[codex] Harden bridge HID access with broker

[glslang]

Summary

• add a dedicated agent-notify-hid-broker child process for UHK HID access
• route bridge display updates through a narrow local stdin/stdout JSON protocol
• keep --mock-display in-process while moving real HID macro generation/write handling behind the broker boundary

Notes

This keeps the tray/network bridge easy to run while preventing the network-facing process from directly writing arbitrary macro commands to the keyboard. The broker receives structured display intent, generates the UHK macro internally, and owns the HID write path.

Verification

• cargo fmt --all --check
• cargo check --workspace
• cargo test --workspace
• cargo clippy --workspace --all-targets -- -D warnings

Windows-target compilation was not available in the local toolchain used for implementation; the installed target was aarch64-apple-darwin only.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 74.62236% with 84 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.35%. Comparing base (0964750) to head (d2bc058).

Files with missing lines	Patch %	Lines
crates/agent-notify-bridge/src/worker.rs	19.35%	25 Missing ⚠️
...t-notify-bridge/src/bin/agent-notify-hid-broker.rs	0.00%	19 Missing ⚠️
crates/agent-notify-bridge/src/display.rs	77.50%	18 Missing ⚠️
crates/agent-notify-bridge/src/hid_broker.rs	86.36%	15 Missing ⚠️
crates/agent-notify-bridge/src/uhk.rs	0.00%	4 Missing ⚠️
crates/agent-notify-bridge/src/ipc.rs	97.67%	2 Missing ⚠️
crates/agent-notify-bridge/src/main.rs	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #24      +/-   ##
==========================================
+ Coverage   58.25%   63.35%   +5.10%     
==========================================
  Files           8       12       +4     
  Lines        1121     1411     +290     
==========================================
+ Hits          653      894     +241     
- Misses        468      517      +49     

Flag	Coverage Δ
rust	63.35% <74.62%> (+5.10%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
crates/agent-notify-bridge/src/main.rs	0.00% <0.00%> (ø)
crates/agent-notify-bridge/src/ipc.rs	97.67% <97.67%> (ø)
crates/agent-notify-bridge/src/uhk.rs	0.00% <0.00%> (ø)
crates/agent-notify-bridge/src/hid_broker.rs	86.36% <86.36%> (ø)
crates/agent-notify-bridge/src/display.rs	77.50% <77.50%> (ø)
...t-notify-bridge/src/bin/agent-notify-hid-broker.rs	0.00% <0.00%> (ø)
crates/agent-notify-bridge/src/worker.rs	34.58% <19.35%> (-0.74%)	⬇️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[glslang]

@cursor review

[cursor]

PR Summary

Medium Risk
Process boundary and IPC are new operational surfaces on Windows; mis-spawned broker or protocol bugs could break display updates without affecting auth, but HID behavior is user-visible and security-motivated.

Overview
Introduces a separate agent-notify-hid-broker process and moves UHK keyboard updates behind a newline-delimited JSON IPC protocol (ProbeKeyboard, SetDisplay with AgentEvent, Clear, Shutdown), with size limits and tests that reject raw macro strings.

On Windows, the network-facing bridge no longer writes HID directly: DisplayAdapter spawns the sibling broker binary, sends structured display intent, and restarts the broker after IPC failures. The broker owns macro generation and HID writes; --mock-display still runs in-process without the broker.

worker now drives the keyboard through display_event / clear (returns the macro text for status) instead of building macros in the websocket path; tray Test uses the same event path as live notifications. uhk is reduced to low-level keyboard_present / display_macro_command helpers used by the broker and non-Windows direct path.

The crate is reorganized into a agent_notify_bridge library (lib.rs) so main and the broker binary share display, ipc, and hid_broker modules.

^{Reviewed by Cursor Bugbot for commit 3a90ac2. Configure here.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3a90ac2f1b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Set a default binary for cargo run

Adding this second binary makes the package ambiguous for the existing documented dev command cargo run -p agent-notify-bridge -- --mock-display from README.md and AGENTS.md; I checked that Cargo now exits with could not determine which binary to run and lists both agent-notify-bridge and agent-notify-hid-broker. Please add default-run = "agent-notify-bridge" to the package manifest or update the documented commands to pass --bin agent-notify-bridge, otherwise the bridge can no longer be launched the documented way.

Useful? React with 👍 / 👎.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 3a90ac2. Configure here.}