Skip to content

Commit c5a13ac

Browse files
committed
Update hardening reports for project resume route
1 parent f423750 commit c5a13ac

2 files changed

Lines changed: 20 additions & 13 deletions

File tree

reports/public-selfhost-hardening/final-report.md

Lines changed: 12 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
Date: 2026-06-24
44

5-
Implementation commit hash: `31eb72629d266b8b8827d1a998b482e43a84819a`
5+
Implementation commit hash: `f423750fac51ebce52dc8f5993223e0b31e93bcc`
66

77
Branch: `next-phase`
88

@@ -29,8 +29,8 @@ Branch: `next-phase`
2929
- Added Gateway run-history `scope` metadata and exposed it through the API and Console run list/detail views.
3030
- Added Gateway-observed run/audit `limit`/`offset` pagination, server-side filters, grouped lifecycle summaries, and Console previous/next controls for Runs and Audit.
3131
- Added first-class local `human_interrupts` records and `human_interrupt_created` Gateway audit events for blocker/question/approval/permission/system-action outcomes.
32-
- Added Gateway HTTP and MCP operator-response recording for Gateway-observed human interrupts, with sanitized `human_interrupt_responded` audit metadata and explicit next actions that keep true resume marked unsupported.
33-
- Added Gateway MCP audit evidence for unsupported resume attempts: `codencer.resume_project_run` now records sanitized `resume_project_run_requested` and `resume_project_run_blocked` events with run/project/relay correlation metadata while returning the structured capability blocker.
32+
- Added Gateway HTTP and MCP operator-response recording for Gateway-observed human interrupts, with sanitized `human_interrupt_responded` audit metadata and explicit next actions that keep automatic continuation separated from resume routing.
33+
- Wired project run resume through Gateway HTTP, Gateway MCP, Relay HTTP, Relay MCP, Connector project proxy, and local daemon-backed resume. Successful daemon-resumable states produce `run_resumed`; completed or otherwise non-resumable runs still return structured `run_resume_blocked` / `resume_project_run_blocked` blockers with sanitized audit metadata.
3434
- Added a Gateway Console run-detail human interrupt response panel that appears for blocked/waiting runs, records sanitized operator responses through the Gateway API, refreshes run/audit data, and keeps resume framed as a separate capability check rather than automatic restart.
3535
- Added Antigravity executor profiles so executor discovery exposes Antigravity as a real profile family.
3636
- Added isolated Antigravity proof plumbing: `CODENCER_ANTIGRAVITY_DAEMON_DIR` discovery override, preservation of explicit verifier workspace roots, and live-verifier support for `CODENCER_E2E_ANTIGRAVITY_INSTANCE_JSON`, `CODENCER_E2E_ANTIGRAVITY_INSTANCE_FILE`, and `CODENCER_E2E_ANTIGRAVITY_DAEMON_DIR`.
@@ -193,6 +193,13 @@ Branch: `next-phase`
193193
- `make verify-gateway` after exposing local run resume - passed
194194
- `make verify-public-release` after exposing local run resume - passed
195195
- `git diff --check` after exposing local run resume - passed
196+
- `go test ./internal/gateway ./internal/relay ./internal/connector ./internal/localexec ./internal/app` after routing Gateway/Relay/Connector project resume - passed
197+
- `bash -n scripts/verify_gateway.sh` after adding the project resume MCP probe - passed
198+
- `make verify-gateway` after routing Gateway/Relay/Connector project resume - passed
199+
- `go test ./...` after routing Gateway/Relay/Connector project resume - passed
200+
- `make verify-release-artifact-selfhost VERSION=v0.3.0-selfhost-artifact-verify TARGETS=host REQUIRE_TARGETS=host` after routing Gateway/Relay/Connector project resume - passed
201+
- `make verify-public-release` after routing Gateway/Relay/Connector project resume - passed
202+
- `git diff --check` after routing Gateway/Relay/Connector project resume - passed
196203
- `CODENCER_E2E_REAL_EXECUTORS=codex,claude CODENCER_E2E_CODEX_COMMAND=<codex-binary> CODENCER_E2E_CLAUDE_COMMAND=<claude-binary> make verify-public-selfhost-rc` - failed by design with `NO-GO` after Codex and Claude passed and Antigravity was missing
197204
- `cd web/gateway-console && CODENCER_E2E_BIN_DIR=../../bin CODENCER_E2E_EXECUTOR_ADAPTER=antigravity CODENCER_E2E_EXECUTOR_PROFILE=antigravity-default CODENCER_E2E_ANTIGRAVITY_INSTANCE_FILE=<temp-file> node tests/live/verify-live.mjs` - failed correctly; the provided Antigravity LS did not expose the isolated verifier repo workspace
198205
- `git diff --check` - passed
@@ -202,11 +209,11 @@ Branch: `next-phase`
202209
- Antigravity real executor proof is not proven in the public self-host RC gate.
203210
- Latest Codex real executor RC subgate passed with the configured Codex binary and simulation disabled, but the overall default public RC gate remains `NO-GO` because Claude Code and Antigravity proofs were missing from that run.
204211
- Current local Antigravity app processes expose reachable RPC endpoints, but the available candidates do not expose the isolated verifier repo workspace through `GetWorkspaceInfos`, so the verifier refuses to bind them for public release proof.
205-
- Local `codencer run resume` now routes through the daemon and succeeds for `created` or `paused_for_gate` runs supported by `RecoveryService.ResumeRun`; completed/non-resumable local runs still return a structured `run_resume_blocked` capability blocker. Gateway/Relay project-level `codencer.resume_project_run` remains a structured blocker and records sanitized `resume_project_run_requested` and `resume_project_run_blocked` audit events for run-history correlation.
212+
- Local `codencer run resume` and project-level Gateway/Relay/Connector resume now route to daemon-backed `RecoveryService.ResumeRun` for states supported by the daemon (`created` and `paused_for_gate`). Completed/non-resumable runs still return structured `run_resume_blocked` or `resume_project_run_blocked` capability blockers with sanitized audit correlation.
206213
- Project-scoped cancel now routes through Gateway, Relay, Connector, and local daemon cancellation; whether the underlying executor stops immediately remains bounded by daemon/executor cancellation semantics.
207214
- Raw log/artifact upload remains unsupported by design. `codencer sync publish --confirm` ingests metadata-only run/project summaries into Gateway history; it does not upload local reports, logs, artifacts, daemon URLs, or filesystem paths.
208215
- Run history/audit synced-scope transport now exists for explicit metadata-only `codencer sync publish`, including sanitized aggregate and per-run sync audit events; broader incremental sync policy and external source reconciliation remain incomplete.
209-
- Human interrupt lifecycle is still partial: local report/event records, local daemon-backed resume for resumable states, Gateway blocker audit, sanitized Gateway HTTP/MCP operator-response audit, unsupported Gateway resume-attempt audit, and a Console run-detail response panel now exist, but automatic continuation after human response and Gateway/Relay project resume remain incomplete.
216+
- Human interrupt lifecycle is still partial: local report/event records, local and project-level daemon-backed resume for resumable states, Gateway blocker audit, sanitized Gateway HTTP/MCP operator-response audit, resume-attempt audit, and a Console run-detail response panel now exist, but automatic continuation after human response remains incomplete.
210217
- Broader explicit JSON/debug/path surface policy proof remains incomplete. Default local human CLI output now covers init, config show, project init/status/scan, executor list, sync preview, submit, run events, run report, and run resume blocker output, and the source/artifact Gateway verifier now covers public Gateway API and MCP leak checks for core list/run/audit/activation surfaces.
211218

212219
Verdict: NO-GO

0 commit comments

Comments
 (0)