job

---

Re-review — Channel + Bridge protocol (synchronize, 2026-05-23 10:34 UTC push)

Overall: 4 / 5 (unchanged). The Phase 9.5 work is substantial (+5500 / -209 across 42 files, codex-reviewed across 7 rounds), well-tested, and structurally sound. New findings are robustness/threat-model documentation gaps, not blockers.

• Identify commits added since prior review
• Diff the new commits
• Spot-check new code (Claude Code adapter, adapter registry, session store, auto-create quota, bridge-connect, multiaddr classifier, parley-server integration, daemon respawn rebind)
• Post inline findings (5 new buffered)
• Post final summary + score

---

Diff since 2026-05-22 15:17 UTC

Two commits, only one substantive:

SHA	Change
21f8dbf2	Phase 9.5 — parley adapter abstraction. ParleyAdapter interface + InMemoryParleyAdapterRegistry; MockEchoAdapter + AcpAdapter wrappers of existing logic; ClaudeCodeHeadlessAdapter that spawns claude -p --dangerously-skip-permissions (gated behind BRV_BRIDGE_CLAUDE_UNSAFE=1); ProfileConcurrencyGate semaphore; ParleyAdapterSessionStore (0600, atomic write, in-process mutex); auto-create trust gate (user-confirmed / ca-bound only); per-peer sliding 1h quota; shared channelId regex validator; brv bridge connect one-command setup; brv bridge pin --verify shortcut; brv bridge whoami annotates multiaddrs with kind (loopback/lan/tailscale/wan) + iface; bridge listener rebound on daemon respawn. Deletes local-agent-response-generator.ts.
21437c58	Docs only — plan/bridge-smoothness/PLAN.md + docs/channel-events.md.

Total delta: +5542 / -209 across 42 files.

What's good

• Adapter abstraction is well-shaped. Strict resolution at startup (explicit profile that doesn't resolve → ParleyAdapterNotFoundError, not silent mock-echo fallback) is the right call; the prior pattern of "config typo → silent echo on a live bridge" was exactly the kind of failure that's hard to spot. Per-profile hint table on the error class makes the error self-documenting.
• warm() fail-fast at startup for claude-code — operator learns at daemon boot, not on the first verified peer's first parley call.
• Abort plumbing is now real — requestAbortController fires on success/error/cancel/heartbeat-send-failure/stream-write-failure. Post-acquire and pre-spawn abort checks in ClaudeCodeHeadlessAdapter.runOnce prevent the queued-abort race (codex round-4 finding). child.kill('SIGTERM') is wired through addEventListener('abort', onAbort, {once: true}) with matching removeEventListener in finally.
• Session store discipline. Composite key (projectRoot \0 channelId \0 senderPeerId \0 adapterProfile) uses the verified senderPeerId from the Noise handshake, not the spoofable display_handle. 0600 perms set on write + reasserted via ensurePermissions(). Schema-validated on read with empty-fallback. gc() prunes entries for unknown channelIds.
• Auto-create trust gate in BridgeTranscriptService.beginTurn requires user-confirmed or ca-bound for NEW channels — auto-tofu first-contact peers can still answer queries on existing channels but can't seed arbitrary new channelIds on Bob. The reason-string surfaces a clear operator hint (run brv bridge verify <peer>) that travels back to the dialer.
• Daemon respawn rebind (hasBridgePersistedState) is gated to "operator has actually used the bridge" rather than firing the libp2p startup cost on every fresh install.
• Concurrency gate semantics are correct — fast/slow path symmetric, inFlight increment before resolving the next waiter prevents overcommitment.
• Test coverage matches the addition — claude-code-headless-adapter.test.ts is 594 lines; parley-adapter-registry.test.ts is 378; bridge-connect.test.ts is 279; bridge-auto-create.test.ts is 286. Net +77 tests since phase start.

New inline findings (5 buffered)

1. claude-code-headless-adapter.ts:207 — env: process.env passthrough leaks daemon environment (potential BRV_API_KEY, BRV_BILLING_*, shell secrets) to a subprocess running with --dangerously-skip-permissions. A user-confirmed peer can read everything Claude can read. Threat model is the same as the prior local-agent-response-generator.ts finding, but the consequence is higher now that we're spawning --dangerously-skip-permissions. INTERNAL_TEST.md §5 should call this out explicitly. Mitigation: env allowlist before spawn.
2. auto-create-quota.ts:53 — windows: Map<string, number[]> is unbounded, same shape as the prior parley-nonce-lru.ts:31 / parley-rate-limit.ts:51 findings. reset() only fires on operator-side channel uninvite; ordinary churn doesn't prune. Cheap fix: periodic sweep or LRU cap.
3. parley-adapter-session-store.ts:126 — ${filePath}.tmp non-unique tmp path, same shape as the prior alias-store.ts:198 finding. install-identity-service.ts:427 already has the pid+random pattern; extracting a shared atomicWrite() helper would close the family.
4. claude-code-headless-adapter.ts:357-361 — flushStdoutBuffer is called inside the exit case before break; items it enqueues are never yielded. Speculative against a claude version that ever omits a trailing newline on the final event; harmless in practice today.
5. claude-code-headless-adapter.ts:18-20 — file-level invocation comment shows --cwd <projectRoot> in argv, but buildSpawnArgs doesn't emit it (cwd is set via spawn options at line 206). Doc/code drift.

Prior-round findings — status

21f8dbf2 did not touch any of the files flagged in earlier reviews. All 9 prior findings still open as written:

• install-identity-service.ts:56 (master-key colocation) — still open
• identity-client.ts:507 (NFC normalization only on writer side) — still open
• parley-nonce-lru.ts:31 + parley-rate-limit.ts:51 (unbounded outer Map) — still open, now joined by auto-create-quota.ts:53
• process-lock.ts:52 (comment says "recurse" but code doesn't) — still open
• alias-store.ts:198 (non-unique tmp path) — still open, now joined by parley-adapter-session-store.ts:126
• discovery.py:80 (isinstance(port, int) accepts bool) — still open
• channel-skill/install-lib.js:105 (accessSync(X_OK) accepts directories) — still open
• local-agent-response-generator.ts:127 (delegate-policy gate not wired) — file deleted; the threat-model gap MOVES to claude-code-headless-adapter.ts and is sharper (--dangerously-skip-permissions)
• ai-sdk-content-generator.ts:390 (synthetic usage masks upstream) — still open
• bridge-config-store.ts:37 (listenAddrs not multiaddr-refined) — still open

This is consistent with the PR's "internal-test cut, follow-ups tracked" framing.

Verdict for this push

LGTM-incremental. Phase 9.5 closes the operator-UX gaps surfaced during the 2026-05-22 live test (silent-drop on respawn, mock-echo confusion on bad profile, 4-step setup ceremony, auto-create from unverified peers). The Claude Code adapter is the largest new surface and deserves its UNSAFE gate + explicit operator opt-in; the env-passthrough threat-model gap is documented above.
· branch

[github-actions]

issue (security, medium — BRV_BRIDGE_CLAUDE_UNSAFE=1-gated path): the child Claude process inherits the entire daemon environment, including any BRV_API_KEY, BRV_BILLING_*, ANTHROPIC_*, or shell secrets that happen to be set. With --dangerously-skip-permissions the agent has full Bash/Read/Write access, so a verified peer can issue prompts like "print every env var with API or KEY in the name" and exfiltrate them.

The file-level comment ("Operators should run this only on a dedicated VM or sandbox") frames this as an op concern, but the threat model is sharper than that wording suggests: user-confirmed peers can read everything the daemon could read, not just whatever the operator put in projectRoot. That's the same gap the prior round flagged on local-agent-response-generator.ts — except deletion of the legacy generator means the surface is now --dangerously-skip-permissions rather than read-only-ish text streaming.

Concrete mitigation for follow-up: filter to an explicit allowlist (PATH, HOME, USER, LANG, TERM, ANTHROPIC_API_KEY if present, and a curated BRV_* subset) before spawn:

const childEnv: NodeJS.ProcessEnv = {
  HOME: process.env.HOME,
  PATH: process.env.PATH,
  USER: process.env.USER,
  ...pickAnthropicEnv(process.env), // ANTHROPIC_API_KEY etc.
}

Non-blocking for the internal-test cut (the entire adapter is opt-in), but INTERNAL_TEST.md §5 should call out the env-passthrough explicitly so operators don't enable BRV_BRIDGE_CLAUDE_UNSAFE=1 on a laptop with their personal credentials in ~/.zshrc.

[github-actions]

issue (resource, low — same shape as prior parley-nonce-lru.ts:31 / parley-rate-limit.ts:51 findings): windows: Map<string, number[]> has no global cap. A user-confirmed peer (or, post auto-trust changes, a malicious entity that has reached user-confirmed via the verify step) can attempt auto-creates from many cycled identities — the inner prunedWindow filter discards old timestamps on access, but the outer windows.set(peerId, current) call grows the map without bound. current.length === 0 arrays accumulate too — once a peer is past their 1h window, prunedWindow returns [] but the entry is still in the map; only reset() (called on channel uninvite) ever deletes.

Two cheap fixes:

1. After prunedWindow, if current.length === 0 AND the new push would be the only entry, fine — but periodically iterate windows, prune each entry, and drop empties.
2. Cap windows.size and LRU-evict the oldest entry.

Same structural concern still applies to parley-nonce-lru.ts and parley-rate-limit.ts from the prior round — a shared cap/sweep policy across all three would close the family.

Non-blocking for internal-test (the actual memory cost per entry is small), but worth tracking.

[github-actions]

nit (consistency, same shape as prior alias-store.ts:198 finding): const tmp = \${filePath}.tmp`is a non-unique tmp path. The in-process write mutex serialises mutations from this daemon, but two daemon instances (a stale process from a crash + a freshly-spawned replacement during the briefrespawn-rebind` window) would race on the same path and silently overwrite each other's in-flight tmp.

install-identity-service.ts:427 already uses the pid+random pattern:

const tmp = `${target}.tmp.${process.pid}.${randomBytes(4).toString('hex')}`

Replicating that pattern here (and extracting an atomicWrite() helper that both call) would close the prior round's finding and prevent the same pattern from spreading further. Non-blocking, polish.

[github-actions]

nit (robustness, low): flushStdoutBuffer(stdoutBuffer, processEvent) is called inside the exit branch immediately before break. Any items processEvent enqueues during the flush (a trailing result event without a trailing newline, e.g.) are added to the queue but the loop exits without yielding/handling them.

In practice claude's stream-json emits newlines after every event, so this is unlikely to bite. But if it does, the symptom is "subprocess exited without a result event" → ADAPTER_SUBPROCESS_FAILED thrown, and the session ID from the trailing system_init is lost. Specifically, the success-path resultSessionId assignment at line 354 never fires.

Two fixes — either is fine:

1. Drain the queue after flush:

   } else if (item.kind === 'exit') {
     flushStdoutBuffer(stdoutBuffer, processEvent)
     while (queue.length > 0) {
       const drained = queue.shift()
       if (drained?.kind === 'result_success') {
         resultReceived = true
         resultSessionId = drained.newSessionId
       } else if (drained?.kind === 'result_error') {
         resultError = true
       }
     }
     break
   }

2. Run flushStdoutBuffer BEFORE the close handler enqueues exit (move into close handler before enqueue), so the items go onto the queue in order.

Non-blocking — speculative against a claude version that ever omits a trailing newline.

[github-actions]

nit (doc/code drift): The file-level invocation comment shows:

claude -p --output-format stream-json --dangerously-skip-permissions \
  --cwd <projectRoot> [--resume <sessionId>]

…but buildSpawnArgs (line 429–441) does not emit --cwd. The actual cwd is set via the spawn options bag at line 206 (cwd: ctx.projectRoot). The two paths converge to the same result in practice, but the comment will mislead the next reviewer who tries to grep for --cwd in the args.

Suggest just dropping the --cwd snippet from the comment, or adding "(set via spawn options, not argv)" inline.

[github-actions]

nit (operator UX, low): When BRV_BRIDGE_CLAUDE_UNSAFE=1 is set but sessionStore or concurrencyGate is missing, the code logs a warning and continues without registering the adapter. If BRV_BRIDGE_PARLEY_PROFILE=claude-code is ALSO set, the strict-resolution path at brv-server.ts:1025-1027 will then throw ParleyAdapterNotFoundError with Available: ["mock-echo", ...] — and the operator sees "the env flag I set didn't take effect" without an obvious clue that the cause was the upstream wiring rather than their flag.

The PROFILE_HINTS['claude-code'] table tells them to set BRV_BRIDGE_CLAUDE_UNSAFE=1, but if they ALREADY did and it still didn't register, the hint is misleading.

Cheap fix: in this branch, also throw (or surface a second hint line) so the operator learns the registration failed despite the env flag. The current "log + continue" pattern is fine when daemon-wide registration is a soft-fail concern, but for an explicitly-requested profile with an explicitly-set unsafe flag, the wiring being broken should fail loud.

Non-blocking. In practice the daemon's own DI wiring at brv-server.ts:980-994 always provides both deps when the env flag is set, so the branch is effectively unreachable today — but it would silently misbehave if future wiring drift drops one of them.

[github-actions]

Claude finished @ngduyanhece's task in 2m 28s —— View job

---

Re-review — Channel + Bridge protocol (synchronize, 2026-05-23 11:01 UTC push)

Overall: 4 / 5 (unchanged from prior reviews). Scope of this re-review is narrow: one substantive commit since the previous pass.

• Identify commits added since prior review (2026-05-23 10:34 UTC)
• Diff the new commits
• Spot-check new code (--verbose argv, stderr collection, claim that --verbose doesn't affect stdout)
• Post inline findings (3 new buffered)
• Post final summary + score

---

Diff since 2026-05-23 10:34 UTC review

Only one substantive commit landed:

SHA	Change
1e23de6c	ClaudeCodeHeadlessAdapter.buildSpawnArgs now passes --verbose alongside --output-format stream-json. Required by Claude Code 2.x; without it every cross-bridge mention into a Claude-driven peer dies with ADAPTER_SUBPROCESS_FAILED: ... Error: When using --print, --output-format=stream-json requires --verbose. Live two-machine test (laptop → VM, 2026-05-23) surfaced it.

Total delta: 1 file, +6 / -0.

What's good in this delta

• The fix is correct and well-anchored. Claude Code 2.x explicitly requires --verbose with --print --output-format stream-json — the addition is the minimum-viable spawnargs change, with a justification comment that survives future "argv cleanup" refactors.
• Commit message documents the root cause completely — exact stderr error string, version requirement, and the load-bearing claim that --verbose only adds stderr noise (not stdout parsing risk). That last claim is correct: Claude Code's stream-json output format means structured events still emit one-per-line on stdout regardless of --verbose.
• Tight blast radius — only the live cross-bridge Claude path needs this; the mock-echo and ACP adapter paths are unaffected.

New inline findings (3 buffered)

1. claude-code-headless-adapter.ts:439 — no unit test asserts --verbose is in the spawnargs. A trivial argv-capture assertion would prevent the next "discovered via remote VM" rediscovery if someone reorders / drops the line during a future refactor.
2. claude-code-headless-adapter.ts:229 — stderrChunks accumulates unbounded for the lifetime of the turn, but only the last 500 chars are ever read. With --verbose now adding stderr noise on every turn, this becomes a small per-turn memory tax that's trivial to bound to a rolling 4KB tail.
3. claude-code-headless-adapter.ts:20 — file-level invocation comment now drifts in two ways: doesn't show --verbose (added in this commit), still shows --cwd <projectRoot> which buildSpawnArgs doesn't emit (cwd is set via spawn options; this was flagged in the prior round too). Comment is becoming actively misleading.

Prior-round findings — status

1e23de6c did not touch any of the files flagged in earlier reviews. All 9 prior-round findings still open as written:

• install-identity-service.ts:56 (master-key colocation) — still open
• identity-client.ts:507 (NFC normalization only on writer side) — still open
• parley-nonce-lru.ts:31 + parley-rate-limit.ts:51 + auto-create-quota.ts:53 (unbounded outer Map family) — still open
• process-lock.ts:52 (comment says "recurse" but code doesn't) — still open
• alias-store.ts:198 + parley-adapter-session-store.ts:126 (non-unique tmp path) — still open
• discovery.py:80 (isinstance(port, int) accepts bool) — still open
• channel-skill/install-lib.js:105 (accessSync(X_OK) accepts directories) — still open
• claude-code-headless-adapter.ts:207 (env-passthrough to --dangerously-skip-permissions subprocess) — still open
• claude-code-headless-adapter.ts:357-361 (flushStdoutBuffer race on exit) — still open
• bridge-config-store.ts:37 (listenAddrs not multiaddr-refined) — still open

This is consistent with the PR's "internal-test cut, follow-ups tracked" framing.

Verdict for this push

LGTM-incremental. 1e23de6c closes a real CLI-compatibility gap that broke every cross-bridge Claude turn in the wild. The fix is one of the cleanest possible — six lines, the five-line justification comment carrying the why, and a structural reason (Claude Code 2.x interface contract) that's unlikely to need future re-evaluation. The three inline findings are polish items: test coverage parity, a small per-turn memory bound, and doc/code drift on the file-level comment. None are ship blockers.
· branch

[github-actions]

nit (test coverage, low): the --verbose addition is the kind of one-line ordering tweak that silently breaks the live cross-bridge path if anyone refactors buildSpawnArgs later (e.g. an "argv reorder for readability" PR that drops a line). The live integration path tested it the hard way on 2026-05-23 (ADAPTER_SUBPROCESS_FAILED: ... requires --verbose); a one-line unit assertion would prevent the next round of "discovered via remote VM failure".

Existing claude-code-headless-adapter.test.ts already builds FakeChild + a spawn() factory — adding an args capture is trivial:

it('passes --verbose with --output-format stream-json (Claude Code 2.x compat)', () => {
  let capturedArgs: string[] = []
  // spawn factory: spawn: (_bin, args) => { capturedArgs = args; return child }
  // … drive one turn …
  expect(capturedArgs).to.include('--verbose')
  expect(capturedArgs).to.include('-p')
  expect(capturedArgs).to.include('stream-json')
})

Non-blocking; the live-test catch is documented and the fix is correct.

[github-actions]

nit (resource, low — surfaced by the --verbose addition): stderrChunks: string[] grows unbounded for the full lifetime of the turn, but only the last 500 chars (stderr.slice(-500)) are ever used (lines 397, 415). With --verbose now adding stderr noise on every turn (the PR-of-record reason for the prior commit), this becomes a small per-turn memory tax on every cross-bridge mention.

For a long-running daemon serving many parley turns, the cumulative effect is bounded (chunks are GC'd at turn end) but the peak per-turn allocation now scales with whatever Claude Code logs to stderr. Cheap fix — keep a rolling tail:

const STDERR_TAIL_BYTES = 4096
let stderrTail = ''
child.stderr?.on('data', (chunk: Buffer) => {
  stderrTail = (stderrTail + chunk.toString('utf8')).slice(-STDERR_TAIL_BYTES)
})
// …
const stderr = stderrTail

4KB is plenty headroom for the existing 500-char slice and the stale-session pattern matcher in isStaleSessionError. Non-blocking; the per-turn cost is small. Worth tracking with the prior round's unbounded-Map family of findings.

[github-actions]

nit (doc/code drift, low): the file-level invocation comment is now drifting in two ways:

claude -p --output-format stream-json --dangerously-skip-permissions \
  --cwd <projectRoot> [--resume <sessionId>]

1. --verbose (added in this commit) is not shown — the next reviewer who tries to grep for the canonical argv will be confused.
2. --cwd is still shown but buildSpawnArgs does not emit it (cwd is set via spawn options at line 206). This was flagged in the prior review round as well.

Both fixes are one-line; the comment is becoming the "stale doc that lies" hazard rather than load-bearing context. Either drop the invocation snippet entirely (the real argv is right there at buildSpawnArgs, with the --verbose justification comment now anchoring intent) or update it to match. Non-blocking.

[github-actions]

Re-review — Channel + Bridge protocol (synchronize, 2026-05-23 12:09 UTC push)

• Identify commits added since the prior review (2026-05-23 11:01 UTC)
• Diff the new commits
• Spot-check new code
• Verify prior-round findings (any addressed?)
• Post inline findings
• Post final summary + score

Single commit since last pass: 49bc3784 (docs only — INTERNAL_TEST.md Phase 9.5 refresh, +166 / -64). Posting inline findings now.

View job run · branch

[github-actions]

nit (threat-model documentation parity, low-medium): the security callout calls out "Bob's filesystem and process permissions" but doesn't explicitly flag the environment-variable exfiltration vector that prompted the prior round's claude-code-headless-adapter.ts:207 finding. The adapter spawns Claude with env: process.env (full daemon-env passthrough), and --dangerously-skip-permissions gives the peer Bash access — so a verified peer prompt like Run "env | grep -iE 'key|token|secret|api'" exfiltrates every API key the operator has in ~/.zshrc, including ANTHROPIC_API_KEY, BRV_API_KEY, OPENAI_API_KEY, cloud creds, etc. That's a credential-theft surface — distinct from (and sharper than) the filesystem-access one.

The "dedicated VM/sandbox" mitigation is correct but doesn't tell operators what specifically not to put on that VM. Suggest expanding the callout with one concrete bullet:

> **Concretely:** the responder VM's environment is fully exposed. Do NOT put your personal `ANTHROPIC_API_KEY`, `BRV_API_KEY`, cloud creds, or shell secrets in the responder's `~/.bashrc` / `~/.zshrc`. A verified peer can extract them with one Bash prompt (`env | grep -i key`). Either run the responder in a clean VM with only the env vars listed above, or wait for the env-allowlist work tracked in [the prior review's `claude-code-headless-adapter.ts:207` finding].

Also worth surfacing in §7 (feedback) — operators are unlikely to spot this on their own, and the env-passthrough is the kind of footgun that scales badly with the first non-VM internal-test setup. Non-blocking; the gate keeps the surface opt-in, but the docs are the only mitigation between operators and credential theft right now.

[github-actions]

nit (security/UX interaction, low): the recommended internal-test combination is BRV_BRIDGE_AUTO_PROVISION=auto (§3.1, line 37) plus BRV_BRIDGE_CLAUDE_UNSAFE=1 (§3.5, line 158). Phase 9.5.4 hardened the trust gate so auto-tofu peers can't seed new channels — but they CAN still dispatch into existing channels they've been invited to, which means an unverified first-contact peer can drive the headless Claude through any pre-existing channel-member relationship.

For internal-test where channels are short-lived and the team is small, the combination is fine. But the §3.5 security callout reads as if --verify alone is the trust boundary, when in practice the AUTO_PROVISION policy is the upstream gate. Worth one extra sentence in §3.5 along the lines of:

Tighten BRV_BRIDGE_AUTO_PROVISION=pinned-only (the production default) once the team is set up — auto is convenient for first-contact pinning but lets any peer-id-cycling attacker rotate identities cheaply through existing channels.

Non-blocking; this is doc-clarity polish, not a code change.

[github-actions]

nit (operator-doc race, low): the pkill -f brv-server || true; sleep 2; brv bridge whoami --format json >/dev/null pattern relies on the soft assumption that 2s is enough for the dying daemon to release the libp2p port + Socket.IO daemon-discovery file. On a loaded laptop (or a VM running other work), this race occasionally loses — the next brv bridge whoami either auto-spawns a new daemon while the old one's port-bind is still tearing down (causes EADDRINUSE deep in the log), or finds the dying daemon and hits a half-shutdown state.

Two reasonable fixes — either is fine:

1. Loop until pgrep -f brv-server returns empty (matches the existing daemon-discovery.ts pattern):

   pkill -f brv-server || true
   while pgrep -f brv-server >/dev/null 2>&1; do sleep 0.2; done
   brv bridge whoami --format json >/dev/null

2. Use brv restart if that command exists in this cut (it does — see oclif/commands/restart.ts), which has the right shutdown-then-spawn ordering wired in.

Non-blocking — operators who hit the race will just re-run the command. But the doc snippet is going to be copy-pasted into many onboarding sessions, and a deterministic version is one extra line.

[github-actions]

Claude finished @ngduyanhece's task in 1m 43s —— View job

---

Re-review — Channel + Bridge protocol (synchronize, 2026-05-23 12:13 UTC push)

Overall: 4 / 5 (unchanged). Latest push is a clean merge from origin/main (Release 3.15.1, d903cb39) — no channel/bridge code touched. The 3 inline comments posted at 12:12 UTC on INTERNAL_TEST.md stand as the substantive findings for the docs-only 49bc3784 cycle that prompted this review window.

• Identify commits added since the prior review wall-clock (2026-05-23 12:09 UTC)
• Diff the new commits
• Spot-check new code
• Verify prior-round findings (any addressed?)
• Post inline findings (3 already buffered against INTERNAL_TEST.md)
• Post final summary + score

---

Diff since 2026-05-23 12:09 UTC

SHA	Change
8219e368	Merge origin/main into proj/channel-protocol. Touches 9 files (AGENTS.md, CHANGELOG.md, CLAUDE.md, package.json, postrun hook rename restart-after-update.ts → after-update.ts, +130-line tidy-update-plugin-client-cache.test.ts, 2-line webui VC page bump). Zero channel/bridge/trust code touched.
d903cb39	(Brought in by the merge — Release 3.15.1 on main.)

Total delta on the branch: 9 files, +262 / -59 — entirely from the main sync.

What's good in this delta

• Clean main sync. git diff 49bc3784..HEAD -- 'src/server/infra/channel/**' 'src/agent/core/trust/**' 'src/server/infra/channel/bridge/**' returns empty. The merge is mechanical — no resolution work, no cross-contamination between Release 3.15.1's postrun-hook rework and Phase 9's channel surface.
• Tracks the prior pattern of keeping proj/channel-protocol rebased on main so the eventual squash-merge is conflict-free.

Inline findings buffered on this branch (from the 12:12 UTC pass on 49bc3784)

The prior review window opened the docs-only 49bc3784 (INTERNAL_TEST.md +166 / -64) and posted three nits before the summary stage:

1. INTERNAL_TEST.md:183 — security callout for BRV_BRIDGE_CLAUDE_UNSAFE=1 doesn't explicitly call out the env-passthrough vector (verified peer can env | grep -iE 'key|secret' to exfiltrate ANTHROPIC_API_KEY / BRV_API_KEY / cloud creds). Distinct from the filesystem-access surface the §5 wording already covers.
2. INTERNAL_TEST.md:37 — BRV_BRIDGE_AUTO_PROVISION=auto (recommended for §3.1 setup) + BRV_BRIDGE_CLAUDE_UNSAFE=1 (§3.5) interact: unverified peers can drive headless Claude through pre-existing channels they've been invited to. Worth a one-line pinned-only migration note for operators past first-contact.
3. INTERNAL_TEST.md:165 — pkill ...; sleep 2; brv bridge whoami snippet has a port/socket-release race on loaded machines. A while pgrep loop or just brv restart (which exists in this cut) is deterministic.

All three are operator-doc polish, non-blocking. They remain consistent with the PR's "internal-test cut, follow-ups tracked" framing.

Prior-round findings — status

8219e368 did not touch any of the files flagged across the prior six review rounds (2026-05-20 through 12:09 UTC). All earlier findings still open as written:

• install-identity-service.ts:56 (master-key colocation) — still open
• identity-client.ts:507 (NFC normalization only on writer side) — still open
• parley-nonce-lru.ts:31 + parley-rate-limit.ts:51 + auto-create-quota.ts:53 (unbounded outer Map family) — still open
• process-lock.ts:52 (comment says "recurse" but code doesn't) — still open
• alias-store.ts:198 + parley-adapter-session-store.ts:126 (non-unique tmp path) — still open
• discovery.py:80 (isinstance(port, int) accepts bool) — still open
• channel-skill/install-lib.js:105 (accessSync(X_OK) accepts directories) — still open
• claude-code-headless-adapter.ts:207 (env-passthrough to --dangerously-skip-permissions subprocess) — still open
• claude-code-headless-adapter.ts:229 (stderrChunks unbounded — surfaced by the --verbose addition) — still open
• claude-code-headless-adapter.ts:357-361 (flushStdoutBuffer race on exit) — still open
• claude-code-headless-adapter.ts:20 (file-level comment now drifts on both --verbose and --cwd) — still open
• claude-code-headless-adapter.ts:439 (no unit test asserts --verbose is in the spawnargs) — still open
• bridge-config-store.ts:37 (listenAddrs not multiaddr-refined) — still open
• parley-adapter-registry.ts:167 (UNSAFE=1 + missing deps logs-and-continues instead of failing loud) — still open
• ai-sdk-content-generator.ts:390 (synthetic usage masks upstream) — still open
• INTERNAL_TEST.md §3.1 / §3.5 / §5 / §5.1 doc-polish trio above

Verdict for this push

LGTM-incremental. 8219e368 is a hygienic main sync; no new branch code to review, no conflicts touching the channel/bridge surface. The earlier 4 / 5 score stands.
· branch