@@ -1250,6 +1250,162 @@ then reports the expected next event window without mailbox reads, drains, acks,
|
||||
or consumer cursor mutation. The live smoke is
|
||||
`scripts/fabric/c19z1-remote-workspace-mailbox-preflight-smoke.ps1`.
|
||||
|
||||
C19Z2 adds telemetry for mailbox preflight checks. Workload status and heartbeat
|
||||
reports now expose preflight totals, ack/checkpoint split counters, and the last
|
||||
preflight cursor/window fields so diagnostics can distinguish handoff checks
|
||||
from mailbox reads. The live smoke is
|
||||
`scripts/fabric/c19z2-remote-workspace-mailbox-preflight-telemetry-smoke.ps1`.
|
||||
|
||||
C19Z3 adds stale-cursor diagnostics to mailbox preflight. If a consumer cursor
|
||||
falls behind retained mailbox events after bounded-mailbox drops, preflight
|
||||
reports retained sequence bounds, `stale_cursor`, `diagnostic_state`, and
|
||||
`missing_dropped_count`; the latest stale state is also visible in telemetry and
|
||||
readiness diagnostics. The live smoke is
|
||||
`scripts/fabric/c19z3-remote-workspace-mailbox-stale-preflight-smoke.ps1`.
|
||||
|
||||
C19Z4 adds action hints to mailbox preflight diagnostics. Stale cursor gaps now
|
||||
return `recommended_action=reset_consumer_and_resync` plus hints to reset the
|
||||
consumer cursor, request full adapter resync, and resume from checkpoint after
|
||||
resync. The live smoke is
|
||||
`scripts/fabric/c19z4-remote-workspace-mailbox-preflight-action-hints-smoke.ps1`.
|
||||
|
||||
C19Z5 adds provenance for the selected preflight action. Responses, telemetry,
|
||||
and readiness diagnostics include `action_reason` and structured
|
||||
`action_context` with cursor, retained sequence bounds, dropped/missing counts,
|
||||
and expected window values. The live smoke is
|
||||
`scripts/fabric/c19z5-remote-workspace-mailbox-preflight-provenance-smoke.ps1`.
|
||||
|
||||
C19Z6 adds the operator-facing summary for mailbox preflight. Responses,
|
||||
telemetry, and readiness diagnostics include `operator_summary` plus compact
|
||||
`operator_summary_fields` for the diagnostic state, selected action, reason,
|
||||
cursor, retained bounds, and expected window counters. The live smoke is
|
||||
`scripts/fabric/c19z6-remote-workspace-mailbox-preflight-summary-smoke.ps1`.
|
||||
|
||||
C19Z7 adds machine-sortable operator severity for mailbox preflight. Responses,
|
||||
telemetry, readiness diagnostics, and summary fields expose `operator_status`
|
||||
and `operator_severity`, classifying ready windows, caught-up cursors, and
|
||||
stale cursor gaps without parsing summary text. The live smoke is
|
||||
`scripts/fabric/c19z7-remote-workspace-mailbox-preflight-severity-smoke.ps1`.
|
||||
|
||||
C19Z8 adds the grouped readiness rollup for mailbox preflight. The readiness
|
||||
diagnostic keeps the flat fields and adds `last_preflight` with observed time,
|
||||
cursor, counts, diagnostic state, action hints/provenance, operator summary,
|
||||
status, severity, and summary fields. The live smoke is
|
||||
`scripts/fabric/c19z8-remote-workspace-mailbox-preflight-rollup-smoke.ps1`.
|
||||
|
||||
C19Z9 adds retained-window detail to that preflight rollup. The grouped
|
||||
`last_preflight` readiness object includes first/last retained sequence and
|
||||
mailbox dropped total so stale cursor explanations are visible without opening
|
||||
the raw preflight response. The live smoke is
|
||||
`scripts/fabric/c19z9-remote-workspace-mailbox-preflight-retained-window-smoke.ps1`.
|
||||
|
||||
C19Z10 adds a structured remediation checklist to that rollup. The grouped
|
||||
`last_preflight.remediation_checklist` entries expose required/satisfied
|
||||
operator steps derived from action hints, including cursor reset, full adapter
|
||||
resync, and resume after resync for stale cursor gaps. The live smoke is
|
||||
`scripts/fabric/c19z10-remote-workspace-mailbox-preflight-checklist-smoke.ps1`.
|
||||
|
||||
C19Z11 adds checklist status and counts to that rollup. The grouped
|
||||
`last_preflight` readiness object exposes `remediation_checklist_status` and
|
||||
total/required/satisfied/pending counts for admin UI summaries. The live smoke
|
||||
is
|
||||
`scripts/fabric/c19z11-remote-workspace-mailbox-preflight-checklist-status-smoke.ps1`.
|
||||
|
||||
C19Z12 adds session-level preflight operator status/severity counters.
|
||||
Readiness exposes status and severity count maps, mirrored in `last_preflight`,
|
||||
so repeated resync-required/warn preflights are visible without retaining a
|
||||
history log. The live smoke is
|
||||
`scripts/fabric/c19z12-remote-workspace-mailbox-preflight-status-counts-smoke.ps1`.
|
||||
|
||||
C19Z13 adds compact preflight attention status on top of those counters.
|
||||
Readiness and `last_preflight` expose `preflight_attention_status` so admin UI
|
||||
can sort clean, attention-needed, and repeated-resync sessions without
|
||||
interpreting count maps. The live smoke is
|
||||
`scripts/fabric/c19z13-remote-workspace-mailbox-preflight-attention-smoke.ps1`.
|
||||
|
||||
C19Z14 proves the repeated-resync attention branch. Unit and live smoke coverage
|
||||
perform multiple stale preflights on one active adapter session and verify
|
||||
`preflight_attention_status=repeated_resync_required` with repeated
|
||||
resync-required/warn counters. The live smoke is
|
||||
`scripts/fabric/c19z14-remote-workspace-mailbox-preflight-repeated-attention-smoke.ps1`.
|
||||
|
||||
C19Z15 adds the preflight attention reason. Readiness and `last_preflight`
|
||||
expose `preflight_attention_reason` beside the attention status, explaining
|
||||
clean, attention-needed, and repeated-resync states without UI-side counter
|
||||
parsing. The live smoke is
|
||||
`scripts/fabric/c19z15-remote-workspace-mailbox-preflight-attention-reason-smoke.ps1`.
|
||||
|
||||
C19Z16 completes focused proof coverage for those attention reasons. Unit tests
|
||||
cover clean, single-resync, repeated-resync, and no-preflight mappings; live
|
||||
smoke proves the single stale-preflight reason. The live smoke is
|
||||
`scripts/fabric/c19z16-remote-workspace-mailbox-preflight-attention-reason-coverage-smoke.ps1`.
|
||||
|
||||
C19Z17 adds the preflight diagnostics contract marker. The readiness
|
||||
`last_preflight` rollup includes `diagnostics_schema_version` and
|
||||
`diagnostics_contract` entries for retained-window, remediation-checklist,
|
||||
attention, and operator-count fields, allowing UI rendering to be gated safely.
|
||||
The live smoke is
|
||||
`scripts/fabric/c19z17-remote-workspace-mailbox-preflight-contract-smoke.ps1`.
|
||||
|
||||
C19Z18 adds boolean diagnostics feature flags to the same preflight rollup.
|
||||
`last_preflight.diagnostics_features` now exposes retained-window,
|
||||
remediation-checklist, attention, and operator-count support directly, so admin
|
||||
UI and automation can gate each diagnostics group without scanning the contract
|
||||
list. The live smoke is
|
||||
`scripts/fabric/c19z18-remote-workspace-mailbox-preflight-feature-flags-smoke.ps1`.
|
||||
|
||||
C19Z19 proves compatibility between the two diagnostics contract forms. Unit
|
||||
coverage and live smoke verify that workload and telemetry reports expose both
|
||||
the string `diagnostics_contract` entries and matching boolean
|
||||
`diagnostics_features` flags for every preflight diagnostics group. The live
|
||||
smoke is
|
||||
`scripts/fabric/c19z19-remote-workspace-mailbox-preflight-contract-compatibility-smoke.ps1`.
|
||||
|
||||
C19Z20 proves the no-preflight readiness shape. Before any mailbox preflight is
|
||||
observed, active adapter sessions expose `preflight_attention_status=unknown`,
|
||||
`preflight_attention_reason=no_preflight_observed`, zero session preflight
|
||||
count, and no grouped `last_preflight` rollup. The live smoke is
|
||||
`scripts/fabric/c19z20-remote-workspace-mailbox-preflight-absence-smoke.ps1`.
|
||||
|
||||
C19Z21 proves the no-active-session readiness shape. After closing the active
|
||||
adapter session, readiness exposes idle/not-ready state, zero active sessions,
|
||||
no active `adapter_session_id`, no grouped `last_preflight`, and terminal
|
||||
`last_session_state=closed` from the terminal-session ledger. The live smoke is
|
||||
`scripts/fabric/c19z21-remote-workspace-no-active-session-readiness-smoke.ps1`.
|
||||
|
||||
C19Z22 proves terminal-state readiness for `expire` and `reset` controls. The
|
||||
same no-active-session readiness shape now reports
|
||||
`last_session_state=expired` or `last_session_state=reset` from the
|
||||
terminal-session ledger. The live smoke is
|
||||
`scripts/fabric/c19z22-remote-workspace-terminal-state-readiness-smoke.ps1`.
|
||||
|
||||
C19Z23 adds grouped terminal-session summary metadata to no-active-session
|
||||
readiness. `terminal_session_summary` carries adapter session id, terminal
|
||||
state, reason, and control timestamp so admin UI can render the terminal cause
|
||||
without stitching flat fields. The live smoke is
|
||||
`scripts/fabric/c19z23-remote-workspace-terminal-session-summary-smoke.ps1`.
|
||||
|
||||
C19Z24 adds the terminal-session summary contract marker. The grouped summary
|
||||
now carries schema version
|
||||
`rap.remote_workspace_adapter_terminal_session_summary.v1` and a
|
||||
summary-contract field list for explicit UI gating. The live smoke is
|
||||
`scripts/fabric/c19z24-remote-workspace-terminal-summary-contract-smoke.ps1`.
|
||||
|
||||
C19Z25 adds boolean `summary_features` to the same grouped terminal-session
|
||||
summary, covering adapter session id, state, reason, and control timestamp. The
|
||||
live smoke is
|
||||
`scripts/fabric/c19z25-remote-workspace-terminal-summary-features-smoke.ps1`.
|
||||
|
||||
C19Z26 proves compatibility between `summary_contract` and `summary_features`
|
||||
for the grouped terminal-session summary in workload and telemetry reports. The
|
||||
live smoke is
|
||||
`scripts/fabric/c19z26-remote-workspace-terminal-summary-compatibility-smoke.ps1`.
|
||||
|
||||
C19Z27 proves the absence shape for terminal-session summary. Before any adapter
|
||||
session or terminal history exists, readiness reports `waiting_for_session` and
|
||||
does not include `terminal_session_summary`. The live smoke is
|
||||
`scripts/fabric/c19z27-remote-workspace-terminal-summary-absence-smoke.ps1`.
|
||||
|
||||
Includes:
|
||||
|
||||
- container/native workload contract
|
||||
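Review bot: The C19Z13 and C19Z15 paragraphs name only clean, attention-needed, and repeated-resync as the states an admin UI sorts on, while the C19Z20 paragraph later in this hunk documents a fourth shape, `preflight_attention_status=unknown` with `preflight_attention_reason=no_preflight_observed` and no grouped `last_preflight` rollup. Please list `unknown` where the attention values are first introduced and state that a consumer must not read an absent `last_preflight` as clean, otherwise a UI written from the C19Z13 text alone can show an unobserved session as healthy. The C19Z17 to C19Z19 paragraphs also leave open which form a client should trust if `diagnostics_contract` and `diagnostics_features` ever disagree; C19Z19 proves they match in the tested reports, so one sentence naming the authoritative form, or telling clients to withhold the diagnostics group on a mismatch, would close that gap.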
@@ -1671,9 +1827,234 @@ with synthetic traffic only. C18 defines the VPN/IP tunnel service target model
|
||||
authorize VPN/IP tunnel runtime. C18A adds the VPN/IP tunnel control-plane
|
||||
data model and platform-admin skeleton only. C18B hardens single-active
|
||||
lease/fencing semantics. C18C adds node-agent desired-state/status reporting
|
||||
for scoped VPN assignments only. C19 is now reserved for the Version
|
||||
Storage/Update Repository and node-agent update/rollback foundation; it is not
|
||||
implemented by this document. No RDP, data-plane, VPN runtime, production
|
||||
relay, production mesh service traffic, node-agent VPN execution, host
|
||||
networking, service workload runtime, or production updater behavior is implied
|
||||
by this document.
|
||||
for scoped VPN assignments only. C19 Remote Workspace adapter probe layers are
|
||||
still node-local and probe-only; through C19Z30, fresh no-session runtime
|
||||
readiness exposes a grouped `no_session_summary` contract plus
|
||||
`summary_features`, with compatibility proof across workload and telemetry,
|
||||
while terminal-history readiness exposes `terminal_session_summary` and omits
|
||||
`no_session_summary`; summary exclusivity is proven across fresh, active, and
|
||||
terminal readiness states, and a compact readiness state matrix artifact exists
|
||||
for admin/runtime handoff. C19Z34 records the explicit probe-to-runtime gates
|
||||
and confirms Remote Workspace still has no production payload traffic. C19Z35
|
||||
adds the disabled-by-default real-adapter supervision status scaffold without
|
||||
enabling real adapter execution. C19Z36 proves that scaffold's env/status/
|
||||
guardrail compatibility. C19Z37 adds sanitized config projection for the future
|
||||
real adapter while still refusing activation and payload traffic. C19Z38 proves
|
||||
that projection for both default/empty and requested config shapes. C19Z39 adds
|
||||
an explicit blocked activation decision contract with required/missing gates.
|
||||
C19Z40 adds a compact handoff report proving scaffold/projection/decision
|
||||
alignment for requested and default node config.
|
||||
C19Z41 adds explicit feature flags for those real-adapter supervision fields.
|
||||
C19Z42 folds those feature flags into the compact handoff report for
|
||||
admin/runtime handoff.
|
||||
C19Z43 proves contract-probe precedence when real-adapter supervision is also
|
||||
requested in desired workload config.
|
||||
C19Z44 proves the real-adapter-only desired workload path remains degraded and
|
||||
blocked.
|
||||
C19Z45 adds a compact desired-workload mode matrix for probe-only,
|
||||
real-adapter-only, and combined requested modes.
|
||||
C19Z46 adds compatibility proof for the mode matrix row contract.
|
||||
C19Z47 adds a disabled process-supervisor preconditions contract for future
|
||||
external RDP worker supervision.
|
||||
C19Z48 proves that contract across requested/default config shapes.
|
||||
C19Z49 folds process-supervisor preconditions into the compact handoff report.
|
||||
C19Z50 folds process-supervisor preconditions into the desired-workload mode
|
||||
matrix.
|
||||
C19Z51 proves the mode matrix v2 row contract.
|
||||
C19Z52 adds a disabled process-health-probe contract for future external RDP
|
||||
worker supervision.
|
||||
C19Z53 proves that process-health-probe contract across requested/default
|
||||
status forms.
|
||||
C19Z54 folds process-health-probe visibility into the compact real-adapter
|
||||
handoff report.
|
||||
C19Z55 folds process-health-probe visibility into the desired-workload mode
|
||||
matrix.
|
||||
C19Z56 proves the mode matrix v3 row contract.
|
||||
C19Z57 adds a compact disabled real-adapter readiness/handoff checklist.
|
||||
C19Z58 proves the readiness/handoff summary and checklist contract.
|
||||
C19Z59 adds a disabled real-adapter operator action map.
|
||||
C19Z60 proves the disabled real-adapter operator action map contract.
|
||||
C19Z61 adds a compact disabled real-adapter admin handoff bundle.
|
||||
C19Z62 proves the disabled real-adapter admin handoff bundle contract.
|
||||
C19Z63 adds compact disabled real-adapter admin handoff digest rows.
|
||||
C19Z64 proves the disabled real-adapter admin handoff digest row contract.
|
||||
C19Z65 adds a disabled real-adapter admin handoff digest rollup.
|
||||
C19Z66 proves the disabled real-adapter admin handoff digest rollup contract.
|
||||
C19Z67 adds a disabled real-adapter admin handoff full-chain summary.
|
||||
C19Z68 proves the disabled real-adapter admin handoff full-chain summary
|
||||
contract.
|
||||
C19Z69 adds a disabled real-adapter admin handoff release marker.
|
||||
C19Z70 proves the disabled real-adapter admin handoff release marker contract.
|
||||
C19Z71 adds a final contract-only package index for the disabled real-adapter
|
||||
admin handoff chain.
|
||||
C19Z72 proves the final package index contract for the disabled real-adapter
|
||||
admin handoff chain.
|
||||
C19Z73 adds a contract-only runtime gate phase boundary for the next disabled
|
||||
real-adapter preflight phase.
|
||||
C19Z74 proves the runtime gate phase boundary contract.
|
||||
C19Z75 adds a disabled real-adapter runtime gate preflight checklist with all
|
||||
items still blocking runtime.
|
||||
C19Z76 proves the disabled real-adapter runtime gate preflight checklist
|
||||
contract.
|
||||
C19Z77 adds a disabled real-adapter runtime gate preflight status summary.
|
||||
C19Z78 proves the disabled real-adapter runtime gate preflight status summary
|
||||
contract.
|
||||
C19Z79 adds disabled real-adapter runtime gate preflight action hints.
|
||||
C19Z80 proves the disabled real-adapter runtime gate preflight action hints
|
||||
contract.
|
||||
C19Z81 adds a disabled real-adapter runtime gate preflight operator handoff
|
||||
bundle.
|
||||
C19Z82 proves the disabled real-adapter runtime gate preflight operator handoff
|
||||
bundle contract.
|
||||
C19Z83 adds a disabled real-adapter runtime gate preflight release marker.
|
||||
C19Z84 proves the disabled real-adapter runtime gate preflight release marker
|
||||
contract.
|
||||
C19Z85 adds a disabled real-adapter runtime gate preflight package index.
|
||||
C19Z86 proves the disabled real-adapter runtime gate preflight package index
|
||||
contract.
|
||||
C19Z87 adds a disabled real-adapter runtime gate preflight closeout summary.
|
||||
C19Z88 proves the disabled real-adapter runtime gate preflight closeout summary
|
||||
contract.
|
||||
C19Z89 starts the explicit real-adapter runtime gate enablement phase with a
|
||||
contract-only request that remains blocked pending validation.
|
||||
C19Z90 proves the explicit real-adapter runtime gate enablement request
|
||||
contract.
|
||||
C19Z91 adds contract-only operator confirmation validation while keeping the
|
||||
runtime gate blocked pending remaining validations.
|
||||
C19Z92 proves the operator confirmation validation contract.
|
||||
C19Z93 adds contract-only binary validation while keeping the runtime gate
|
||||
blocked pending remaining validations.
|
||||
C19Z94 proves the binary validation contract.
|
||||
C19Z95 adds contract-only permission validation while keeping the runtime gate
|
||||
blocked pending remaining validations.
|
||||
C19Z96 proves the permission validation contract.
|
||||
C19Z97 adds contract-only supervisor validation while keeping the runtime gate
|
||||
blocked pending remaining validations.
|
||||
C19Z98 proves the supervisor validation contract.
|
||||
C19Z99 adds contract-only health probe validation while keeping the runtime gate
|
||||
blocked pending payload gate validation.
|
||||
C19Z100 proves the health probe validation contract.
|
||||
C19Z101 adds contract-only payload gate validation with no remaining required
|
||||
validations while keeping runtime not enabled.
|
||||
C19Z102 proves the payload gate validation contract.
|
||||
C19Z103 adds the runtime gate validation closeout while keeping explicit
|
||||
operator enablement required.
|
||||
C19Z104 proves the runtime gate validation closeout contract.
|
||||
C19Z105 adds an operator enablement readiness package while keeping runtime
|
||||
disabled by default.
|
||||
C19Z106 proves the operator enablement readiness package contract.
|
||||
C19Z107 adds an operator enablement readiness release marker while keeping
|
||||
runtime disabled by default.
|
||||
C19Z108 proves the operator enablement readiness release marker contract.
|
||||
C19Z109 adds an operator enablement readiness package index while keeping
|
||||
runtime disabled by default.
|
||||
C19Z110 proves the operator enablement readiness package index contract.
|
||||
C19Z111 adds an operator readiness closeout summary while keeping runtime
|
||||
disabled by default.
|
||||
C19Z112 proves the operator readiness closeout summary contract.
|
||||
C19Z113 adds an operator review decision request while keeping runtime disabled
|
||||
by default.
|
||||
C19Z114 proves the operator review decision request contract.
|
||||
C19Z115 adds an operator decision status summary while keeping runtime disabled
|
||||
by default.
|
||||
C19Z116 proves the operator decision status summary contract.
|
||||
C19Z117 adds an operator approval/rejection outcome contract with the outcome
|
||||
not approved and runtime disabled by default.
|
||||
C19Z118 proves the operator approval/rejection outcome contract.
|
||||
C19Z119 adds an operator outcome closeout/reopen boundary while keeping runtime
|
||||
disabled by default.
|
||||
C19Z120 proves the operator outcome closeout/reopen boundary contract.
|
||||
C19Z121 adds a not-approved outcome release marker while keeping runtime
|
||||
disabled by default.
|
||||
C19Z122 proves the not-approved outcome release marker contract.
|
||||
C19Z123 adds a not-approved outcome package index while keeping runtime disabled
|
||||
by default.
|
||||
C19Z124 proves the not-approved outcome package index contract.
|
||||
C19Z125 adds a not-approved outcome closeout summary while keeping runtime
|
||||
disabled by default.
|
||||
C19Z126 proves the not-approved outcome closeout summary contract.
|
||||
C19Z127 adds a final not-approved outcome release marker while keeping runtime
|
||||
disabled by default.
|
||||
C19Z128 proves the final not-approved outcome release marker contract.
|
||||
C19Z129 adds a final not-approved outcome package index/archive marker while
|
||||
keeping runtime disabled by default.
|
||||
C19Z130 proves the final not-approved outcome package index/archive marker
|
||||
contract.
|
||||
C19Z131 adds a not-approved outcome archive closeout manifest while keeping
|
||||
runtime disabled by default.
|
||||
C19Z132 proves the not-approved outcome archive closeout manifest contract.
|
||||
C19Z133 adds a stopped-branch sentinel for the not-approved outcome while
|
||||
keeping runtime disabled by default.
|
||||
C19Z134 proves the not-approved outcome stopped-branch sentinel contract.
|
||||
C19Z135 adds a no-continuation guard for the stopped not-approved outcome while
|
||||
keeping runtime disabled by default.
|
||||
C19Z136 proves the not-approved outcome no-continuation guard contract.
|
||||
C19Z137 adds continuation block enforcement for the stopped not-approved
|
||||
outcome while keeping runtime disabled by default.
|
||||
C19Z138 proves the not-approved outcome continuation block enforcement
|
||||
contract.
|
||||
C19Z139 adds a continuation block audit record for the stopped not-approved
|
||||
outcome while keeping runtime disabled by default.
|
||||
C19Z140 proves the not-approved outcome continuation block audit record
|
||||
contract.
|
||||
C19Z141 adds a continuation block audit rollup for the stopped not-approved
|
||||
outcome while keeping runtime disabled by default.
|
||||
C19Z142 proves the not-approved outcome continuation block audit rollup
|
||||
contract.
|
||||
C19Z143 adds an operator stop summary for the stopped not-approved outcome
|
||||
while keeping runtime disabled by default.
|
||||
C19Z144 proves the not-approved outcome operator stop summary contract.
|
||||
C19Z145 adds an operator stop handoff for the stopped not-approved outcome
|
||||
while keeping runtime disabled by default.
|
||||
C19Z146 proves the not-approved outcome operator stop handoff contract.
|
||||
C19Z147 adds an operator stop handoff digest for the stopped not-approved
|
||||
outcome while keeping runtime disabled by default.
|
||||
C19Z148 proves the not-approved outcome operator stop handoff digest contract.
|
||||
C19Z149 adds an operator stop status snapshot for the stopped not-approved
|
||||
outcome while keeping runtime disabled by default.
|
||||
C19Z150 proves the not-approved outcome operator stop status snapshot contract.
|
||||
C19Z151 adds an operator stop status snapshot index for the stopped
|
||||
not-approved outcome while keeping runtime disabled by default.
|
||||
C19Z152 proves the not-approved outcome operator stop status snapshot index
|
||||
contract.
|
||||
C19Z153 adds an operator stop status catalog for the stopped not-approved
|
||||
outcome while keeping runtime disabled by default.
|
||||
C19Z154 proves the not-approved outcome operator stop status catalog contract.
|
||||
C19Z155 adds an operator stop status catalog release marker for the stopped
|
||||
not-approved outcome while keeping runtime disabled by default.
|
||||
C19Z156 proves the not-approved outcome operator stop status catalog release
|
||||
marker contract.
|
||||
C19Z157 adds an operator stop status catalog package index for the stopped
|
||||
not-approved outcome while keeping runtime disabled by default.
|
||||
C19Z158 proves the not-approved outcome operator stop status catalog package
|
||||
index contract.
|
||||
C19Z159 adds an operator stop status catalog closeout summary for the stopped
|
||||
not-approved outcome while keeping runtime disabled by default.
|
||||
C19Z160 proves the not-approved outcome operator stop status catalog closeout
|
||||
summary contract.
|
||||
C19Z161 adds an operator stop status final archive marker for the stopped
|
||||
not-approved outcome while keeping runtime disabled by default.
|
||||
C19Z162 proves the not-approved outcome operator stop status final archive
|
||||
marker contract.
|
||||
C19Z163 adds an operator stop status final archive manifest for the stopped
|
||||
not-approved outcome while keeping runtime disabled by default.
|
||||
C19Z164 proves the not-approved outcome operator stop status final archive
|
||||
manifest contract.
|
||||
C19Z165 adds a terminal-complete marker for the stopped not-approved outcome
|
||||
factory while keeping runtime disabled by default.
|
||||
C19Z166 proves the not-approved outcome factory terminal-complete contract.
|
||||
C20Z1 opens a new explicit real-adapter enablement request while keeping
|
||||
runtime disabled by default.
|
||||
C20Z2 proves the new explicit real-adapter enablement request contract.
|
||||
C20Z3 adds the operator validation intake for the new explicit request while
|
||||
keeping runtime disabled by default.
|
||||
C20Z4 completes the operator validation checklist contract while keeping
|
||||
runtime disabled by default.
|
||||
C20Z5 closes the operator validation chain contract while keeping runtime
|
||||
disabled by default.
|
||||
C20Z6 proves the C20 stage terminal-complete contract.
|
||||
Version Storage/Update
|
||||
Repository and node-agent update/rollback foundation are not implemented by
|
||||
this document. No RDP, data-plane, VPN runtime, production relay, production
|
||||
mesh service traffic, node-agent VPN execution, host networking, service
|
||||
workload runtime, or production updater behavior is implied by this document.
|
||||
|
||||
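Review bot: The C20Z1 line near the end of this hunk opens a new explicit real-adapter enablement request directly after C19Z135 to C19Z138 add a no-continuation guard and continuation block enforcement for the stopped not-approved outcome, and the text does not say how the two relate. Please add a sentence stating whether the C20Z1 request is covered by the C19Z119 closeout/reopen boundary and whether it must repeat the C19Z91 to C19Z101 validations rather than inherit their results, so that a reader cannot take the new request as a route around the stopped branch. Two smaller points: the paragraph goes from "through C19Z30" straight to C19Z34, leaving C19Z31 to C19Z33 unattributed, and the closing scope statement now starts mid-paragraph at "Version Storage/Update Repository" after more than a hundred one-line entries, where it is easy to miss. Moving the per-step entries into their own list and keeping the "No RDP, data-plane, VPN runtime ..." statement as a standalone paragraph would keep that limit visible.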
@@ -1324,6 +1324,394 @@ C19Z1 adds a read-only mailbox handoff preflight endpoint. Adapter runtimes can
|
||||
call `/mailbox/preflight` with `consumer_id` and `resume_from=ack|checkpoint`
|
||||
to validate the stored cursor and inspect the next expected event window without
|
||||
reading, draining, acking, or mutating consumer state.
|
||||
C19Z2 adds separate telemetry for those handoff checks. Workload status and
|
||||
heartbeat reports expose preflight totals split by ack/checkpoint cursor and the
|
||||
last preflight session, consumer, cursor, after-sequence, available/returned/
|
||||
skipped counts, and expected sequence range; readiness diagnostics mirror the
|
||||
latest preflight summary.
|
||||
C19Z3 adds stale-cursor diagnostics to preflight. When a consumer cursor points
|
||||
behind dropped bounded-mailbox events, the preflight response reports retained
|
||||
sequence bounds, `diagnostic_state=stale_cursor_gap`, `stale_cursor=true`, and
|
||||
`missing_dropped_count`; workload/heartbeat telemetry and readiness diagnostics
|
||||
mirror that latest stale state.
|
||||
C19Z4 adds explicit action hints to those diagnostics. Preflight responses now
|
||||
include `recommended_action` and `action_hints`; stale cursor gaps recommend
|
||||
resetting the consumer cursor, requesting a full adapter resync, and resuming
|
||||
from checkpoint after resync. Telemetry and readiness diagnostics mirror the
|
||||
latest recommended action and hints.
|
||||
C19Z5 adds remediation provenance for those hints. Preflight responses,
|
||||
workload/heartbeat telemetry, and readiness diagnostics include
|
||||
`action_reason` plus structured `action_context` with the resume cursor,
|
||||
retained sequence bounds, dropped/missing counts, consumer checkpoint/ack, and
|
||||
expected window counters that explain why the recommended action was chosen.
|
||||
C19Z6 adds a compact operator-facing preflight summary derived from the same
|
||||
read-only state. Preflight responses, telemetry, and readiness diagnostics now
|
||||
include `operator_summary` and `operator_summary_fields` so dashboards can show
|
||||
the diagnostic state, action, reason, resume cursor, retained bounds, and key
|
||||
window counters without recomputing or mutating mailbox state.
|
||||
C19Z7 adds machine-sortable operator status and severity to that summary.
|
||||
Preflight responses, telemetry, readiness diagnostics, and
|
||||
`operator_summary_fields` now expose `operator_status` and `operator_severity`
|
||||
so dashboards can sort ready, caught-up, and resync-required handoffs without
|
||||
parsing human text.
|
||||
C19Z8 groups the latest preflight view for admin UI consumption. The readiness
|
||||
diagnostic keeps all existing flat latest-preflight fields and adds
|
||||
`last_preflight` with observed time, cursor, counts, diagnostic state, selected
|
||||
action, action provenance, operator summary, status, severity, and summary
|
||||
fields.
|
||||
C19Z9 adds retained-window detail to that grouped readiness view. The
|
||||
`last_preflight` object now includes first/last retained sequence and mailbox
|
||||
dropped total so stale-cursor summaries can explain the bounded mailbox window
|
||||
without requiring a separate raw preflight lookup.
|
||||
C19Z10 adds a structured remediation checklist to the grouped readiness view.
|
||||
The `last_preflight.remediation_checklist` entries are derived from diagnostic
|
||||
state and action hints, marking required/satisfied operator steps for cursor
|
||||
reset, adapter resync, and post-resync resume without executing those actions.
|
||||
C19Z11 adds summary status and counts for that checklist. The grouped readiness
|
||||
view now exposes `remediation_checklist_status` plus total, required,
|
||||
satisfied, and pending counts so admin UI can render checklist state without
|
||||
scanning the step array.
|
||||
C19Z12 adds per-session preflight operator status/severity counters. Readiness
|
||||
now exposes counts for statuses such as `ready_to_resume`, `caught_up`, and
|
||||
`resync_required`, plus severity counts such as `ok`, `info`, and `warn`, and
|
||||
the grouped latest-preflight rollup mirrors those counters for dashboard
|
||||
context.
|
||||
C19Z13 derives a compact preflight attention status from those counters.
|
||||
Readiness and `last_preflight` expose `preflight_attention_status` values such
|
||||
as `clean`, `needs_attention`, and `repeated_resync_required`, letting admin UI
|
||||
sort sessions without interpreting count maps directly.
|
||||
C19Z14 proves the repeated-resync branch. Unit and live smoke coverage now run
|
||||
multiple stale preflights on the same active adapter session and verify
|
||||
`preflight_attention_status=repeated_resync_required` with repeated
|
||||
`resync_required` / `warn` counters, while the preflight path remains read-only.
|
||||
C19Z15 adds `preflight_attention_reason` beside the attention status. The reason
|
||||
is derived from the latest preflight counters/status and explains clean,
|
||||
attention-needed, and repeated-resync states without requiring UI code to parse
|
||||
the counter maps.
|
||||
C19Z16 completes focused proof coverage for those reasons. Unit coverage proves
|
||||
clean, single-resync, repeated-resync, and no-preflight mappings, and live smoke
|
||||
proves the single stale-preflight `resync_required_preflight_observed` reason.
|
||||
C19Z17 adds a diagnostics contract marker to the grouped preflight readiness
|
||||
rollup. `last_preflight` now includes `diagnostics_schema_version` and a
|
||||
`diagnostics_contract` list for retained-window, remediation-checklist,
|
||||
attention, and operator-count fields so admin UI can gate rendering safely.
|
||||
C19Z18 adds machine-readable feature flags for that contract. `last_preflight`
|
||||
now includes boolean `diagnostics_features` entries for retained-window,
|
||||
remediation-checklist, attention, and operator-count diagnostics, allowing UI
|
||||
and automation clients to check support without scanning the contract list.
|
||||
C19Z19 adds a compatibility proof for the two contract forms. Unit and live
|
||||
smoke coverage now verify that workload and telemetry reports expose matching
|
||||
`diagnostics_contract` entries and `diagnostics_features` booleans for each
|
||||
preflight diagnostics group.
|
||||
C19Z20 adds the no-preflight absence proof. Active adapter sessions that have
|
||||
not observed a mailbox preflight report `preflight_attention_status=unknown`,
|
||||
`preflight_attention_reason=no_preflight_observed`, zero session preflight
|
||||
count, and no grouped `last_preflight` rollup, so UI can distinguish "not
|
||||
observed yet" from an observed clean state.
|
||||
C19Z21 adds the no-active-session readiness proof. After the last adapter
|
||||
session is closed, readiness reports idle/not-ready with zero active sessions,
|
||||
no active `adapter_session_id`, no `last_preflight` rollup, and terminal
|
||||
`last_session_state=closed` from the terminal-session ledger.
|
||||
C19Z22 extends terminal-state coverage to `expire` and `reset` controls. The
|
||||
same no-active-session readiness shape now proves `last_session_state=expired`
|
||||
and `last_session_state=reset` from the terminal-session ledger.
|
||||
C19Z23 adds grouped terminal-session summary metadata for the no-active-session
|
||||
case. Readiness now includes `terminal_session_summary` with adapter session id,
|
||||
terminal state, reason, and control timestamp while retaining flat compatibility
|
||||
fields.
|
||||
C19Z24 adds a contract marker to that summary. The grouped
|
||||
`terminal_session_summary` now carries a schema version and summary-contract
|
||||
field list so UI can gate rendering explicitly.
|
||||
C19Z25 adds boolean feature flags for the same grouped terminal summary fields,
|
||||
mirroring the preflight diagnostics contract/feature pattern.
|
||||
C19Z26 adds compatibility proof coverage for those two terminal summary contract
|
||||
forms, verifying that `summary_contract` entries and `summary_features` booleans
|
||||
stay aligned in workload and telemetry reports.
|
||||
C19Z27 adds absence proof coverage for a fresh no-session runtime: before any
|
||||
terminal history exists, readiness stays in `waiting_for_session` and does not
|
||||
include `terminal_session_summary`.
|
||||
C19Z28 adds the grouped no-session readiness summary for that empty-runtime
|
||||
state. Fresh adapter readiness now includes `no_session_summary` with schema
|
||||
version `rap.remote_workspace_adapter_no_session_summary.v1`, a summary
|
||||
contract for `status`, `diagnostic_state`, `active_session_count`, and
|
||||
`terminal_session_count`, and matching idle/waiting-for-session counts, while
|
||||
the terminal-session summary remains absent until terminal history exists.
|
||||
C19Z29 adds boolean `summary_features` to the same grouped no-session summary
|
||||
for `status`, `diagnostic_state`, `active_session_count`, and
|
||||
`terminal_session_count`, matching the terminal summary and preflight
|
||||
diagnostics feature-flag convention.
|
||||
C19Z30 adds compatibility proof coverage for the grouped no-session summary,
|
||||
verifying that `summary_contract` entries and `summary_features` booleans stay
|
||||
aligned in workload and telemetry reports.
|
||||
C19Z31 adds the inverse terminal-history absence proof: after adapter sessions
|
||||
reach terminal states, readiness exposes `terminal_session_summary` and omits
|
||||
`no_session_summary` in workload and telemetry reports.
|
||||
C19Z32 proves readiness summary exclusivity across the three runtime shapes:
|
||||
fresh exposes only `no_session_summary`, active exposes neither grouped summary,
|
||||
and terminal exposes only `terminal_session_summary`.
|
||||
C19Z33 adds a compact readiness state matrix artifact for admin/runtime handoff:
|
||||
fresh, active, and terminal rows are emitted for workload and telemetry with
|
||||
only the relevant readiness fields and summary-presence booleans.
|
||||
C19Z34 adds an explicit probe-to-runtime gate artifact. It confirms the current
|
||||
Remote Workspace runtime is still `contract_probe`, `probe_only=true`, and
|
||||
`payload_traffic=none`, lists the ready contracts, and records the remaining
|
||||
runtime gates before real RDP frame transport can be enabled.
|
||||
C19Z35 adds the disabled-by-default real-adapter supervision scaffold. The
|
||||
`rdp-worker` contract-probe status now advertises
|
||||
`rap.remote_workspace_real_adapter_supervision.v1` with future config env names,
|
||||
status contract fields, and guardrails, while `contract_probe` remains the only
|
||||
active execution mode and payload traffic remains `none`.
|
||||
C19Z36 adds compatibility proof for that scaffold, verifying the disabled state,
|
||||
status contract, env names, process model, and guardrails remain aligned in unit
|
||||
and live workload status coverage.
|
||||
C19Z37 adds disabled real-adapter config projection. Node-agent parses the
|
||||
future `RAP_REMOTE_WORKSPACE_REAL_ADAPTER_*` env values and reports only
|
||||
sanitized status metadata under
|
||||
`real_adapter_supervision.config_projection`: whether enable was requested,
|
||||
whether command/args/workdir are present, args JSON shape, and that raw values
|
||||
are redacted. This does not activate the real adapter; `enabled=false`,
|
||||
`activation_allowed=false`, and `payload_traffic=none` remain required.
|
||||
C19Z38 proves projection compatibility across default/empty and requested
|
||||
config shapes. Unit and live smoke coverage verify absent env and requested
|
||||
env both keep activation blocked, raw values redacted, and payload traffic
|
||||
disabled.
|
||||
C19Z39 adds an explicit disabled activation decision contract. The real adapter
|
||||
status now reports `decision=blocked`,
|
||||
`reason=real_runtime_stage_not_enabled`, `activation_allowed=false`, and the
|
||||
missing gates before a future stage may start an external RDP worker process.
|
||||
C19Z40 adds a compact handoff report proving that the supervision scaffold,
|
||||
config projection, and blocked activation decision remain aligned for both
|
||||
requested and default config shapes.
|
||||
C19Z41 adds real-adapter supervision feature flags for config projection,
|
||||
activation decision, missing gates, and raw-value redaction so UI and
|
||||
automation clients can gate rendering explicitly.
|
||||
C19Z42 folds those feature flags into the compact handoff report, proving
|
||||
scaffold/projection/decision/features alignment for requested and default node
|
||||
config in one admin/runtime artifact.
|
||||
C19Z43 proves contract-probe precedence when desired workload config includes
|
||||
both `adapter_contract_probe` and `real_adapter_supervision`; the runtime stays
|
||||
running in probe mode and real-adapter activation remains blocked.
|
||||
C19Z44 proves the real-adapter-only desired workload path remains degraded and
|
||||
blocked, with the same disabled activation contract and no payload traffic.
|
||||
C19Z45 adds a compact desired-workload mode matrix for probe-only,
|
||||
real-adapter-only, and combined requested modes, confirming all paths retain
|
||||
disabled real-adapter activation and no payload traffic.
|
||||
C19Z46 adds compatibility proof for that mode matrix row contract, including
|
||||
explicit feature-flag and missing-gate visibility markers.
|
||||
C19Z47 adds a disabled process-supervisor preconditions contract for the future
|
||||
external RDP worker process while keeping `process_start_allowed=false` and all
|
||||
payload traffic disabled.
|
||||
C19Z48 proves that process-supervisor preconditions contract across requested
|
||||
and default config shapes, including required/missing checks and disabled start.
|
||||
C19Z49 folds process-supervisor preconditions into the compact handoff report,
|
||||
proving alignment with projection, activation decision, and feature flags.
|
||||
C19Z50 folds those preconditions into the desired-workload mode matrix, proving
|
||||
process start remains disabled across probe-only, real-adapter-only, and
|
||||
combined requested modes.
|
||||
C19Z51 adds compatibility proof for that mode matrix v2 row contract.
|
||||
C19Z52 adds a disabled process-health-probe contract for the future external
|
||||
RDP worker process while keeping health probes disabled and payload traffic at
|
||||
`none`.
|
||||
C19Z53 proves that process-health-probe contract across requested/default
|
||||
status forms.
|
||||
C19Z54 folds process-health-probe visibility into the compact handoff report,
|
||||
proving disabled health probes and payload-free alignment across all
|
||||
real-adapter handoff contracts.
|
||||
C19Z55 folds process-health-probe visibility into the desired-workload mode
|
||||
matrix, proving disabled health probes and no payload traffic across probe-only,
|
||||
real-adapter-only, and combined requested modes.
|
||||
C19Z56 adds compatibility proof for that mode matrix v3 row contract.
|
||||
C19Z57 ties handoff v4 and mode matrix v3 compatibility into a compact disabled
|
||||
real-adapter readiness/handoff checklist.
|
||||
C19Z58 adds compatibility proof for that readiness/handoff summary and
|
||||
checklist contract.
|
||||
C19Z59 derives a disabled real-adapter operator action map from that checklist
|
||||
while keeping activation, process start, and payload forwarding blocked.
|
||||
C19Z60 adds compatibility proof for that operator action map contract.
|
||||
C19Z61 groups the disabled real-adapter readiness summary, checklist, and
|
||||
action map into one compact admin handoff bundle.
|
||||
C19Z62 adds compatibility proof for that admin handoff bundle contract.
|
||||
C19Z63 derives compact admin handoff digest display rows from the bundle while
|
||||
preserving disabled runtime guardrails.
|
||||
C19Z64 adds compatibility proof for that admin handoff digest row contract.
|
||||
C19Z65 adds a digest rollup with severity/state counts, primary action, and
|
||||
guardrail summary.
|
||||
C19Z66 adds compatibility proof for that digest rollup contract.
|
||||
C19Z67 summarizes the proven disabled real-adapter admin handoff chain from
|
||||
handoff v4 through digest rollup compatibility.
|
||||
C19Z68 adds compatibility proof for that full-chain summary contract.
|
||||
C19Z69 marks the disabled real-adapter admin handoff package as
|
||||
contract-only-ready while keeping the real runtime stage blocked.
|
||||
C19Z70 proves the release marker contract remains compatible while keeping the
|
||||
real runtime stage blocked.
|
||||
C19Z71 adds a final contract-only package index for the disabled real-adapter
|
||||
admin handoff chain.
|
||||
C19Z72 proves the final package index contract for the disabled real-adapter
|
||||
admin handoff chain.
|
||||
C19Z73 adds a contract-only runtime gate phase boundary for the next disabled
|
||||
real-adapter preflight phase.
|
||||
C19Z74 proves the runtime gate phase boundary contract.
|
||||
C19Z75 adds a disabled real-adapter runtime gate preflight checklist with all
|
||||
items still blocking runtime.
|
||||
C19Z76 proves the disabled real-adapter runtime gate preflight checklist
|
||||
contract.
|
||||
C19Z77 adds a disabled real-adapter runtime gate preflight status summary.
|
||||
C19Z78 proves the disabled real-adapter runtime gate preflight status summary
|
||||
contract.
|
||||
C19Z79 adds disabled real-adapter runtime gate preflight action hints.
|
||||
C19Z80 proves the disabled real-adapter runtime gate preflight action hints
|
||||
contract.
|
||||
C19Z81 adds a disabled real-adapter runtime gate preflight operator handoff
|
||||
bundle.
|
||||
C19Z82 proves the disabled real-adapter runtime gate preflight operator handoff
|
||||
bundle contract.
|
||||
C19Z83 adds a disabled real-adapter runtime gate preflight release marker.
|
||||
C19Z84 proves the disabled real-adapter runtime gate preflight release marker
|
||||
contract.
|
||||
C19Z85 adds a disabled real-adapter runtime gate preflight package index.
|
||||
C19Z86 proves the disabled real-adapter runtime gate preflight package index
|
||||
contract.
|
||||
C19Z87 adds a disabled real-adapter runtime gate preflight closeout summary.
|
||||
C19Z88 proves the disabled real-adapter runtime gate preflight closeout summary
|
||||
contract.
|
||||
C19Z89 starts the explicit real-adapter runtime gate enablement phase with a
|
||||
contract-only request that remains blocked pending validation.
|
||||
C19Z90 proves the explicit real-adapter runtime gate enablement request
|
||||
contract.
|
||||
C19Z91 adds contract-only operator confirmation validation while keeping the
|
||||
runtime gate blocked pending remaining validations.
|
||||
C19Z92 proves the operator confirmation validation contract.
|
||||
C19Z93 adds contract-only binary validation while keeping the runtime gate
|
||||
blocked pending remaining validations.
|
||||
C19Z94 proves the binary validation contract.
|
||||
C19Z95 adds contract-only permission validation while keeping the runtime gate
|
||||
blocked pending remaining validations.
|
||||
C19Z96 proves the permission validation contract.
|
||||
C19Z97 adds contract-only supervisor validation while keeping the runtime gate
|
||||
blocked pending remaining validations.
|
||||
C19Z98 proves the supervisor validation contract.
|
||||
C19Z99 adds contract-only health probe validation while keeping the runtime gate
|
||||
blocked pending payload gate validation.
|
||||
C19Z100 proves the health probe validation contract.
|
||||
C19Z101 adds contract-only payload gate validation with no remaining required
|
||||
validations while keeping runtime not enabled.
|
||||
C19Z102 proves the payload gate validation contract.
|
||||
C19Z103 adds the runtime gate validation closeout while keeping explicit
|
||||
operator enablement required.
|
||||
C19Z104 proves the runtime gate validation closeout contract.
|
||||
C19Z105 adds an operator enablement readiness package while keeping runtime
|
||||
disabled by default.
|
||||
C19Z106 proves the operator enablement readiness package contract.
|
||||
C19Z107 adds an operator enablement readiness release marker while keeping
|
||||
runtime disabled by default.
|
||||
C19Z108 proves the operator enablement readiness release marker contract.
|
||||
C19Z109 adds an operator enablement readiness package index while keeping
|
||||
runtime disabled by default.
|
||||
C19Z110 proves the operator enablement readiness package index contract.
|
||||
C19Z111 adds an operator readiness closeout summary while keeping runtime
|
||||
disabled by default.
|
||||
C19Z112 proves the operator readiness closeout summary contract.
|
||||
C19Z113 adds an operator review decision request while keeping runtime disabled
|
||||
by default.
|
||||
C19Z114 proves the operator review decision request contract.
|
||||
C19Z115 adds an operator decision status summary while keeping runtime disabled
|
||||
by default.
|
||||
C19Z116 proves the operator decision status summary contract.
|
||||
C19Z117 adds an operator approval/rejection outcome contract with the outcome
|
||||
not approved and runtime disabled by default.
|
||||
C19Z118 proves the operator approval/rejection outcome contract.
|
||||
C19Z119 adds an operator outcome closeout/reopen boundary while keeping runtime
|
||||
disabled by default.
|
||||
C19Z120 proves the operator outcome closeout/reopen boundary contract.
|
||||
C19Z121 adds a not-approved outcome release marker while keeping runtime
|
||||
disabled by default.
|
||||
C19Z122 proves the not-approved outcome release marker contract.
|
||||
C19Z123 adds a not-approved outcome package index while keeping runtime disabled
|
||||
by default.
|
||||
C19Z124 proves the not-approved outcome package index contract.
|
||||
C19Z125 adds a not-approved outcome closeout summary while keeping runtime
|
||||
disabled by default.
|
||||
C19Z126 proves the not-approved outcome closeout summary contract.
|
||||
C19Z127 adds a final not-approved outcome release marker while keeping runtime
|
||||
disabled by default.
|
||||
C19Z128 proves the final not-approved outcome release marker contract.
|
||||
C19Z129 adds a final not-approved outcome package index/archive marker while
|
||||
keeping runtime disabled by default.
|
||||
C19Z130 proves the final not-approved outcome package index/archive marker
|
||||
contract.
|
||||
C19Z131 adds a not-approved outcome archive closeout manifest while keeping
|
||||
runtime disabled by default.
|
||||
C19Z132 proves the not-approved outcome archive closeout manifest contract.
|
||||
C19Z133 adds a stopped-branch sentinel for the not-approved outcome while
|
||||
keeping runtime disabled by default.
|
||||
C19Z134 proves the not-approved outcome stopped-branch sentinel contract.
|
||||
C19Z135 adds a no-continuation guard for the stopped not-approved outcome while
|
||||
keeping runtime disabled by default.
|
||||
C19Z136 proves the not-approved outcome no-continuation guard contract.
|
||||
C19Z137 adds continuation block enforcement for the stopped not-approved
|
||||
outcome while keeping runtime disabled by default.
|
||||
C19Z138 proves the not-approved outcome continuation block enforcement
|
||||
contract.
|
||||
C19Z139 adds a continuation block audit record for the stopped not-approved
|
||||
outcome while keeping runtime disabled by default.
|
||||
C19Z140 proves the not-approved outcome continuation block audit record
|
||||
contract.
|
||||
C19Z141 adds a continuation block audit rollup for the stopped not-approved
|
||||
outcome while keeping runtime disabled by default.
|
||||
C19Z142 proves the not-approved outcome continuation block audit rollup
|
||||
contract.
|
||||
C19Z143 adds an operator stop summary for the stopped not-approved outcome
|
||||
while keeping runtime disabled by default.
|
||||
C19Z144 proves the not-approved outcome operator stop summary contract.
|
||||
C19Z145 adds an operator stop handoff for the stopped not-approved outcome
|
||||
while keeping runtime disabled by default.
|
||||
C19Z146 proves the not-approved outcome operator stop handoff contract.
|
||||
C19Z147 adds an operator stop handoff digest for the stopped not-approved
|
||||
outcome while keeping runtime disabled by default.
|
||||
C19Z148 proves the not-approved outcome operator stop handoff digest contract.
|
||||
C19Z149 adds an operator stop status snapshot for the stopped not-approved
|
||||
outcome while keeping runtime disabled by default.
|
||||
C19Z150 proves the not-approved outcome operator stop status snapshot contract.
|
||||
C19Z151 adds an operator stop status snapshot index for the stopped
|
||||
not-approved outcome while keeping runtime disabled by default.
|
||||
C19Z152 proves the not-approved outcome operator stop status snapshot index
|
||||
contract.
|
||||
C19Z153 adds an operator stop status catalog for the stopped not-approved
|
||||
outcome while keeping runtime disabled by default.
|
||||
C19Z154 proves the not-approved outcome operator stop status catalog contract.
|
||||
C19Z155 adds an operator stop status catalog release marker for the stopped
|
||||
not-approved outcome while keeping runtime disabled by default.
|
||||
C19Z156 proves the not-approved outcome operator stop status catalog release
|
||||
marker contract.
|
||||
C19Z157 adds an operator stop status catalog package index for the stopped
|
||||
not-approved outcome while keeping runtime disabled by default.
|
||||
C19Z158 proves the not-approved outcome operator stop status catalog package
|
||||
index contract.
|
||||
C19Z159 adds an operator stop status catalog closeout summary for the stopped
|
||||
not-approved outcome while keeping runtime disabled by default.
|
||||
C19Z160 proves the not-approved outcome operator stop status catalog closeout
|
||||
summary contract.
|
||||
C19Z161 adds an operator stop status final archive marker for the stopped
|
||||
not-approved outcome while keeping runtime disabled by default.
|
||||
C19Z162 proves the not-approved outcome operator stop status final archive
|
||||
marker contract.
|
||||
C19Z163 adds an operator stop status final archive manifest for the stopped
|
||||
not-approved outcome while keeping runtime disabled by default.
|
||||
C19Z164 proves the not-approved outcome operator stop status final archive
|
||||
manifest contract.
|
||||
C19Z165 adds a terminal-complete marker for the stopped not-approved outcome
|
||||
factory while keeping runtime disabled by default.
|
||||
C19Z166 proves the not-approved outcome factory terminal-complete contract.
|
||||
C20Z1 opens a new explicit real-adapter enablement request while keeping
|
||||
runtime disabled by default.
|
||||
C20Z2 proves the new explicit real-adapter enablement request contract.
|
||||
C20Z3 adds the operator validation intake for the new explicit request while
|
||||
keeping runtime disabled by default.
|
||||
C20Z4 completes the operator validation checklist contract while keeping
|
||||
runtime disabled by default.
|
||||
C20Z5 closes the operator validation chain contract while keeping runtime
|
||||
disabled by default.
|
||||
C20Z6 proves the C20 stage terminal-complete contract.
|
||||
5. Move VPN packet flow to the service channel and keep backend relay only as
|
||||
explicit degraded fallback.
|
||||
6. Run load tests against the fabric channel: many streams, route failure,
|
||||
|
||||
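Review bot: In the C19Z37 entry, `args JSON shape` is the one projected field whose content is not spelled out, in the same sentence that claims raw values are redacted. Say what the shape consists of (for instance, type and element count only) so a reader can confirm that no argument value from the `RAP_REMOTE_WORKSPACE_REAL_ADAPTER_*` env reaches status reports. Separately, the entries from C19Z11 through C20Z6 say "proves" or "live smoke coverage" without naming a script or artifact, unlike C19Z2 through C19Z5, which each give the `scripts/fabric/...` path; add the paths or point to where they are listed.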
@@ -586,25 +586,31 @@ artifacts:
|
||||
`artifacts/c18z108-dedicated-breadcrumbs-smoke-result.json`, and
|
||||
`artifacts/c18z109-breadcrumb-freshness-window-smoke-result.json`.
|
||||
|
||||
Current active continuation after C19Z1:
|
||||
Current active continuation after C20Z6:
|
||||
|
||||
C19Z1 is implemented and runtime-smoke-proven. Remote Workspace adapter sessions
|
||||
now expose read-only mailbox handoff preflight:
|
||||
`GET /mesh/v1/remote-workspace/adapter-sessions/{adapter_session_id}/mailbox/preflight?consumer_id=...&resume_from=ack|checkpoint`.
|
||||
The response validates the consumer cursor and reports the expected next event
|
||||
window (`after_sequence`, available/returned/skipped counts, first/last expected
|
||||
sequence) without reading, draining, acking, or mutating consumer state.
|
||||
Node-agent image `rap-node-agent:codex-service-supervisor-20260512z2` is
|
||||
deployed on `test-1/2/3`. Verification artifacts:
|
||||
`artifacts/c19z1-remote-workspace-mailbox-preflight-smoke-result.json`, C19X
|
||||
source
|
||||
`artifacts/c19z1-remote-workspace-mailbox-preflight-source-result.json`, and
|
||||
C19Z regression
|
||||
`artifacts/c19z-remote-workspace-adapter-readiness-smoke-result.json`.
|
||||
C20Z1 through C20Z6 are implemented and runtime-smoke-proven. The C20 stage is
|
||||
terminal-complete by contract. It opened and validated a new explicit
|
||||
real-adapter enablement request as a contract-only transition:
|
||||
`rap.remote_workspace_real_adapter_c20_stage_terminal_complete.v1`, with
|
||||
`terminal_status=stage_terminal_complete_contract_only`,
|
||||
`stage_status=complete_no_more_c20_layers_required`,
|
||||
`stage_name=c20_real_adapter_new_explicit_enablement_request`,
|
||||
`validation_chain_status=complete_contract_only`,
|
||||
`enablement_boundary=runtime_enablement_requires_next_explicit_runtime_stage`,
|
||||
`enablement_decision=validated_contract_only_not_enabled`,
|
||||
`enablement_status=validated_not_enabled`,
|
||||
`runtime_gate_state=validated_contract_only_not_enabled`,
|
||||
`runtime_effect=contract_only_no_runtime_enablement`,
|
||||
`operator_default_action=keep_real_adapter_disabled_until_next_explicit_runtime_stage`,
|
||||
`next_allowed_entrypoint=next_explicit_runtime_enablement_stage_only`,
|
||||
`allows_process_start=false`, and `allows_payload_traffic=false`. Docker-test
|
||||
`test-1/2/3` remain on
|
||||
`rap-node-agent:codex-service-supervisor-20260513z52`. Verification artifact:
|
||||
`artifacts/c20z6-remote-workspace-real-adapter-stage-terminal-complete-compatibility-smoke-result.json`.
|
||||
|
||||
Next narrow Remote Workspace layer should stay probe-only and node-local. A good
|
||||
C19Z2 candidate is handoff preflight telemetry: add counters/last-preflight
|
||||
fields for the read-only preflight endpoint in workload status/heartbeat reports,
|
||||
so operators can distinguish handoff checks from mailbox reads. Do not add
|
||||
desktop frame transport, Android work, backend relay semantics, or production
|
||||
adapter payload forwarding in this slice.
|
||||
The not-approved factory remains terminal-complete by contract, and C20 is now
|
||||
also terminal-complete by contract. Do not add more C20 continuation layers.
|
||||
The only allowed next entrypoint is a new explicit runtime enablement stage.
|
||||
Keep the real adapter disabled until that new stage explicitly changes runtime
|
||||
state: no process start, no real RDP frame transport, no Android work, no
|
||||
backend relay semantics, and no production adapter payload forwarding.
|
||||
|
||||
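Review bot: The new C20Z6 status paragraph lists three near-identical fields, `enablement_decision=validated_contract_only_not_enabled`, `enablement_status=validated_not_enabled`, and `runtime_gate_state=validated_contract_only_not_enabled`, beside `allows_process_start=false` and `allows_payload_traffic=false`, without saying which of them a client must gate on. Name the authoritative field or fields so UI and automation do not key on a descriptive string while the boolean guards are what block runtime. The paragraph also states that C20Z1 through C20Z6 are runtime-smoke-proven but cites only the c20z6 artifact; list the other artifacts or say that the C20Z6 compatibility smoke covers them.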
@@ -0,0 +1,35 @@
|
||||
# RAP host-agent monitor
|
||||
|
||||
`rap-host-agent monitor-loop` is the local watchdog that runs near a node host.
|
||||
It complements the update loop:
|
||||
|
||||
- starts watched Docker containers when they are stopped;
|
||||
- restarts watched containers when Docker health is `unhealthy`;
|
||||
- restarts containers stuck in `restarting` longer than the stale threshold;
|
||||
- rate-limits repeated remediation with a restart cooldown;
|
||||
- watches disk pressure and runs safe cleanup when the cleanup threshold is reached;
|
||||
- removes old `/tmp/rap-*` and `/tmp/go-build*` build directories;
|
||||
- writes an optional JSON status file;
|
||||
- reports monitor status to the control plane through the node update-status channel.
|
||||
|
||||
Example:
|
||||
|
||||
```bash
|
||||
rap-host-agent monitor-loop \
|
||||
--backend-url http://127.0.0.1:18121/api/v1 \
|
||||
--cluster-id cfc0743d-d960-49fb-9de8-96e063d5e4aa \
|
||||
--node-id 108a0d66-d65e-4dea-b9a8-135366bf7dba \
|
||||
--current-version 0.2.261-vpnfarm \
|
||||
--interval-seconds 60 \
|
||||
--disk-warn-percent 80 \
|
||||
--disk-cleanup-percent 85 \
|
||||
--disk-critical-percent 95 \
|
||||
--status-file /tmp/rap-web-admin/html/downloads/ops/host-monitor-status.json \
|
||||
--watch-container rap_test_postgres \
|
||||
--watch-container rap_test_redis \
|
||||
--watch-container rap_test_backend
|
||||
```
|
||||
|
||||
On the shared test Docker host the current public status file is:
|
||||
|
||||
`http://docker-test.cin.su:18080/downloads/ops/host-monitor-status.json`
|
||||
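Review bot: The cleanup bullet removes old `/tmp/rap-*` directories, and the example `--status-file` path sits under `/tmp/rap-web-admin/`, which matches that pattern. Document what "old" means and how the web root is excluded from the sweep, or move the status file outside the swept prefix. The same file is then served at a plain-HTTP URL described as public, so list the fields it contains (the example passes a cluster id, a node id, and container names) and state which of them are intended to be readable without authentication.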
@@ -0,0 +1,64 @@
|
||||
# Test Docker Disk Guard
|
||||
|
||||
`test-docker` is a shared build and runtime host. If `/` fills up, Postgres can
|
||||
restart-loop with `No space left on device`, which breaks VPN diagnostics and
|
||||
cluster tests. The disk guard is the first operational guardrail for that host.
|
||||
|
||||
## What It Does
|
||||
|
||||
- Checks `/` usage every run.
|
||||
- At `>= 85%`, removes safe reclaimable data:
|
||||
- Docker build cache.
|
||||
- Dangling Docker images.
|
||||
- Old RAP temporary build directories under `/tmp`.
|
||||
- At `>= 85%`, publishes a warning status after cleanup if the host is still above the warning line.
|
||||
- At `>= 95%` after cleanup, publishes critical status and exits with code `2`.
|
||||
- Writes machine-readable status to:
|
||||
- `http://docker-test.cin.su:18080/downloads/ops/test-docker-disk-guard-status.json`
|
||||
- Writes host log to:
|
||||
- `/tmp/rap-ops/test-docker-disk-guard.log`
|
||||
|
||||
## Install Or Refresh Schedule
|
||||
|
||||
Run from the repo root on the Windows workstation:
|
||||
|
||||
```powershell
|
||||
pwsh -ExecutionPolicy Bypass -File scripts/ops/test-docker-disk-guard.ps1 -InstallCron -RunOnce
|
||||
```
|
||||
|
||||
The wrapper uploads `scripts/ops/test-docker-disk-guard.sh` to
|
||||
`/home/test/bin/rap-test-docker-disk-guard` on `test-docker`. It installs cron
|
||||
when `crontab` exists; otherwise it installs a user systemd timer named
|
||||
`rap-test-docker-disk-guard.timer`.
|
||||
|
||||
## Manual Check
|
||||
|
||||
```powershell
|
||||
pwsh -ExecutionPolicy Bypass -File scripts/ops/test-docker-disk-guard.ps1 -RunOnce
|
||||
Invoke-RestMethod http://docker-test.cin.su:18080/downloads/ops/test-docker-disk-guard-status.json
|
||||
```
|
||||
|
||||
## Expansion Approach
|
||||
|
||||
Cleanup is only a pressure valve. If the status remains `warning` or `critical`
|
||||
after cleanup, expand the host disk.
|
||||
|
||||
Current host root is expected to be LVM. If the VM already has free VG space,
|
||||
the guard status will recommend:
|
||||
|
||||
```bash
|
||||
sudo lvextend -r -l +100%FREE /dev/mapper/ubuntu--vg-ubuntu--lv
|
||||
```
|
||||
|
||||
If there is no VG free space, first expand the VM disk in the hypervisor, then
|
||||
run `pvresize` for the physical volume and finally `lvextend -r` for the root
|
||||
logical volume.
|
||||
|
||||
## Optional Webhook
|
||||
|
||||
The shell guard supports `WEBHOOK_URL`. If set in cron/environment, warning and
|
||||
critical states are posted as JSON:
|
||||
|
||||
```json
|
||||
{"level":"warning","message":"...","host":"...","observed_at":"..."}
|
||||
```
|
||||
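Review bot: Under "What It Does", the cleanup bullet and the warning bullet both trigger at `>= 85%`, and the warning bullet then refers to "the warning line" without giving its value, while the host-agent monitor example in this commit uses `--disk-warn-percent 80` with `--disk-cleanup-percent 85`. State the warning threshold explicitly so the two documents agree. The host log at `/tmp/rap-ops/test-docker-disk-guard.log` also sits under `/tmp/rap-` while the guard removes old RAP temporary build directories under `/tmp`; note how the log directory is kept out of that cleanup.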