Warning
HISTORICAL FINISH LOG: This log records an earlier cloud hardening pass and is not the current release contract. Use README, Local Quickstart, and Self-Host Relay Quickstart for current guidance.
Last updated: 2026-04-15
Mission for this pass:
- add a cloud-scoped canonical remote surface decision and implementation
- harden tenancy with memberships, roles, and better audit attribution
- deepen the priority connector lifecycle without adding more connector breadth
- add a real Docker-based self-host baseline and deployment smoke
Exact blockers locked for this pass:
- Cloud-scoped runtime control had no cloud MCP surface
- Tenancy lacked first-class memberships, roles, and ownership semantics
- Provider installations lacked stronger owner/health/timestamp lifecycle depth
- The repo had no Docker deployment baseline for the cloud stack
- Access and cloud MCP:
internal/cloud/auth.gointernal/cloud/router.gointernal/cloud/server.gointernal/cloud/mcp_server.gointernal/cloud/mcp_tools.gointernal/cloud/membership_api.gocmd/codencer-cloudctl/main.go
- Connector lifecycle hardening:
internal/cloud/connectors/*internal/cloud/worker.go
- Deployment baseline:
deploy/cloud/*Makefile
- Truth/docs:
README.mddocs/CLOUD.mddocs/CLOUD_CONNECTORS.mddocs/CLOUD_SELF_HOST.md- this file
| Merge | Scope | Checks | Result | Notes |
|---|---|---|---|---|
| 1 | membership + role + audit attribution + cloud MCP | go test ./internal/cloud/... ./cmd/codencer-cloudctl ./cmd/codencer-cloudd ./cmd/codencer-cloudworkerd |
passed | API and cloud MCP coverage landed together |
| 2 | connector lifecycle hardening | go test ./internal/cloud/connectors ./internal/cloud/... |
passed | provider config validation and lifecycle persistence remained green |
| 3 | deployment baseline | docker compose --env-file deploy/cloud/.env.example -f deploy/cloud/docker-compose.yml config |
passed | compose file, env wiring, mounts, and healthcheck syntax validated |
| 4 | compose smoke | ./deploy/cloud/smoke.sh |
blocked | Docker CLI was installed, but the Docker daemon/socket was unavailable in this environment, so the stack could not be started live |
This pass is narrower than the original cloud-foundation push.
Mission for the current pass:
- make cloud the tenant-aware control plane for Codencer runtime when cloud mode is used
- keep the local daemon, relay, and connector execution doctrine intact
- deepen the priority provider connectors instead of adding more shallow breadth
- keep claims about connector and cloud maturity exact
This pass does not add UI, billing, or new low-priority connectors.
Current code truth at the start of this pass:
- cloud control-plane APIs exist under
/api/cloud/v1/* - relay runtime APIs still exist separately under
/api/v2/*,/mcp, and/ws/connectors codencer-clouddcan compose relay in-process, but that is still process composition rather than tenant-aware runtime ownership- cloud token scope governs cloud admin APIs only
- relay planner tokens still govern runtime routing and instance visibility
- cloud stores provider connector installations, but not tenant-scoped Codencer runtime connector installations or runtime instances
Exact blockers locked for this pass:
-
No cloud-side Codencer runtime installation model
- missing tenant-scoped record for local Codencer connector identity, machine metadata, enabled state, last seen, health, and last error
-
No cloud-side runtime instance registry
- missing tenant-scoped record for shared instances, instance metadata, connector ownership, enabled state, and last seen
-
No cloud-scoped runtime API surface
- missing cloud routes for runtime connectors, instances, and runtime inspection under org/workspace/project scope
-
No cloud/relay auth alignment
- composed cloud mode does not translate tenant ownership and cloud token scope into runtime visibility
-
Provider connectors still remain thin alpha integrations
- GitHub, GitLab, Linear, and Slack each expose one minimal action
- Jira remains polling-first with limited health depth
- docs compress code existence and verified depth too aggressively
- Owner: write worker
- Scope:
- add tenant-scoped Codencer runtime installation and runtime instance models
- extend cloud store and migrations
- add store tests for runtime registry behavior
- Files:
internal/cloud/models.gointernal/cloud/store.gointernal/cloud/*_test.gofor runtime model/store coverage
- Status: completed
- Owner: Lead
- Scope:
- cloud runtime routes
- cloud token scope enforcement for runtime resources
- composed relay alignment and tenant-scoped runtime visibility
- cloudctl runtime admin surfaces
- Files:
internal/cloud/auth.gointernal/cloud/server.gointernal/cloud/router.gocmd/codencer-cloudd/main.gocmd/codencer-cloudctl/main.gointernal/relay/*as needed for composed cloud alignment
- Status: completed
- Owner: write worker
- Scope:
- stronger validation and provider-specific status detail where practical
- richer action surface for priority providers
- stronger normalization tests
- no new providers
- Files:
internal/cloud/connectors/types.gointernal/cloud/connectors/common.gointernal/cloud/connectors/github.gointernal/cloud/connectors/gitlab.gointernal/cloud/connectors/jira.gointernal/cloud/connectors/linear.gointernal/cloud/connectors/slack.go- matching tests under
internal/cloud/connectors/*_test.go
- Status: completed
- Owner: Lead
- Scope:
- update cloud docs and connector matrix
- record exact verification after each merge
- keep claims narrow and evidence-based
- Files:
docs/CLOUD.mddocs/CLOUD_CONNECTORS.mddocs/CLOUD_SELF_HOST.md- this finish log
- Status: completed
- Update runtime blocker lock and ownership log
- Merge cloud runtime model/store foundation
- Re-run
go test ./internal/cloud/... - Merge cloud runtime API/auth/alignment work
- Re-run focused cloud + relay tests
- Merge provider connector deepening
- Re-run
go test ./internal/cloud/connectors ./internal/cloud/... - Update docs and self-host/cloud truth
- Run broad verification:
go test ./...,make build,make build-cloud
Implemented in this pass:
- cloud-side runtime registry foundation:
RuntimeConnectorInstallationRuntimeInstance- runtime registry migrations and store methods
- cloud-scoped runtime routes under
/api/cloud/v1/runtime/* - cloud-scoped runtime connector claim/sync/enable/disable flows
- cloud-scoped runtime instance inspection and instance-scoped HTTP proxying for runs, steps, gates, and artifacts
- relay helper support for trusted in-process planner principals used by the cloud daemon
- deeper provider connector action surface and stronger connector tests
- updated cloud docs and optional runtime-claim smoke wiring
| Merge | Scope | Checks | Result | Notes |
|---|---|---|---|---|
| 1 | runtime blocker lock + ownership map | log update only | passed | this file is the canonical pass log |
| 2 | runtime model/store foundation + connector depth slices merged | go test ./internal/cloud/... ./internal/cloud/connectors |
passed | worker slices landed cleanly |
| 3 | relay in-process planner injection helper | `go test ./internal/relay -run 'TestPlanner | TestServeAsPlanner'` | passed |
| 4 | cloud runtime API + cloudctl | go test ./internal/cloud/... ./cmd/codencer-cloudctl ./internal/relay ./cmd/codencer-cloudd ./cmd/codencer-cloudworkerd |
passed | claim/list/disable runtime flows covered |
| 5 | broad verification | go test ./... |
passed | repo-wide tests remained green |
| 6 | build verification | make build and make build-cloud |
passed | core binaries and cloud binaries build |
| 7 | operator smoke | bash -n scripts/cloud_smoke.sh and make cloud-smoke |
passed | runtime-claim smoke path remains optional and env-driven |
Take the current Codencer repository from:
- practical self-host v2 alpha with daemon, connector, relay, relay MCP, and operator tooling
to:
- first-class open-source-based cloud backend/control-plane foundation without UI
- while preserving the current self-host relay/connector/daemon path
- and keeping docs, runtime behavior, and public claims truthful
Current repo truth at the start of this cloud run:
- Codencer is still explicitly documented and implemented as a local-first bridge.
- The current shipped runtime is:
- local daemon:
orchestratord - local operator CLI:
orchestratorctl - self-host relay:
codencer-relayd - local outbound connector:
codencer-connectord - optional Windows-side
agent-broker
- local daemon:
- The repo does not currently contain a true cloud domain or tenancy model.
- The repo does not currently contain a SaaS connector platform for GitHub, GitLab, Jira, Linear, or Slack.
- The repo does not currently contain a packaged cloud deployment stack.
Primary supporting file references:
- README.md
- docs/01_product_scope.md
- docs/02_architecture.md
- docs/SELF_HOST_REFERENCE.md
- docs/RELAY.md
- internal/relay/server.go
- internal/relay/store/store.go
- internal/storage/sqlite/migrations.go
The existing repo already provides reusable cloud-adjacent foundations:
- narrow relay control-plane patterns:
- planner bearer-token auth
- connector enrollment tokens
- signed connector challenge/response
- connector presence/session hub
- instance registry and route hints
- audit persistence
- stable local execution model:
- repo-bound daemon
- worktree isolation
- runs / steps / attempts / gates
- evidence retrieval
- operator CLI patterns:
codencer-relaydadmin helperscodencer-connectordadmin helpers- smoke-script pattern for end-to-end verification
These are reusable as a cloud runtime/control-plane substrate.
The following blockers must be addressed before Codencer can be truthfully described as a cloud backend/control-plane:
-
No cloud domain model
- missing
org,workspace,project, membership, role, and ownership entities - existing
project_idis only an execution label on runs/tasks
- missing
-
No cloud token / access model
- current relay planner auth is static config token auth only
- no tenant-scoped API token lifecycle, disable/revoke, or attribution model
-
No cloud persistence layer
- no cloud DB schema for tenants, tokens, connector installations, external events, or action history
- no cloud migration strategy beyond inline sqlite DDL in current local/relay stores
-
No cloud control-plane service
- no
codencer-cloudd-style backend - no cloud admin API
- no cloud admin CLI
- no
-
No external connector platform
- current connector is a local daemon bridge, not a SaaS integration framework
- no installation model, no secrets/config model, no normalized event model, no action dispatch model
-
No top-tier connector implementations
- no GitHub, GitLab, Jira, Linear, or Slack connector packages exist in repo code
-
No webhook/polling ingest plane
- no provider webhook endpoints
- no signature verification routes
- no sync cursor or polling state
-
No deployment/self-host cloud story
- no packaged cloud service startup flow
- no cloud env/config examples
- no cloud smoke flow
-
Public docs still say “no cloud”
- current docs explicitly position Codencer as local-first and non-cloud
- any cloud additions must reconcile this honestly without breaking self-host truth
Given current repo reality, the maximum safe target for this run is:
- add a real cloud backend foundation to the repo
- keep existing self-host v2 runtime intact
- make the new cloud backend reuse the existing relay path where possible
- implement a reusable external connector platform
- implement real minimal connectors for the priority set
- prove what is actually verified
- explicitly list whatever remains partial
This run must not overclaim:
- enterprise IAM
- fully managed SaaS maturity
- full connector parity with vendor ecosystems
- cloud-hosted execution replacing local execution truth
- Owner: Lead
- Scope:
- this finish log
- blocker lock
- ownership map
- merge plan
- Files:
docs/internal/cloud_v1_finish_log.md
- Status: completed
- Owner: Helmholtz
- Scope:
- cloud config
- tenant domain model
- token model
- installation model
- secrets model
- audit attribution
- cloud store and migrations
- Files:
internal/cloud/config.gointernal/cloud/models.gointernal/cloud/store.gointernal/cloud/auth.gointernal/cloud/secrets.go- tests under
internal/cloud/*_test.go
- Status: completed
- Owner: Lead
- Scope:
- cloud HTTP admin API
- cloud admin CLI
- bootstrap flows for org/workspace/project/token/installations
- Files:
internal/cloud/server.gointernal/cloud/router.gocmd/codencer-cloudd/main.gocmd/codencer-cloudctl/main.go- tests under
cmd/codencer-cloudctl/*andinternal/cloud/*_test.go
- Status: completed
- Owner: Lovelace
- Scope:
- connector registry
- connector contract
- normalized events/actions
- install/validate/action/ingest helpers
- Files:
internal/cloud/connectors/registry.gointernal/cloud/connectors/types.gointernal/cloud/connectors/common.go- tests under
internal/cloud/connectors/*_test.go
- Status: completed
- Owner: split
- Scope:
- GitHub
- GitLab
- Jira
- Linear
- Slack
- Files:
internal/cloud/connectors/github.gointernal/cloud/connectors/gitlab.gointernal/cloud/connectors/jira.gointernal/cloud/connectors/linear.gointernal/cloud/connectors/slack.go- tests under
internal/cloud/connectors/*_test.go
- Status: completed
Connector ownership:
- Lovelace:
internal/cloud/connectors/github.gointernal/cloud/connectors/gitlab.go
- Ramanujan:
internal/cloud/connectors/jira.gointernal/cloud/connectors/linear.gointernal/cloud/connectors/slack.go
- Owner: Lead
- Scope:
- keep existing relay intact
- align cloud service composition with current relay
- preserve explicit instance targeting and local execution truth
- Files:
cmd/codencer-cloudd/main.gointernal/cloud/server.gointernal/cloud/router.godocs/RELAY.md
- Status: completed
- Owner: Lead with docs worker support
- Scope:
- cloud docs
- cloud examples
- cloud smoke path
- startup/dependency flow
- Files:
- cloud docs and scripts to be added after runtime shape is concrete
- Status: completed
- Owner: Lead
- Scope:
- formatting
- targeted tests after each merge
- broad builds/tests
- final truth summary
- Status: completed
- Repo truth + cloud gap lock
- Cloud domain / tenancy / auth foundation
- Cloud control-plane API / admin surfaces
- Connector platform foundation
- Top-tier connector implementations
- Relay / cloud alignment
- Deployment / self-host / operator docs and smoke
- Final hardening, broad tests/builds, and truth pass
Implemented in this pass:
- new cloud domain, store, auth, and secret foundation under
internal/cloud - cloud admin/control-plane binaries:
cmd/codencer-clouddcmd/codencer-cloudctlcmd/codencer-cloudworkerd
- cloud admin HTTP surface under
/api/cloud/v1/* - connector registry plus provider implementations for:
- GitHub
- GitLab
- Jira
- Linear
- Slack
- provider webhook ingest routes where implemented
- Jira polling-first worker path
- installation enable/disable surfaces
- cloud docs, setup docs, and smoke script
Cloud-focused checks run during this pass:
go test ./internal/cloud/...go test ./internal/cloud/... ./cmd/codencer-cloudctl ./cmd/codencer-cloudd ./cmd/codencer-cloudworkerdgo build ./cmd/codencer-cloudctl ./cmd/codencer-cloudd ./cmd/codencer-cloudworkerdmake build-cloudbash -n scripts/cloud_smoke.shmake cloud-smoke
Broad preservation checks run after cloud integration:
go test ./...make buildmake build-brokergit diff --check
Verification outcome:
- cloud control-plane binaries build
- cloud smoke path passed end-to-end
- repo-wide tests passed
- existing local/self-host build targets still pass
The cloud backend is real and usable for operator self-use, but these limitations remain explicit:
- bootstrap of the first org is local/store-driven via
codencer-cloudctl bootstrap; there is no fully HTTP-only first-org bootstrap token flow in this pass - the cloud store is SQLite-backed in this alpha pass; Postgres/Redis/object-storage-backed deployment is not implemented
- identity is service-token/operator-token based; there is no user membership or enterprise IAM model yet
- GitHub, GitLab, Linear, and Slack connector behavior is unit-tested in-repo, but this pass does not claim live end-to-end verification against hosted provider accounts
- Jira is intentionally polling-first through
codencer-cloudworkerd; Jira webhook ingest is not implemented in this pass - the cloud control plane does not replace the local daemon/relay execution truth and must not be described as a planner or generic cloud workflow brain
- Final hardening / tests / truth pass
| Merge | Scope | Checks | Result | Notes |
|---|---|---|---|---|
| 1 | repo truth + cloud gap lock | pending | pending | this row will be updated after merge |
- Storage driver:
- locked for this pass: sqlite-backed alpha cloud backend using isolated cloud store code
- note clearly in docs that this is alpha self-host cloud persistence, not a production HA database posture
- Relay composition:
- locked for this pass:
codencer-clouddcomposes the existing relay handler rather than rewriting relay internals
- locked for this pass:
- Connector auth depth:
- token bootstrap first, OAuth/app-model only where safe and proven
These must be resolved in code and docs, not by aspiration.