Skip to content

fix: close composable runtime policy and contract gaps#273

Merged
miyaontherelay merged 5 commits into
mainfrom
codex/issue-2619-final-findings
Jul 16, 2026
Merged

fix: close composable runtime policy and contract gaps#273
miyaontherelay merged 5 commits into
mainfrom
codex/issue-2619-final-findings

Conversation

@miyaontherelay

Copy link
Copy Markdown
Contributor

Summary

Closes the reopened Workforce-side findings for AgentWorkforce/cloud#2619:

  • implement real live/fixture model behavior, multi-turn simulated provider receipt continuity, and explicit input/read/model/HTTP fidelity labels
  • make HN live-read/live-model cases non-vacuous and render the complete ordered human preview, including exact Slack parent/thread text and linkage
  • enforce writes: deny and canonical preview at Relayfile's final write boundary before authored imports/handlers can rebind policy
  • preserve ordered effects exactly once through recording transports
  • define and validate the strict composio.trigger.message@1 payload/delivery contract, including coordinate equivalence
  • consume the real published @relayfile/relay-helpers@0.4.7 from npm with no local overlay

Safety evidence

  • public root and ./transport binder attacks attempted from compiled Agents
  • known global Symbol overwrite/delete attempted
  • deny remains authoritative: 9/9 channels denied, zero authored/explicit/custom writes, zero sentinel traffic, zero receipts, exit 1
  • preview remains canonical: ordered simulated receipts only, no authored transport mutation
  • one read produces one action and one trace span; no duplicate effect recording
  • strict contract rejects 27 malformed/cross-coordinate frames through all validation paths

Exact pre-release verification

Reviewed commit: 057d6f1

  • fresh registry install: @relayfile/relay-helpers@0.4.7
  • registry SHA-1: 1ee3ff9ba60326a93584fbb62395bdfba1fde1c6
  • events: 11/11
  • runtime: 130/130
  • CLI: 322/322
  • full pnpm run check: pass
  • installed runtime rebind attack: 1/1
  • compiled-Agent deny/preview attacks: 2/2
  • live HN smoke: three current GETs and two preview-only Slack writes with exact parent/thread linkage
  • fresh Claude verdict: COMPREHENSIVELY_SATISFIED
  • fresh Codex verdict: COMPREHENSIVELY_SATISFIED

Rollout

No Workforce package version is changed here. After merge, publish the lockstep patch release (expected 4.1.24), update Cloud to the exact published packages, deploy the scoped runtime snapshot/web worker, then rerun Agents strict installed-package acceptance before final issue evidence.

@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

@miyaontherelay, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 24 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 0f5e734a-0f2d-458d-85fa-998c2bb8f7b1

📥 Commits

Reviewing files that changed from the base of the PR and between b3cf787 and 057d6f1.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (13)
  • packages/cli/src/invoke-command.test.ts
  • packages/cli/src/invoke-command.ts
  • packages/delivery/package.json
  • packages/events/README.md
  • packages/events/src/contract-schema-keywords.ts
  • packages/events/src/index.ts
  • packages/events/src/json-schema.ts
  • packages/events/src/registry.test.ts
  • packages/events/src/registry.ts
  • packages/runtime/package.json
  • packages/runtime/src/local-preview-executor.ts
  • packages/runtime/src/local-preview-hooks.ts
  • packages/runtime/src/local-preview.test.ts
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/issue-2619-final-findings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@miyaontherelay
miyaontherelay merged commit 393dcb2 into main Jul 16, 2026
3 checks passed
@miyaontherelay
miyaontherelay deleted the codex/issue-2619-final-findings branch July 16, 2026 03:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant