Skip to content

PAN-2597#2601

Open
eltmon wants to merge 43 commits into
mainfrom
feature/pan-2597
Open

PAN-2597#2601
eltmon wants to merge 43 commits into
mainfrom
feature/pan-2597

Conversation

@eltmon

@eltmon eltmon commented Jul 12, 2026

Copy link
Copy Markdown
Owner

Issue: #2597

Acceptance Criteria

  • Spike: pin the app-server protocol schema on codex-cli 0.144.x (checkpoint C2)
  • Contracts: add codex app-server transport kinds
  • app-server manager core: spawn, version gate, handshake, RPC plumbing
  • app-server manager: thread/turn methods, notifications state, approvals, resume fallback
  • app-server host binary: socket + token auth, status op, lifecycle, event log
  • Host ops: message/interrupt/approval/user-input, threadId persistence, per-turn model (checkpoint C3)
  • Host pane feed and stdin line input
  • Launcher: codexMode 'app-server' + codex.transport config (default app-server, tui escape hatch)
  • Readiness + spawn wiring: status-op poll replaces pane scrape
  • Delivery door: app-server socket tier ahead of PTY supervisor
  • Structured approvals: pending-input from status, answers via socket
  • Resume and deacon recovery via thread/resume
  • Kill ladder: interrupt before SIGTERM, skip C-c keystroke
  • Transcript + cost continuity under app-server (checkpoint C1)
  • Documentation: harness docs, state-planes note, module headers

Implementation Tasks

  • Documentation: harness docs, state-planes note, module headers
  • Transcript + cost continuity under app-server (checkpoint C1)
  • Resume and deacon recovery via thread/resume
  • Readiness + spawn wiring: status-op poll replaces pane scrape
  • Launcher: codexMode 'app-server' + codex.transport config (default app-server, tui escape hatch)
  • Structured approvals: pending-input from status, answers via socket
  • Host pane feed and stdin line input
  • Kill ladder: interrupt before SIGTERM, skip C-c keystroke
  • Delivery door: app-server socket tier ahead of PTY supervisor
  • Host ops: message/interrupt/approval/user-input, threadId persistence, per-turn model (checkpoint C3)
  • app-server host binary: socket + token auth, status op, lifecycle, event log
  • app-server manager: thread/turn methods, notifications state, approvals, resume fallback
  • app-server manager core: spawn, version gate, handshake, RPC plumbing
  • Contracts: add codex app-server transport kinds
  • Spike: pin the app-server protocol schema on codex-cli 0.144.x (checkpoint C2)

Summary by CodeRabbit

  • New Features

    • Codex now uses the app-server transport by default for more reliable messaging, approvals, interruptions, and session recovery.
    • Added support for resuming Codex sessions and preserving conversation continuity.
    • Added Codex transport configuration with an optional TUI fallback.
    • Added clearer Codex setup, version requirements, troubleshooting, and protocol documentation.
  • Bug Fixes

    • Workspace task initialization errors now return a clear, actionable response.
    • Large messages and app-server delivery failures are handled more reliably with fallback behavior.

@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Adds Codex app-server support as the default transport, including protocol schemas, process hosting, authenticated Unix-socket operations, readiness and delivery handling, approval flows, recovery resume behavior, TUI fallback support, and related documentation and tests.

Changes

Codex app-server integration

Layer / File(s) Summary
Protocol and transport contracts
packages/contracts/..., src/lib/codex/..., src/lib/config-yaml/..., docs/..., configuration/...
Defines app-server message schemas and documentation, adds Codex transport configuration, updates harness contracts, and documents version requirements and TUI fallback behavior.
App-server manager and host
src/lib/codex/app-server-manager.ts, src/lib/codex/app-server-host.ts, src/lib/codex/__tests__/*
Adds Codex process management, JSONL RPC handling, Unix-socket authentication, lifecycle state, approval routing, event persistence, rendering, shutdown, and tests.
Launcher and agent runtime integration
src/lib/launcher-generator.ts, src/lib/agents/*, src/lib/overdeck/conversation-runtime.ts, src/lib/runtimes/behavior.ts
Selects app-server or TUI transport, generates app-server launchers, polls readiness, delivers messages through sockets, resumes Codex sessions, and gates TUI-specific polling.
Conversation approvals and interruption
src/lib/overdeck/conversation-delivery.ts, src/lib/runtimes/codex.ts, src/lib/runtimes/tmux-cli.ts, src/dashboard/frontend/..., tests/playwright/...
Routes pending approvals, input, interrupts, and tmux lifecycle operations through app-server or the legacy TUI path, with updated dashboard and UAT coverage.
Supporting state, errors, and generated persistence
src/lib/state-plane.ts, src/dashboard/server/..., sync-sources/hooks/record-cost-event.js, scripts/...
Adds workspace task error handling, expands state-plane recognition, updates test mocks, and refreshes bundled record persistence and auto-commit behavior.

Estimated code review effort: 5 (Critical) | ~120 minutes

Possibly related PRs

  • eltmon/overdeck#1810: Both changes use Codex rollout and thread identifiers to locate and resume Codex sessions.
🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 6.25% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check ❓ Inconclusive The title is just the ticket ID and does not describe the change, so it is too generic to be useful. Use a concise, descriptive title that summarizes the main change, such as adding Codex app-server transport support.
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/pan-2597

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🧹 Nitpick comments (2)
src/lib/overdeck/conversation-delivery.ts (1)

451-494: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Duplicate unix-socket-client logic vs. codex.ts's postAppServerInterrupt.

Both this function and postAppServerInterrupt in src/lib/runtimes/codex.ts independently implement "read token, check socket, POST JSON over unix socket with bridge-token header, parse response." codex.ts also hardcodes 'X-Overdeck-Bridge-Token' instead of importing the shared BRIDGE_TOKEN_HEADER constant used here — harmless at runtime (headers are case-insensitive) but a drift risk if the header name ever changes. Consider extracting a shared app-server HTTP client helper (e.g. alongside the manager/host modules) used by both call sites.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/overdeck/conversation-delivery.ts` around lines 451 - 494, Extract
the shared unix-socket app-server request flow from postCodexAppServerOp and
codex.ts’s postAppServerInterrupt into a common helper, including socket/token
validation, token loading, JSON POSTing, response-status handling, and parsing.
Update both callers to use the helper and import the shared BRIDGE_TOKEN_HEADER
constant instead of duplicating the header name.
src/lib/agents/runtime-command.ts (1)

337-341: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Use BRIDGE_TOKEN_HEADER here instead of duplicating the header name. The casing difference is harmless, but reusing the shared export from src/lib/bridge-token.ts keeps the bridge-token wire name centralized and avoids drift.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/agents/runtime-command.ts` around lines 337 - 341, Update the headers
construction in the runtime command request to use the shared
BRIDGE_TOKEN_HEADER export from bridge-token.ts as the property key instead of
the hardcoded X-Overdeck-Bridge-Token string, while preserving the existing
token value.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/CODEX-APP-SERVER-PROTOCOL.md`:
- Line 31: Remove the absolute /home/eltmon/Projects/t3code filesystem
references from the documentation links at lines 31 and 37, replacing them with
repository-relative references to codexAppServerManager.ts while preserving the
intended line references.

In `@src/lib/__tests__/launcher-generator.test.ts`:
- Around line 950-969: The test in “codex tui escape hatch preserves the
previous conversation command byte-for-byte” constructs both scripts from
identical configurations, so it never exercises a distinct escape-hatch path.
Change one side to invoke the actual escape-hatch entry point or compare the
generated escape-hatch output against a captured prior-command baseline, while
preserving the byte-for-byte equality assertion.

In `@src/lib/agents/runtime-command.ts`:
- Around line 330-364: Update postAppServerStatus to enforce a per-request
timeout on the httpRequest, using the existing readiness timeout context, and
reject the promise when the request exceeds that limit. Ensure the timeout also
closes or aborts the underlying request so waitForCodexAppServerReady can resume
its deadline checks instead of remaining blocked.

In `@src/lib/overdeck/conversation-delivery.ts`:
- Around line 451-494: Update postCodexAppServerOp to configure a finite timeout
on the httpRequest, and destroy the request when the timeout expires so callers
receive a failure instead of remaining blocked. Preserve the existing response
parsing and error handling, and use the established timeout configuration if one
exists.
- Around line 162-173: Pass the approval request id from the rendered modal
through the codex-approval API into handleConversationCodexApproval, using the
existing toolUseId value from codexConversationPendingInput. Validate that the
submitted id matches the live pending approval before calling
postCodexAppServerOp, and reject stale or mismatched submissions instead of
applying the decision to another request.

In `@src/lib/runtimes/codex.ts`:
- Around line 81-112: The postAppServerInterrupt request can remain pending
indefinitely when the app-server is unresponsive. Add a timeout to the
httpRequest created in postAppServerInterrupt, and destroy the request/socket
when it fires so the Promise rejects and killAgent() continues through its
escalation steps.

---

Nitpick comments:
In `@src/lib/agents/runtime-command.ts`:
- Around line 337-341: Update the headers construction in the runtime command
request to use the shared BRIDGE_TOKEN_HEADER export from bridge-token.ts as the
property key instead of the hardcoded X-Overdeck-Bridge-Token string, while
preserving the existing token value.

In `@src/lib/overdeck/conversation-delivery.ts`:
- Around line 451-494: Extract the shared unix-socket app-server request flow
from postCodexAppServerOp and codex.ts’s postAppServerInterrupt into a common
helper, including socket/token validation, token loading, JSON POSTing,
response-status handling, and parsing. Update both callers to use the helper and
import the shared BRIDGE_TOKEN_HEADER constant instead of duplicating the header
name.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 847e0ebd-6a03-45b2-b6f2-15fc51261519

📥 Commits

Reviewing files that changed from the base of the PR and between 5698a7d and 7e38326.

📒 Files selected for processing (32)
  • CLAUDE.md
  • configuration/harnesses.mdx
  • docs/AGENT-STATE-PLANES.md
  • docs/CODEX-APP-SERVER-PROTOCOL.md
  • packages/contracts/src/harness-behavior.ts
  • src/dashboard/server/services/codex-conversation-parser.ts
  • src/lib/__tests__/launcher-generator.test.ts
  • src/lib/agents/__tests__/delivery.test.ts
  • src/lib/agents/__tests__/resume.test.ts
  • src/lib/agents/__tests__/runtime-command.test.ts
  • src/lib/agents/delivery.ts
  • src/lib/agents/recovery.ts
  • src/lib/agents/runtime-command.ts
  • src/lib/agents/spawn.ts
  • src/lib/codex/__fixtures__/app-server-schema.json
  • src/lib/codex/__tests__/app-server-host.test.ts
  • src/lib/codex/__tests__/app-server-manager.test.ts
  • src/lib/codex/__tests__/fake-app-server.ts
  • src/lib/codex/app-server-host.ts
  • src/lib/codex/app-server-manager.ts
  • src/lib/config-yaml/defaults.ts
  • src/lib/config-yaml/merge.ts
  • src/lib/config-yaml/schema.ts
  • src/lib/cost-parsers/codex-parser.ts
  • src/lib/launcher-generator.ts
  • src/lib/overdeck/__tests__/conversation-delivery.test.ts
  • src/lib/overdeck/conversation-delivery.ts
  • src/lib/overdeck/conversation-runtime.ts
  • src/lib/runtimes/behavior.ts
  • src/lib/runtimes/codex.ts
  • sync-sources/hooks/record-cost-event.js
  • tsdown.config.ts

Comment thread docs/CODEX-APP-SERVER-PROTOCOL.md Outdated
Comment on lines +950 to +969
it('codex tui escape hatch preserves the previous conversation command byte-for-byte', () => {
const legacy = generateLauncherScriptSync({
...DEFAULT_CONFIG,
role: 'work',
harness: 'codex',
codexMode: 'tui',
spawnMode: 'conversation',
useSupervisor: true,
supervisorScriptPath: '/dist/pty-supervisor.js',
});
const escapeHatch = generateLauncherScriptSync({
...DEFAULT_CONFIG,
role: 'work',
harness: 'codex',
codexMode: 'tui',
spawnMode: 'conversation',
useSupervisor: true,
supervisorScriptPath: '/dist/pty-supervisor.js',
});
expect(escapeHatch).toBe(legacy);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Escape-hatch test compares two identical configs.

legacy and escapeHatch are built from byte-identical option objects, so expect(escapeHatch).toBe(legacy) is trivially true and does not validate the escape-hatch path against the prior TUI command. To be a meaningful regression guard, one side should represent the escape-hatch entry point (or the assertion should compare against a captured baseline string).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/__tests__/launcher-generator.test.ts` around lines 950 - 969, The
test in “codex tui escape hatch preserves the previous conversation command
byte-for-byte” constructs both scripts from identical configurations, so it
never exercises a distinct escape-hatch path. Change one side to invoke the
actual escape-hatch entry point or compare the generated escape-hatch output
against a captured prior-command baseline, while preserving the byte-for-byte
equality assertion.

Comment thread src/lib/agents/runtime-command.ts
Comment thread src/lib/overdeck/conversation-delivery.ts
Comment thread src/lib/overdeck/conversation-delivery.ts
Comment thread src/lib/runtimes/codex.ts
@eltmon

eltmon commented Jul 12, 2026

Copy link
Copy Markdown
Owner Author

Review CHANGES REQUESTED for PAN-2597

Review Synthesis — PAN-2597 — 2026-07-13T00:18:00-04:00

Verdict: CHANGES REQUESTED — Codex app-server launch/delivery cannot start a first turn because the selected model is never provided

Context

  • Manifest: /home/eltmon/Projects/overdeck/workspaces/feature-pan-2597/.pan/review/agent-pan-2597-review-d6edf501/context.json
  • Branch: feature/pan-2597
  • Workspace: /home/eltmon/Projects/overdeck/workspaces/feature-pan-2597
  • HEAD reviewed: d6edf5019c913f98bb4640417353cc0763df3122
  • Cycle number: 3
  • Prior cycle SHA: 930fdfd0ee673d491c26c5bd9dfbb22d7d16a42a from prior context.json; prior synthesis.md was missing

Convoy Status

Sub-role Signal Output Blocking findings
security ready /home/eltmon/Projects/overdeck/workspaces/feature-pan-2597/.pan/review/agent-pan-2597-review-d6edf501/security.md 1
correctness ready /home/eltmon/Projects/overdeck/workspaces/feature-pan-2597/.pan/review/agent-pan-2597-review-d6edf501/correctness.md 3
performance ready /home/eltmon/Projects/overdeck/workspaces/feature-pan-2597/.pan/review/agent-pan-2597-review-d6edf501/performance.md 3
requirements ready /home/eltmon/Projects/overdeck/workspaces/feature-pan-2597/.pan/review/agent-pan-2597-review-d6edf501/requirements.md 2

Blocking Findings

[correctness, requirements] App-server first-turn delivery has no model — src/lib/launcher-generator.ts:758

Fresh Codex app-server launches build node <hostPath> plus optional --resume, but do not pass the resolved model. The host supports --model and rejects a first message when neither the op nor the host launch supplied one (src/lib/codex/app-server-host.ts:151-157). Delivery posts { op: 'message', content, meta } without a model (src/lib/agents/delivery.ts:222).

Impact: default Codex app-server agents can reach readiness but reject the kickoff prompt, then the fallback pane path calls the same model-required handler and still cannot start a thread. This violates the app-server host ops, launcher mode, delivery tier, and resume/recovery requirements.

[correctness, performance] App-server readiness/status requests can hang indefinitely — src/lib/agents/runtime-command.ts:330

postAppServerStatus uses httpRequest over the app-server Unix socket without a request/socket timeout. waitForCodexAppServerReady awaits that status call inside its readiness loop, so a host that accepts the connection but never responds prevents the outer readiness deadline from being checked.

Impact: spawn or restart readiness can hang past the intended 30 second timeout and block lifecycle progress instead of recording a startup failure.

[correctness, performance] App-server interrupt can hang before kill escalation — src/lib/runtimes/codex.ts:81

postAppServerInterrupt posts { op: 'interrupt' } without a request/socket timeout, and killAgent awaits it before the existing SIGTERM/SIGKILL ladder.

Impact: stopping or restarting a wedged Codex app-server agent can stall before the escalation path that should tear down the tmux session/process group.

[performance] Dashboard app-server approval/status requests can pin route handlers — src/lib/overdeck/conversation-delivery.ts:451

postCodexAppServerOp has no request/socket timeout. Both pending-input polling and approval submission depend on this helper.

Impact: a stuck app-server can leave dashboard route handlers and pending-input probes waiting indefinitely instead of surfacing a bounded control failure.

[security, correctness] Approval submissions are not bound to the displayed request id — src/lib/overdeck/conversation-delivery.ts:162

The pending-input snapshot exposes the live approval id in toolUseId, but approval submission only sends optionNumber. handleConversationCodexApproval re-reads the current first pending approval at submit time and applies the operator decision to that request. The host also accepts an arbitrary requestId without checking that it is still a pending approval request.

Impact: if the pending approval queue changes between render and click, an accept/reject can apply to a different command than the operator reviewed.

[requirements] Pi/ohmypi runtime transports changed despite explicit non-goal — src/lib/runtimes/pi.ts:264

The requirements reviewer found that src/lib/runtimes/pi.ts and src/lib/runtimes/ohmypi.ts are changed in this PR, including their killAgent implementations, despite NonGoal 5 requiring no changes to Pi/ohmypi or Claude Code transports.

Impact: the PR crosses an explicit must-not boundary. Move or revert those runtime transport changes unless the scope is explicitly revised.

Non-blocking Findings

[security] Absolute local path in protocol docs — docs/CODEX-APP-SERVER-PROTOCOL.md:31

The protocol documentation includes /home/eltmon/Projects/t3code/... references. This leaks local directory layout and is not portable. Replace with repository-relative or label-style references.

Scope Note

All blocking findings are in files touched by the PR diff. The review directory count is 3, but both earlier review directories lack synthesis.md; because there is no prior synthesis verdict establishing what was already passed or demoted, I did not demote current Tier 1 reviewer blockers under the cycle-3 convergence gate. The prior context.json SHA (930fdfd0ee673d491c26c5bd9dfbb22d7d16a42a) is recorded for traceability.

Clean Sub-roles

None. All four sub-roles reported at least one blocking finding.

Source: /home/eltmon/Projects/overdeck/workspaces/feature-pan-2597/.pan/review/agent-pan-2597-review-d6edf501/synthesis.md

Required action

Fix every blocking review finding, commit the fixes, then re-request review with:

pan review request PAN-2597 -m "Fixed review issues"

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
src/lib/runtimes/codex.ts (2)

640-644: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Unvalidated pid interpolated into a shell command.

pid isn't shell-quoted or validated as numeric before being embedded in the kill -TERM command; a multi-pane session could yield newline-separated PIDs that fragment the command.

🛡️ Proposed fix
-      const pid = stdout.trim()
-      if (pid) await execAsync(`kill -TERM -- -${pid} 2>/dev/null || kill -TERM ${pid} 2>/dev/null || true`)
+      const pid = stdout.trim().split('\n')[0]?.trim()
+      if (pid && /^\d+$/.test(pid)) {
+        await execAsync(`kill -TERM -- -${pid} 2>/dev/null || kill -TERM ${pid} 2>/dev/null || true`)
+      }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/runtimes/codex.ts` around lines 640 - 644, Validate the trimmed
output from the tmux pane lookup in the cleanup flow before using it in the kill
command. Update the logic around pid so only a single numeric process ID is
accepted, rejecting newline-separated or otherwise malformed values, and
shell-quote the validated PID when interpolating it into execAsync; preserve the
existing cleanup fallback behavior for valid PIDs.

616-630: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

killAgent skips the interrupt step for this runtime’s codex exec agents. CodexRuntimeSync.spawnAgent() still launches plain codex exec in tmux and never seeds an app-server socket/token, but killAgent() now routes step 1 through the global codexTransport() default. That makes the interrupt a no-op here and sends these agents straight to the SIGTERM ladder. Gate the app-server branch on per-agent socket/token presence, or keep this path on Ctrl-C.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/runtimes/codex.ts` around lines 616 - 630, The interrupt logic in
killAgent must not select the global codexTransport() app-server path for agents
created by CodexRuntimeSync.spawnAgent(). Gate postAppServerInterrupt(agentId)
on that agent’s app-server socket/token state, or otherwise retain the tmux C-c
path when those credentials are absent, while preserving app-server interrupts
for properly initialized agents.
🧹 Nitpick comments (1)
src/lib/runtimes/codex.ts (1)

133-169: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Use the shared config loader for Codex transport src/lib/runtimes/codex.ts:133-169 config-yaml already merges codex.transport; this file-by-file YAML reader duplicates path/precedence logic and can drift from the canonical config handling.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/runtimes/codex.ts` around lines 133 - 169, Replace
readCodexTransportFromConfig and its file-by-file YAML helpers with the shared
config-yaml loader’s merged configuration, then read codex.transport from that
canonical result while preserving the app-server fallback in codexTransport.
Remove the duplicated projectConfigPaths and readCodexTransportFromYaml logic.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@src/lib/runtimes/codex.ts`:
- Around line 640-644: Validate the trimmed output from the tmux pane lookup in
the cleanup flow before using it in the kill command. Update the logic around
pid so only a single numeric process ID is accepted, rejecting newline-separated
or otherwise malformed values, and shell-quote the validated PID when
interpolating it into execAsync; preserve the existing cleanup fallback behavior
for valid PIDs.
- Around line 616-630: The interrupt logic in killAgent must not select the
global codexTransport() app-server path for agents created by
CodexRuntimeSync.spawnAgent(). Gate postAppServerInterrupt(agentId) on that
agent’s app-server socket/token state, or otherwise retain the tmux C-c path
when those credentials are absent, while preserving app-server interrupts for
properly initialized agents.

---

Nitpick comments:
In `@src/lib/runtimes/codex.ts`:
- Around line 133-169: Replace readCodexTransportFromConfig and its file-by-file
YAML helpers with the shared config-yaml loader’s merged configuration, then
read codex.transport from that canonical result while preserving the app-server
fallback in codexTransport. Remove the duplicated projectConfigPaths and
readCodexTransportFromYaml logic.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 02a6f93f-6c89-41e9-ad7d-b4a3738b544f

📥 Commits

Reviewing files that changed from the base of the PR and between 7e38326 and f7d08c8.

📒 Files selected for processing (18)
  • docs/CODEX-APP-SERVER-PROTOCOL.md
  • scripts/circular-deps-baseline.txt
  • scripts/lint-circular-deps.sh
  • src/dashboard/frontend/src/App/hooks/usePendingInputDialogs.ts
  • src/dashboard/server/routes/__tests__/conversations-supervisor.test.ts
  • src/lib/agents/__tests__/delivery.test.ts
  • src/lib/agents/delivery.ts
  • src/lib/agents/runtime-command.ts
  • src/lib/codex/__tests__/app-server-host.test.ts
  • src/lib/codex/app-server-host.ts
  • src/lib/config-yaml/roles.ts
  • src/lib/config-yaml/schema.ts
  • src/lib/launcher-generator.ts
  • src/lib/overdeck/__tests__/conversation-delivery.test.ts
  • src/lib/overdeck/conversation-delivery.ts
  • src/lib/runtimes/codex.ts
  • src/lib/runtimes/tmux-cli.ts
  • tests/playwright/conversation-supervisor-uat.test.ts
💤 Files with no reviewable changes (1)
  • scripts/circular-deps-baseline.txt
🚧 Files skipped from review as they are similar to previous changes (7)
  • src/lib/launcher-generator.ts
  • docs/CODEX-APP-SERVER-PROTOCOL.md
  • src/lib/agents/tests/delivery.test.ts
  • src/lib/overdeck/tests/conversation-delivery.test.ts
  • src/lib/codex/app-server-host.ts
  • src/lib/agents/delivery.ts
  • src/lib/overdeck/conversation-delivery.ts

@eltmon

eltmon commented Jul 15, 2026

Copy link
Copy Markdown
Owner Author

Review CHANGES REQUESTED for PAN-2597

Review Synthesis — PAN-2597 — 2026-07-14T22:18:00-04:00

Verdict: CHANGES REQUESTED — security report is missing for the active review run

Context

  • Manifest: /home/eltmon/Projects/overdeck/workspaces/feature-pan-2597/.pan/review/agent-pan-2597-review-5ac7e40b/context.json
  • Branch: feature/pan-2597
  • Workspace: /home/eltmon/Projects/overdeck/workspaces/feature-pan-2597
  • HEAD reviewed: 5ac7e40bc4e220954279dc4d9d8d1595ac2361d6
  • Cycle number: 8
  • Prior cycle SHA: f7d08c8f124927bb82a34af510a1abf0b175555a

Convoy Status

Sub-role Signal Output Blocking findings
security ready for a different run /home/eltmon/Projects/overdeck/workspaces/feature-pan-2597/.pan/review/agent-pan-2597-review-963d704e/security.md 1 infrastructure failure
correctness ready /home/eltmon/Projects/overdeck/workspaces/feature-pan-2597/.pan/review/agent-pan-2597-review-5ac7e40b/correctness.md 0 after convergence gate
performance ready /home/eltmon/Projects/overdeck/workspaces/feature-pan-2597/.pan/review/agent-pan-2597-review-5ac7e40b/performance.md 0 after convergence gate
requirements ready /home/eltmon/Projects/overdeck/workspaces/feature-pan-2597/.pan/review/agent-pan-2597-review-5ac7e40b/requirements.md 0

Blocking Findings

[security] Active-run security report is missing

The received security signal references run 963d704e, whose manifest reviewed HEAD 963d704eb83ab1b84fb283ec2db7d64347dff381. The active run 5ac7e40b reviews HEAD 5ac7e40bc4e220954279dc4d9d8d1595ac2361d6, and its review directory contains no security.md. Review policy treats a missing same-run report as blocking because the active snapshot lacks complete four-dimension coverage.

Non-blocking Findings

[correctness] [demoted: previously reviewed] App-server threads ignore configured Codex permission mode — src/lib/codex/app-server-host.ts:166

The cited thread policy path is in the PR diff but unchanged since the previously approved SHA f7d08c8f124927bb82a34af510a1abf0b175555a, so cycle-8 convergence prevents promotion to a blocker.

[correctness] [demoted: previously reviewed] Pane renderer does not consume real assistant event shapes — src/lib/codex/app-server-host.ts:278

The cited renderer is unchanged in the cycle diff from the previously approved SHA, so this finding remains advisory under the convergence gate.

[correctness] [demoted: previously reviewed] Generic Codex delivery retains the one-shot resume path — src/lib/runtimes/codex.ts:644

The cited runtime delivery line is unchanged in the cycle diff. A newly merged mainline caller reaches the existing method, but the review rule gates promotion on the cited PR line changing since the prior synthesis.

[correctness] Child exit leaves manager requests pending until timeout — src/lib/codex/app-server-manager.ts:253

The reviewer classified this lifecycle cleanup issue as advisory.

[correctness] User-input responses accept unknown request IDs — src/lib/codex/app-server-host.ts:208

The reviewer classified stale request-id validation as advisory.

[performance] [demoted: previously reviewed] Streaming notifications create unbounded file work and event-log growth — src/lib/codex/app-server-host.ts:221

This path was explicitly reviewed and demoted in the prior approved synthesis, and it is unchanged in the current cycle diff.

[performance] [demoted: previously reviewed] Unix-socket HTTP endpoint buffers request bodies without a limit — src/lib/codex/app-server-host.ts:313

The cited request-body path is unchanged since the previously approved SHA, so cycle-8 convergence prevents promotion to a blocker.

[security] Bound authenticated Unix-socket request bodies — src/lib/codex/app-server-host.ts:325

The ancestor security report classified this as defense-in-depth advisory; it does not substitute for missing active-run security coverage.

[security] Minimize persisted app-server protocol data — src/lib/codex/app-server-host.ts:221

The ancestor security report classified full protocol-payload logging as defense-in-depth advisory; it does not substitute for missing active-run security coverage.

Scope Note

The four terminal signals span two review run IDs. Security reviewed ancestor HEAD 963d704e; correctness, performance, and requirements reviewed active HEAD 5ac7e40b. The reports were not silently combined into complete active-run coverage.

Clean Sub-roles

  • Requirements: all 21 in-scope requirements are reported implemented, with no partial or missing requirements.

Source: /home/eltmon/Projects/overdeck/workspaces/feature-pan-2597/.pan/review/agent-pan-2597-review-5ac7e40b/synthesis.md

Required action

Fix every blocking review finding, commit the fixes, then re-request review with:

pan review request PAN-2597 -m "Fixed review issues"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant