Commit f481b7b

Update hardening report for project cancel routing
1 parent 5ebc898 commit f481b7b

2 files changed

Lines changed: 20 additions & 10 deletions

reports/public-selfhost-hardening/final-report.md

Lines changed: 14 additions & 4 deletions
@@ -2,7 +2,7 @@
22

33
Date: 2026-06-24
44

5-
Implementation commit hash: `b44a5d947e30f98728e8238582705d0b02f1d8c1`
5+
Implementation commit hash: `5ebc8985b7112bb770c8d90c53c8f5e667eaea90`
66

77
Branch: `next-phase`
88

@@ -13,9 +13,10 @@ Branch: `next-phase`
1313
- Hardened the public self-host RC verifier so it emits only `GO` or `NO-GO`, rejects real-executor simulation env values, runs configured real executor gates by adapter, and fails the release gate when required real proofs are missing.
1414
- Confirmed the real Codex path invokes the configured Codex binary with `ALL_ADAPTERS_SIMULATION_MODE=0` and `CODEX_SIMULATION_MODE=0`.
1515
- Added `codencer run events`, `codencer run report`, `codencer run cancel`, and structured `codencer run resume` blocker behavior.
16-
- Added Gateway MCP async lifecycle tools: `codencer.start_project_run`, `codencer.submit_project_task`, `codencer.list_project_runs`, `codencer.get_project_run`, `codencer.get_project_run_status`, `codencer.get_gateway_run_events`, and structured `codencer.cancel_project_run` / `codencer.resume_project_run` capability blockers.
16+
- Added Gateway MCP async lifecycle tools: `codencer.start_project_run`, `codencer.submit_project_task`, `codencer.list_project_runs`, `codencer.get_project_run`, `codencer.get_project_run_status`, `codencer.get_gateway_run_events`, true project-scoped `codencer.cancel_project_run`, and a structured `codencer.resume_project_run` capability blocker.
1717
- Preserved `codencer.submit_project_task_and_wait` as a compatibility tool while adding non-blocking submit/start paths for planners that should not hold one long HTTP/MCP request open.
1818
- Updated Gateway Console simple-task submit to send `wait=false`, poll the run report until terminal status, display `pending` while waiting, and emit the terminal audit event once when report refresh observes completion.
19+
- Wired project run cancellation through Gateway HTTP, Gateway MCP, Relay HTTP, Relay MCP, Connector project proxy, and local daemon-backed cancellation, with Gateway run history/audit events for `cancel_project_run_requested` and terminal `run_cancelled`.
1920
- Added `codencer sync status`, `codencer sync preview`, and `codencer sync publish` as explicit metadata-only sync controls. Raw artifacts/logs are blocked, and confirmed publish ingests only sanitized metadata into Gateway run history with `scope=synced`.
2021
- Redacted local absolute repo/report paths, daemon URLs, token-like text, and unsafe executor summaries from default human CLI project/status/submit/run output while preserving explicit `--json` operator detail.
2122
- Added Gateway run-history `scope` metadata and exposed it through the API and Console run list/detail views.
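
Review bot: The new bullet at line 19 names six hops for cancel (Gateway HTTP, Gateway MCP, Relay HTTP, Relay MCP, Connector project proxy, local daemon) but does not say where the project scope is enforced, and line 16 calls the tool "true project-scoped" without defining it. For a hardening report, state at which hop a cancel for a run outside the caller's project is rejected, and whether a rejected or failed cancel also produces an audit event alongside `cancel_project_run_requested` and `run_cancelled`.
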
@@ -65,6 +66,9 @@ Branch: `next-phase`
6566
- `reports/gateway-console-screenshots/2026-06-24-1403`
6667
- `reports/gateway-console-screenshots/2026-06-24-1553`
6768
- `reports/gateway-console-screenshots/2026-06-24-1556`
69+
- `reports/gateway-console-screenshots/2026-06-24-1616`
70+
- `reports/gateway-console-screenshots/2026-06-24-1626`
71+
- `reports/gateway-console-screenshots/2026-06-24-1631`
6872

6973
## Commands Run
7074

@@ -81,17 +85,23 @@ Branch: `next-phase`
8185
- `go test ./...` - passed
8286
- `go test ./...` after adding Gateway MCP async lifecycle tools - passed
8387
- `go test ./...` after adding Gateway Console async submit/report polling - passed
88+
- `go test ./internal/connector ./internal/gateway ./internal/relay ./internal/localexec` after adding project-scoped cancel routing - passed
89+
- `go test ./...` after adding project-scoped cancel routing - passed
8490
- `cd web/gateway-console && npm run format:check` - passed
8591
- `cd web/gateway-console && npm run lint` - passed
8692
- `cd web/gateway-console && npm run typecheck` - passed
8793
- `cd web/gateway-console && npm run test` - passed
8894
- `cd web/gateway-console && npm run test -- --run tests/schemas.test.ts` - passed
95+
- `cd web/gateway-console && npm run format:check && npm run lint && npm run typecheck && npm run test && npm run test:e2e -- --grep "project task form submits demo run"` - passed
96+
- `cd web/gateway-console && npm run format:check && npm run lint && npm run typecheck && npm run test && npm run test:e2e` - passed
8997
- `cd web/gateway-console && npm run build` - passed
9098
- `cd web/gateway-console && npm run test:e2e` - passed
9199
- `make verify-gateway` - passed
92100
- `make verify-gateway` after adding Gateway MCP async lifecycle tools - passed
93101
- `make verify-gateway` after adding Gateway Console async submit/report polling - passed
102+
- `make verify-gateway` after adding project-scoped cancel routing - passed
94103
- `make verify-gateway-console` - passed
104+
- `make verify-gateway-console` after stabilizing run-detail navigation e2e and regenerating evidence - passed
95105
- `make verify-gateway-console-live` - passed
96106
- `make verify-gateway-console-live` after adding terminal audit-on-report refresh - passed
97107
- `go test ./internal/adapters/antigravity` - passed
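
Review bot: Line 104 records `make verify-gateway-console` as passing "after stabilizing run-detail navigation e2e and regenerating evidence" without saying what was unstable or what was changed to stabilize it. Add a short statement of whether the fix altered assertions or only timing and waits, so the pass cannot be read as a weakened check. Lines 95 and 96 also overlap: the full `npm run test:e2e` chain on line 96 subsumes the `--grep` run on line 95, so one of them could be dropped or labelled as the targeted rerun.
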
@@ -100,7 +110,7 @@ Branch: `next-phase`
100110
- `CODENCER_E2E_REAL_EXECUTOR=codex CODENCER_E2E_REAL_EXECUTOR_COMMAND=/Applications/Codex.app/Contents/Resources/codex make verify-public-selfhost-rc` - failed with `NO-GO` due to external Codex usage limit after invoking the real Codex binary with simulation disabled; report `reports/public-selfhost-rc/20260624T125824Z/summary.md`
101111
- `CODENCER_E2E_REQUIRED_REAL_EXECUTORS=codex CODENCER_E2E_REAL_EXECUTOR=codex CODENCER_E2E_REAL_EXECUTOR_COMMAND=<configured-codex-binary> make verify-public-selfhost-rc` - passed with scoped `GO` for Codex-only proof
102112
- `make verify-public-release` - passed
103-
- `make verify-public-selfhost-release TARGETS=host REQUIRE_TARGETS=host` - passed
113+
- `make verify-public-selfhost-release TARGETS=host REQUIRE_TARGETS=host` - passed after project-scoped cancel routing and console e2e stabilization
104114
- `CODENCER_E2E_REAL_EXECUTORS=codex,claude CODENCER_E2E_CODEX_COMMAND=<codex-binary> CODENCER_E2E_CLAUDE_COMMAND=<claude-binary> make verify-public-selfhost-rc` - failed by design with `NO-GO` after Codex and Claude passed and Antigravity was missing
105115
- `cd web/gateway-console && CODENCER_E2E_BIN_DIR=../../bin CODENCER_E2E_EXECUTOR_ADAPTER=antigravity CODENCER_E2E_EXECUTOR_PROFILE=antigravity-default CODENCER_E2E_ANTIGRAVITY_INSTANCE_FILE=<temp-file> node tests/live/verify-live.mjs` - failed correctly; the provided Antigravity LS did not expose the isolated verifier repo workspace
106116
- `git diff --check` - passed
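
Review bot: Line 113 rewrites the existing `make verify-public-selfhost-release TARGETS=host REQUIRE_TARGETS=host` entry instead of appending a new one, which drops the record of the earlier pass; the other gates in this list (`go test ./...`, `make verify-gateway`) keep the original line and add a separate "after ..." line. Suggest following the same pattern here so the command log stays append-only.
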
@@ -111,7 +121,7 @@ Branch: `next-phase`
111121
- Latest Codex real executor rerun is blocked by Codex account usage limits despite invoking the real binary with `is_simulation=false`; prior Codex proof remains the latest passing Codex proof.
112122
- Current local Antigravity app processes expose reachable RPC endpoints, but the available candidates do not expose the isolated verifier repo workspace through `GetWorkspaceInfos`, so the verifier refuses to bind them for public release proof.
113123
- `codencer run resume` and Gateway MCP `codencer.resume_project_run` are exposed as structured blockers because the daemon/Relay path does not yet expose a true resume route.
114-
- Gateway MCP `codencer.cancel_project_run` is currently a structured capability blocker for project-level Gateway routing; local CLI cancellation support remains separate and limited by daemon/executor capability.
124+
- Project-scoped cancel now routes through Gateway, Relay, Connector, and local daemon cancellation; whether the underlying executor stops immediately remains bounded by daemon/executor cancellation semantics.
115125
- Raw log/artifact upload remains unsupported by design. `codencer sync publish --confirm` ingests metadata-only run/project summaries into Gateway history; it does not upload local reports, logs, artifacts, daemon URLs, or filesystem paths.
116126
- Run history/audit synced-scope transport now exists for explicit metadata-only `codencer sync publish`; broader incremental sync policy and external source reconciliation remain incomplete.
117127
- Human interrupt lifecycle is still partial: local report/event records and Gateway blocker audit exist, but complete operator answer/resume UI/MCP flows are not fully proven.
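
Review bot: Line 124 says the executor may not stop immediately, but the summary in this same report lists a terminal `run_cancelled` audit event; the limitation should say whether `run_cancelled` is recorded when the cancel request is accepted or only once the daemon confirms the executor has stopped. Without that, run history could show a run as cancelled while the executor is still acting on the repo.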

reports/public-selfhost-hardening/implementation-audit.md

Lines changed: 6 additions & 6 deletions
@@ -37,7 +37,7 @@ the exact package was not available in the current attachment cache.
3737
| Local-first source of truth | Partially implemented | Local daemon/CLI exists; default project/status/run/submit human output is redacted, while explicit JSON/debug outputs still carry local state for operator tooling. |
3838
| Explicit sync/publish | Partially implemented | `codencer sync status/preview/publish` now provides metadata-only preview; confirmed publish ingests sanitized metadata into Gateway run history. Raw logs/artifacts remain blocked. |
3939
| Local CLI submit UX | Partially implemented | `codencer submit` exists and is local-first; default human output redacts local paths, but progress UX remains narrow. |
40-
| Async run lifecycle | Partially implemented | Local `run start/list/get/status/events/report/cancel/resume` exists; Gateway MCP exposes async start/submit/list/status/report/events and structured cancel/resume capability blockers. Gateway Console now submits simple tasks with `wait=false`, polls run reports, and records terminal audit events on report refresh. |
40+
| Async run lifecycle | Partially implemented | Local `run start/list/get/status/events/report/cancel/resume` exists; Gateway/Relay/Connector now route true project-scoped cancel, Gateway MCP exposes async start/submit/list/status/report/events/cancel, and resume remains a structured capability blocker. Gateway Console now submits simple tasks with `wait=false`, polls run reports, and records terminal audit events on report refresh. |
4141
| Human interrupt lifecycle | Partially implemented | Local reports/events now expose first-class `human_interrupts`, Gateway blocker outcomes emit `human_interrupt_created` audit events, and Antigravity unsafe permission waits now fail fast as manual-attention results; complete answer/resume UI/MCP lifecycle remains incomplete. |
4242
| Real executor proofs | Partially implemented | Codex has prior artifact-backed proof and latest rerun invoked the real Codex binary with simulation disabled but failed on an external Codex usage-limit error; earlier Claude Code proof exists; Antigravity remains unproven and now fails early when the provided LS workspace does not match the isolated verifier repo. |
4343
| Run history/audit/console | Partially implemented | Gateway-observed run history/audit now includes scope, limit/offset pagination, server-side filters, and grouped lifecycle summaries; synced/local ingest transport remains incomplete. |
@@ -72,10 +72,10 @@ the exact package was not available in the current attachment cache.
7272

7373
| Requirement | Status | Evidence |
7474
| --- | --- | --- |
75-
| Submit/status/events/report/cancel/resume lifecycle | Partially implemented | Local `run start/list/get/status/events/report/cancel/resume` exists. Gateway MCP now exposes `codencer.start_project_run`, `codencer.submit_project_task`, `codencer.list_project_runs`, `codencer.get_project_run_status`, `codencer.get_run_report`, `codencer.get_gateway_run_events`, and structured `cancel_project_run`/`resume_project_run` capability blockers. |
75+
| Submit/status/events/report/cancel/resume lifecycle | Partially implemented | Local `run start/list/get/status/events/report/cancel/resume` exists. Gateway MCP now exposes `codencer.start_project_run`, `codencer.submit_project_task`, `codencer.list_project_runs`, `codencer.get_project_run_status`, `codencer.get_run_report`, `codencer.get_gateway_run_events`, and project-scoped `codencer.cancel_project_run`; `resume_project_run` remains a structured capability blocker. |
7676
| Long-running tasks not dependent on one blocking request | Partially implemented | Local submit can run without `--wait`, Relay MCP has async project tools, Gateway MCP has a non-blocking async lifecycle, and Gateway Console simple-task submit now returns after submission and polls reports until terminal evidence is available. Manifest mode remains a blocking advanced path. |
7777
| `get_run_report` for simple and manifest runs | Implemented for covered Gateway paths | Gateway tests cover submit/get report and manifest report paths. |
78-
| Run state transitions include waiting/canceled/resumed | Partially implemented | Domain has states/gates in daemon tests; Gateway MCP preserves non-terminal `submitted/running` states and exposes structured cancel/resume blockers where project-level Relay support is absent. |
78+
| Run state transitions include waiting/canceled/resumed | Partially implemented | Domain has states/gates in daemon tests; Gateway MCP preserves non-terminal `submitted/running` states, forwards project-scoped cancel, records `run_cancelled`, and still exposes structured resume blockers where true resume support is absent. |
7979

8080
### 03 - Human Interrupts and Permissions
8181

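Review bot: The tool list on line 75 does not match the one in final-report.md: this row names `codencer.get_run_report` and omits `codencer.get_project_run`, while the final report's Gateway MCP bullet lists `codencer.get_project_run` and has no `codencer.get_run_report`. Reconcile the two lists. Line 78 also spells the requirement state as "canceled" next to the event name `run_cancelled`; note which spelling the stored state value uses so filters on run history match.
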
@@ -85,7 +85,7 @@ the exact package was not available in the current attachment cache.
8585
| Clarifying questions | Partially implemented | Question blockers now produce `clarifying_question_required` interrupt records and Gateway `human_interrupt_created` audit; no first-class answer/resume command. |
8686
| Permission requests | Partially implemented | Dangerous executor confirmation exists in Gateway Console, unsafe-action blockers map to `permission_request_required`, and Antigravity unsupported/out-of-workspace permission waits now become manual-attention results instead of timeouts; no generalized permission-request lifecycle. |
8787
| OS/system human action required | Partially implemented | Daemon-not-running blockers map to `os_system_human_action_required` records; no full OS-action resolver flow. |
88-
| Resume/cancel/audit interrupt lifecycle | Partially implemented | Local events include `human_interrupt_created`; Gateway audit records blocker interrupts; resume still returns a structured unsupported/capability blocker. |
88+
| Resume/cancel/audit interrupt lifecycle | Partially implemented | Local events include `human_interrupt_created`; Gateway audit records blocker interrupts; project-scoped cancel is forwarded and audited; resume still returns a structured unsupported/capability blocker. |
8989

9090
### 04 - CLI Commands and Control Plane
9191

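Review bot: Line 88 adds that project-scoped cancel is forwarded and audited, but the row is about the interrupt lifecycle and does not say what happens to an open human interrupt (for example a pending `permission_request_required`) when its run is cancelled. State whether the interrupt is closed and audited on cancel or left open.
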
@@ -95,7 +95,7 @@ the exact package was not available in the current attachment cache.
9595
| `codencer run status` | Implemented | `run status` exists. |
9696
| `codencer run events` | Implemented | `run events` returns local run timeline/events for known run plan records. |
9797
| `codencer run report` | Implemented | `run report` returns the local run report without relying on a Gateway call. |
98-
| `codencer run cancel` | Partially implemented | `run cancel` is exposed and returns structured local capability behavior where true cancellation is unsupported. |
98+
| `codencer run cancel` | Partially implemented | `run cancel` is exposed locally, and project-scoped Gateway/Relay/Connector cancel now reaches daemon-backed cancellation; executor-specific cancellation behavior still depends on the active executor/daemon state. |
9999
| `codencer run resume` | Partially implemented | `run resume` is exposed as a structured unsupported blocker until daemon HTTP resume exists. |
100100
| `codencer executor list/scan/test/default` | Implemented | Implemented in `cmd/codencer/main.go`. |
101101
| `codencer sync` or publish equivalent | Partially implemented | `codencer sync status/preview/publish` exists with metadata-only preview and no raw upload. |
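
Review bot: The rewritten `codencer run cancel` row on line 98 no longer says what the local command returns when true cancellation is unsupported; the old text recorded a structured local capability response, and the new text only says behavior "still depends on the active executor/daemon state". Keep the sentence about the structured response, or say explicitly that it was removed, so operators know whether a no-op cancel is distinguishable from a successful one.
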
@@ -137,7 +137,7 @@ the exact package was not available in the current attachment cache.
137137
The release remains `NO-GO` until at least these are resolved:
138138

139139
1. Antigravity real executor proof must pass or the final verdict must remain `NO-GO`.
140-
2. Async lifecycle now covers local, Relay MCP, Gateway MCP, and Gateway Console simple-task submit/report polling; manifest mode, true remote cancel, and true resume remain incomplete or structured blockers.
140+
2. Async lifecycle now covers local, Relay MCP, Gateway MCP, Gateway Console simple-task submit/report polling, and project-scoped cancel; manifest mode and true resume remain incomplete or structured blockers.
141141
3. Human interrupt lifecycle still needs complete operator answer/resume UI/MCP flows; first-class local interrupt records and Gateway audit now exist for blocker outcomes.
142142
4. Full redaction proof across every CLI/MCP/UI/Gateway surface remains incomplete, although default local human CLI output and sync preview are now covered.
143143
5. Raw log/artifact sync remains unsupported by design; only sanitized metadata-only `codencer sync publish --confirm` is implemented.
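
Review bot: Item 2 on line 140 drops "true remote cancel" from the open blockers, while item 4 on line 142 still records redaction proof as incomplete across CLI/MCP/UI/Gateway surfaces. The cancel route adds new responses and audit events on several of those surfaces, so item 4 should say whether cancel output is covered by the redaction checks, and item 2 could carry the final report's caveat that executor stop is bounded by daemon/executor cancellation semantics.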
