You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- Hardened the public self-host RC verifier so it emits only `GO` or `NO-GO`, rejects real-executor simulation env values, runs configured real executor gates by adapter, and fails the release gate when required real proofs are missing.
14
14
- Confirmed the real Codex path invokes the configured Codex binary with `ALL_ADAPTERS_SIMULATION_MODE=0` and `CODEX_SIMULATION_MODE=0`.
15
15
- Added `codencer run events`, `codencer run report`, `codencer run cancel`, and structured `codencer run resume` blocker behavior.
- Preserved `codencer.submit_project_task_and_wait` as a compatibility tool while adding non-blocking submit/start paths for planners that should not hold one long HTTP/MCP request open.
18
18
- Updated Gateway Console simple-task submit to send `wait=false`, poll the run report until terminal status, display `pending` while waiting, and emit the terminal audit event once when report refresh observes completion.
19
+
- Wired project run cancellation through Gateway HTTP, Gateway MCP, Relay HTTP, Relay MCP, Connector project proxy, and local daemon-backed cancellation, with Gateway run history/audit events for `cancel_project_run_requested` and terminal `run_cancelled`.
19
20
- Added `codencer sync status`, `codencer sync preview`, and `codencer sync publish` as explicit metadata-only sync controls. Raw artifacts/logs are blocked, and confirmed publish ingests only sanitized metadata into Gateway run history with `scope=synced`.
20
21
- Redacted local absolute repo/report paths, daemon URLs, token-like text, and unsafe executor summaries from default human CLI project/status/submit/run output while preserving explicit `--json` operator detail.
21
22
- Added Gateway run-history `scope` metadata and exposed it through the API and Console run list/detail views.
-`go test ./...` after adding Gateway MCP async lifecycle tools - passed
83
87
-`go test ./...` after adding Gateway Console async submit/report polling - passed
88
+
-`go test ./internal/connector ./internal/gateway ./internal/relay ./internal/localexec` after adding project-scoped cancel routing - passed
89
+
-`go test ./...` after adding project-scoped cancel routing - passed
84
90
-`cd web/gateway-console && npm run format:check` - passed
85
91
-`cd web/gateway-console && npm run lint` - passed
86
92
-`cd web/gateway-console && npm run typecheck` - passed
87
93
-`cd web/gateway-console && npm run test` - passed
88
94
-`cd web/gateway-console && npm run test -- --run tests/schemas.test.ts` - passed
95
+
-`cd web/gateway-console && npm run format:check && npm run lint && npm run typecheck && npm run test && npm run test:e2e -- --grep "project task form submits demo run"` - passed
96
+
-`cd web/gateway-console && npm run format:check && npm run lint && npm run typecheck && npm run test && npm run test:e2e` - passed
89
97
-`cd web/gateway-console && npm run build` - passed
90
98
-`cd web/gateway-console && npm run test:e2e` - passed
-`make verify-gateway` after adding project-scoped cancel routing - passed
94
103
-`make verify-gateway-console` - passed
104
+
-`make verify-gateway-console` after stabilizing run-detail navigation e2e and regenerating evidence - passed
95
105
-`make verify-gateway-console-live` - passed
96
106
-`make verify-gateway-console-live` after adding terminal audit-on-report refresh - passed
97
107
-`go test ./internal/adapters/antigravity` - passed
@@ -100,7 +110,7 @@ Branch: `next-phase`
100
110
-`CODENCER_E2E_REAL_EXECUTOR=codex CODENCER_E2E_REAL_EXECUTOR_COMMAND=/Applications/Codex.app/Contents/Resources/codex make verify-public-selfhost-rc` - failed with `NO-GO` due to external Codex usage limit after invoking the real Codex binary with simulation disabled; report `reports/public-selfhost-rc/20260624T125824Z/summary.md`
101
111
-`CODENCER_E2E_REQUIRED_REAL_EXECUTORS=codex CODENCER_E2E_REAL_EXECUTOR=codex CODENCER_E2E_REAL_EXECUTOR_COMMAND=<configured-codex-binary> make verify-public-selfhost-rc` - passed with scoped `GO` for Codex-only proof
-`make verify-public-selfhost-release TARGETS=host REQUIRE_TARGETS=host` - passed after project-scoped cancel routing and console e2e stabilization
104
114
-`CODENCER_E2E_REAL_EXECUTORS=codex,claude CODENCER_E2E_CODEX_COMMAND=<codex-binary> CODENCER_E2E_CLAUDE_COMMAND=<claude-binary> make verify-public-selfhost-rc` - failed by design with `NO-GO` after Codex and Claude passed and Antigravity was missing
105
115
-`cd web/gateway-console && CODENCER_E2E_BIN_DIR=../../bin CODENCER_E2E_EXECUTOR_ADAPTER=antigravity CODENCER_E2E_EXECUTOR_PROFILE=antigravity-default CODENCER_E2E_ANTIGRAVITY_INSTANCE_FILE=<temp-file> node tests/live/verify-live.mjs` - failed correctly; the provided Antigravity LS did not expose the isolated verifier repo workspace
106
116
-`git diff --check` - passed
@@ -111,7 +121,7 @@ Branch: `next-phase`
111
121
- Latest Codex real executor rerun is blocked by Codex account usage limits despite invoking the real binary with `is_simulation=false`; prior Codex proof remains the latest passing Codex proof.
112
122
- Current local Antigravity app processes expose reachable RPC endpoints, but the available candidates do not expose the isolated verifier repo workspace through `GetWorkspaceInfos`, so the verifier refuses to bind them for public release proof.
113
123
-`codencer run resume` and Gateway MCP `codencer.resume_project_run` are exposed as structured blockers because the daemon/Relay path does not yet expose a true resume route.
114
-
-Gateway MCP `codencer.cancel_project_run` is currently a structured capability blocker for project-level Gateway routing; local CLI cancellation support remains separate and limited by daemon/executor capability.
124
+
-Project-scoped cancel now routes through Gateway, Relay, Connector, and local daemon cancellation; whether the underlying executor stops immediately remains bounded by daemon/executor cancellation semantics.
115
125
- Raw log/artifact upload remains unsupported by design. `codencer sync publish --confirm` ingests metadata-only run/project summaries into Gateway history; it does not upload local reports, logs, artifacts, daemon URLs, or filesystem paths.
116
126
- Run history/audit synced-scope transport now exists for explicit metadata-only `codencer sync publish`; broader incremental sync policy and external source reconciliation remain incomplete.
117
127
- Human interrupt lifecycle is still partial: local report/event records and Gateway blocker audit exist, but complete operator answer/resume UI/MCP flows are not fully proven.
Copy file name to clipboardExpand all lines: reports/public-selfhost-hardening/implementation-audit.md
+6-6Lines changed: 6 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -37,7 +37,7 @@ the exact package was not available in the current attachment cache.
37
37
| Local-first source of truth | Partially implemented | Local daemon/CLI exists; default project/status/run/submit human output is redacted, while explicit JSON/debug outputs still carry local state for operator tooling. |
38
38
| Explicit sync/publish | Partially implemented |`codencer sync status/preview/publish` now provides metadata-only preview; confirmed publish ingests sanitized metadata into Gateway run history. Raw logs/artifacts remain blocked. |
39
39
| Local CLI submit UX | Partially implemented |`codencer submit` exists and is local-first; default human output redacts local paths, but progress UX remains narrow. |
40
-
| Async run lifecycle | Partially implemented | Local `run start/list/get/status/events/report/cancel/resume` exists; GatewayMCP exposes async start/submit/list/status/report/events and structured cancel/resume capability blockers. Gateway Console now submits simple tasks with `wait=false`, polls run reports, and records terminal audit events on report refresh. |
40
+
| Async run lifecycle | Partially implemented | Local `run start/list/get/status/events/report/cancel/resume` exists; Gateway/Relay/Connector now route true project-scoped cancel, Gateway MCP exposes async start/submit/list/status/report/events/cancel, and resume remains a structured capability blocker. Gateway Console now submits simple tasks with `wait=false`, polls run reports, and records terminal audit events on report refresh. |
41
41
| Human interrupt lifecycle | Partially implemented | Local reports/events now expose first-class `human_interrupts`, Gateway blocker outcomes emit `human_interrupt_created` audit events, and Antigravity unsafe permission waits now fail fast as manual-attention results; complete answer/resume UI/MCP lifecycle remains incomplete. |
42
42
| Real executor proofs | Partially implemented | Codex has prior artifact-backed proof and latest rerun invoked the real Codex binary with simulation disabled but failed on an external Codex usage-limit error; earlier Claude Code proof exists; Antigravity remains unproven and now fails early when the provided LS workspace does not match the isolated verifier repo. |
43
43
| Run history/audit/console | Partially implemented | Gateway-observed run history/audit now includes scope, limit/offset pagination, server-side filters, and grouped lifecycle summaries; synced/local ingest transport remains incomplete. |
@@ -72,10 +72,10 @@ the exact package was not available in the current attachment cache.
72
72
73
73
| Requirement | Status | Evidence |
74
74
| --- | --- | --- |
75
-
| Submit/status/events/report/cancel/resume lifecycle | Partially implemented | Local `run start/list/get/status/events/report/cancel/resume` exists. Gateway MCP now exposes `codencer.start_project_run`, `codencer.submit_project_task`, `codencer.list_project_runs`, `codencer.get_project_run_status`, `codencer.get_run_report`, `codencer.get_gateway_run_events`, and structured `cancel_project_run`/`resume_project_run` capability blockers. |
75
+
| Submit/status/events/report/cancel/resume lifecycle | Partially implemented | Local `run start/list/get/status/events/report/cancel/resume` exists. Gateway MCP now exposes `codencer.start_project_run`, `codencer.submit_project_task`, `codencer.list_project_runs`, `codencer.get_project_run_status`, `codencer.get_run_report`, `codencer.get_gateway_run_events`, and project-scoped `codencer.cancel_project_run`; `resume_project_run`remains a structured capability blocker. |
76
76
| Long-running tasks not dependent on one blocking request | Partially implemented | Local submit can run without `--wait`, Relay MCP has async project tools, Gateway MCP has a non-blocking async lifecycle, and Gateway Console simple-task submit now returns after submission and polls reports until terminal evidence is available. Manifest mode remains a blocking advanced path. |
77
77
|`get_run_report` for simple and manifest runs | Implemented for covered Gateway paths | Gateway tests cover submit/get report and manifest report paths. |
78
-
| Run state transitions include waiting/canceled/resumed | Partially implemented | Domain has states/gates in daemon tests; Gateway MCP preserves non-terminal `submitted/running` statesand exposes structured cancel/resume blockers where project-level Relay support is absent. |
78
+
| Run state transitions include waiting/canceled/resumed | Partially implemented | Domain has states/gates in daemon tests; Gateway MCP preserves non-terminal `submitted/running` states, forwards project-scoped cancel, records `run_cancelled`, and still exposes structured resume blockers where true resume support is absent. |
79
79
80
80
### 03 - Human Interrupts and Permissions
81
81
@@ -85,7 +85,7 @@ the exact package was not available in the current attachment cache.
85
85
| Clarifying questions | Partially implemented | Question blockers now produce `clarifying_question_required` interrupt records and Gateway `human_interrupt_created` audit; no first-class answer/resume command. |
86
86
| Permission requests | Partially implemented | Dangerous executor confirmation exists in Gateway Console, unsafe-action blockers map to `permission_request_required`, and Antigravity unsupported/out-of-workspace permission waits now become manual-attention results instead of timeouts; no generalized permission-request lifecycle. |
87
87
| OS/system human action required | Partially implemented | Daemon-not-running blockers map to `os_system_human_action_required` records; no full OS-action resolver flow. |
88
-
| Resume/cancel/audit interrupt lifecycle | Partially implemented | Local events include `human_interrupt_created`; Gateway audit records blocker interrupts; resume still returns a structured unsupported/capability blocker. |
88
+
| Resume/cancel/audit interrupt lifecycle | Partially implemented | Local events include `human_interrupt_created`; Gateway audit records blocker interrupts; project-scoped cancel is forwarded and audited; resume still returns a structured unsupported/capability blocker. |
89
89
90
90
### 04 - CLI Commands and Control Plane
91
91
@@ -95,7 +95,7 @@ the exact package was not available in the current attachment cache.
95
95
|`codencer run status`| Implemented |`run status` exists. |
96
96
|`codencer run events`| Implemented |`run events` returns local run timeline/events for known run plan records. |
97
97
|`codencer run report`| Implemented |`run report` returns the local run report without relying on a Gateway call. |
98
-
|`codencer run cancel`| Partially implemented |`run cancel` is exposed and returns structured local capability behavior where true cancellation is unsupported. |
98
+
|`codencer run cancel`| Partially implemented |`run cancel` is exposed locally, and project-scoped Gateway/Relay/Connector cancel now reaches daemon-backed cancellation; executor-specific cancellation behavior still depends on the active executor/daemon state. |
99
99
|`codencer run resume`| Partially implemented |`run resume` is exposed as a structured unsupported blocker until daemon HTTP resume exists. |
100
100
|`codencer executor list/scan/test/default`| Implemented | Implemented in `cmd/codencer/main.go`. |
101
101
|`codencer sync` or publish equivalent | Partially implemented |`codencer sync status/preview/publish` exists with metadata-only preview and no raw upload. |
@@ -137,7 +137,7 @@ the exact package was not available in the current attachment cache.
137
137
The release remains `NO-GO` until at least these are resolved:
138
138
139
139
1. Antigravity real executor proof must pass or the final verdict must remain `NO-GO`.
140
-
2. Async lifecycle now covers local, Relay MCP, Gateway MCP, and Gateway Console simple-task submit/report polling; manifest mode, true remote cancel, and true resume remain incomplete or structured blockers.
140
+
2. Async lifecycle now covers local, Relay MCP, Gateway MCP, Gateway Console simple-task submit/report polling, and project-scoped cancel; manifest mode and true resume remain incomplete or structured blockers.
141
141
3. Human interrupt lifecycle still needs complete operator answer/resume UI/MCP flows; first-class local interrupt records and Gateway audit now exist for blocker outcomes.
142
142
4. Full redaction proof across every CLI/MCP/UI/Gateway surface remains incomplete, although default local human CLI output and sync preview are now covered.
143
143
5. Raw log/artifact sync remains unsupported by design; only sanitized metadata-only `codencer sync publish --confirm` is implemented.
0 commit comments