feat: implement Codencer v2 local self-host path#2
Merged
lookmanrays merged 12 commits intomainfrom Apr 27, 2026
Merged
Conversation
Implement the full v2 local/self-host bridge path in this session: - harden the local daemon with explicit repo-root targeting, stable instance identity, manifest-backed discovery, truthful runtime compatibility reporting, artifact content retrieval, run reconciliation, and gate lifecycle closure - add the outbound connector with persistent Ed25519 identity, enrollment, signed challenge/response session auth, reconnect/heartbeat behavior, explicit instance sharing, and a narrow allowlisted proxy to the local daemon - add the self-host relay with sqlite-backed connector/enrollment state, planner auth scopes, connector session tracking, planner-facing /api/v2 routes, audit persistence, and resource routing hints - add the relay MCP surface with codencer.* tools on /mcp, keeping /mcp/call as a compatibility path while preserving relay auth and instance scoping - rewrite operator-facing architecture, security, connector, relay, self-host, and MCP docs to match current runtime truth, add WSL/Windows/Antigravity topology guidance, and record the v2 work in the changelog Verification performed: - go test ./internal/app ./internal/service ./internal/connector ./internal/relay ./internal/mcp -count=1 - go test ./... -count=1 Known alpha limitations remain explicit in docs: best-effort abort, opportunistic relay routing for previously unseen resource IDs, bounded artifact transport, and static self-host auth.
Remove tracked local build output and collapse duplicate public command entrypoints by deleting the legacy connector and relayd mains and keeping codencer-connectord and codencer-relayd as the canonical binaries. Update build ignores and the Makefile so local command artifacts are not recommitted and duplicate bin targets are not produced. Tighten daemon async dispatch and abort handling by moving background step submission onto RunService.DispatchStepAsync, reusing that path for retry dispatch, and making abort report success only when the active step actually reaches cancelled. Fail closed when no execution was registered or when adapter cancellation is not confirmed, and cover the immediate-abort race with focused service tests. Clarify MCP hierarchy and public surfaces by marking the daemon-local /mcp/call endpoint as a legacy local compatibility/admin bridge, keeping the relay MCP as the canonical remote integration surface, and adding explicit surface headers to distinguish the two. Bring runtime truth and docs back into alignment across README, relay, connector, self-host, MCP, and v2 contract notes so the repo now documents the actual alpha-grade guarantees and limitations: no raw shell, no arbitrary filesystem browsing, narrow remote routing, best-effort abort, bounded artifact transport, and static self-host auth. Verification: gofmt -w on touched Go files; go test ./internal/service ./internal/app ./internal/relay ./internal/connector ./internal/mcp -count=1; go test ./... -count=1
Remove committed extension dependency and build artifacts by deleting extension/node_modules and extension/out while keeping the extension manifests and source. Unify repo version/status truth on v0.2.0-alpha across the Makefile, runtime version string, public docs, validation scenario assets, and extension metadata. Tighten publication-facing wording so relay MCP remains the canonical remote surface, daemon-local MCP stays clearly local compatibility/admin only, and adapter/readiness claims defer to runtime compatibility instead of stale static support labels. Harden local runtime behavior with nanosecond attempt IDs, safer worktree reclamation for reused run branches, and clearer abort error wording when cancellation cannot be confirmed. Fix and stabilize service tests by isolating validation worktree tests from the real checkout and correcting the success provenance adapter so it reports completion instead of hanging the suite. Verification: go test ./internal/app ./internal/connector ./internal/relay ./internal/mcp -count=1; go test ./internal/service -count=1; go test ./... -count=1
Finalize the current v2 implementation for practical daily self-use without changing the core bridge-not-brain architecture. Daemon hardening: - fail closed for aborts against paused_for_gate runs and only report success when the active step really reaches cancelled - tighten restart recovery to restore evidence-backed terminal/gated states and move ambiguous active work to needs_manual_attention - add local read routes for gate metadata and artifact metadata by id - make log and artifact selection deterministic across multiple attempts - remove repo-root fallback/path leaks and harden worktree cleanup on provisioning and adapter start failures Connector completion: - add persisted local connector status snapshots with session state, heartbeat/error fields, and shared instance ids - add codencer-connectord status --json for offline operator inspection - keep explicit sharing only and extend the allowlist narrowly for safe relay route probing of artifact and gate metadata Relay completion: - add relay admin/status endpoints for status, connectors, and recent audit - resolve step/artifact/gate routes deterministically by probing only authorized online shared instances when route hints are missing - persist discovered route hints and keep ambiguous or offline lookups fail-closed Relay MCP and operator flow: - update relay MCP resource tools to use deterministic routing without requiring prior observation of resource ids - add a practical self-host smoke script and broker build target - sync README and operator docs to the current alpha-grade runtime truth, including canonical binaries, relay MCP hierarchy, bootstrap-only enrollment_secret wording, and honest abort/auth limitations Verification performed: - go test ./internal/app ./internal/service ./internal/storage/sqlite -count=1 - go test ./internal/connector ./internal/relay ./internal/mcp ./cmd/codencer-connectord -count=1 - go test ./... -count=1 - go build ./cmd/orchestratord ./cmd/orchestratorctl ./cmd/codencer-connectord ./cmd/codencer-relayd - (cd cmd/broker && go build ./...) - make build - live self-host smoke path against local daemon + relay + connector
This commit lands the full beta-finalization program for the current
Codencer repository and promotes the repo-wide release truth from
v0.2.0-alpha to v0.2.0-beta.
It includes the completed work across the frozen beta workstreams:
- cloud self-host finalization
- close tenant-scope and token-revocation gaps
- harden cloud runtime HTTP and cloud MCP parity
- strengthen composed cloud runtime, MCP, and SDK proof
- relay/runtime connector finalization
- fix share --instance-id so shared state cannot drift into unroutable
fake-shared entries
- harden connector re-advertise and stale session pruning
- keep relay HTTP and relay MCP scoped and behaviorally aligned
- local core finalization
- fix the local same-run wait/finalization race
- stabilize retry/result lifecycle truth
- make legacy v1/local parity smoke repeatable
- planner/client integration finalization
- freeze the public compatibility matrix to proven vs expected vs
compatibility-only claims
- package relay/cloud MCP guidance and client examples
- provider connector finalization
- preserve repeated webhook history as append-only event storage
- enforce Jira webhook deferment truthfully
- enrich provider action and audit logs
- release engineering and public testability
- add explicit repo-level verification entrypoints
- improve public tester routing and self-host documentation
- keep deployment packaging and Docker compose proof aligned with repo
truth
- final beta confirmation
- rerun the frozen verification matrix
- rerun Docker-backed cloud stack proof on a live Docker daemon host
- add the durable beta confirmation report
- update public and internal release surfaces to v0.2.0-beta
Public truth after this commit:
- Codencer is beta for the supported local, self-host relay/runtime,
self-host cloud, planner/client, and provider tracks
- compatibility-only and deferred surfaces remain explicitly outside the
beta promise
- non-blocking linker warning noise remains documented but does not block
the beta claim
Verification performed:
- make build-supported
- make verify-beta
- make cloud-stack-smoke
- detached temporary worktree overlay:
make build-supported && make verify-beta
- make verify-beta-docker
Rewrite the README around the durable execution record and planner-to-executor bridge while preserving the v0.2.0-beta status block, quickstart commands, and beta track table. Restructure setup docs into a platform hub, add dedicated macOS, Windows, WSL, and remote VPS walkthroughs, and consolidate scattered limits into docs/KNOWN_LIMITATIONS.md. Add planner-side MCP walkthroughs for ChatGPT, Claude Desktop/claude.ai, and Gemini CLI plus minimal example JSON files, keeping ChatGPT and Claude compatibility-only and Gemini expected-only. Add operator-facing v0.2.0-beta release notes and cross-platform public-testability workflows for macOS and Windows, with Windows scoped truthfully to agent-broker build coverage while BG-011 remains a known secondary-surface test failure.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implement the full v2 local/self-host bridge path in this session:
Verification performed:
Known alpha limitations remain explicit in docs: best-effort abort, opportunistic relay routing for previously unseen resource IDs, bounded artifact transport, and static self-host auth.