Skip to content

feat(hosted): add file-only repair mode#163

Merged
BunsDev merged 3 commits into
OpenCoven:mainfrom
romgenie:agent/hosted-repair
Jul 15, 2026
Merged

feat(hosted): add file-only repair mode#163
BunsDev merged 3 commits into
OpenCoven:mainfrom
romgenie:agent/hosted-repair

Conversation

@romgenie

@romgenie romgenie commented Jul 14, 2026

Copy link
Copy Markdown
Member

Summary

  • add a dedicated --hosted-repair structured-headless mode
  • expose only repository file read/write tools; exclude shell, web, task, sub-agent, plugin, and MCP tools
  • preserve hosted-review defaults and explicit contract-v2 compatibility while v3 remains normative
  • require --headless --context --output and reject combination with --hosted-review

Security model

The model may edit the sandboxed workspace but cannot run commands or access GitHub credentials. Validation, commit, and push remain control-plane responsibilities.

Verification

  • cargo fmt --all -- --check
  • cargo check --workspace --locked
  • cargo clippy --workspace --all-targets --locked -- -D warnings
  • cargo test --workspace --locked --quiet
  • GitHub Rust CI, interactive terminal suite, and engine contract checks pass

Dependency

Required by the Covencat autoreview/repair control-plane change in OpenCoven/coven-github-webhook.

Review status

Covencat automated review requested for the current head.

@vercel

vercel Bot commented Jul 14, 2026

Copy link
Copy Markdown

@romgenie is attempting to deploy a commit to the 0xBuns Team on Vercel.

A member of the Team first needs to authorize it.

@romgenie
romgenie marked this pull request as draft July 15, 2026 00:26
@romgenie
romgenie marked this pull request as ready for review July 15, 2026 00:26

@covencat covencat Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Coven review

Status: success

The runtime review output was downgraded because its publication evidence was incomplete or contradictory.

Evidence

  • PR: #163
  • Base: main @ af61be3195f668689546580652ab13569170970d
  • Head: agent/hosted-repair @ 21aceb81b666071a409e3b93cf922b6b6dfb318c
  • Checked-out workspace HEAD: 21aceb81b666071a409e3b93cf922b6b6dfb318c
  • Changed files supplied to agent: 6
  • Review context SHA-256: a2aadc8a3bfadbc48507c60c7109003d6a8e9a7a24d605e665a8ea5ca1a0b56f
  • Files: docs/advanced.md, docs/configuration.md, docs/headless-contract.md, src-rust/crates/cli/src/headless.rs, src-rust/crates/cli/src/main.rs, src-rust/crates/core/src/hosted_review.rs

Structured review

Files changed: 0
Commits: 1

Task autoreview-3cc9df4ae86f768d6b91c9d5ded59ecd1e9b746593287bfe.

Publication validation

  • captured diff evidence is incomplete or truncated

Evidence was incomplete or contradictory, so this is a COMMENT review rather than an approval or change request.

@romgenie
romgenie marked this pull request as draft July 15, 2026 00:34
@romgenie
romgenie marked this pull request as ready for review July 15, 2026 00:34
@romgenie

Copy link
Copy Markdown
Member Author

@covencat Please perform a fresh, complete review of the current PR head and submit the native review decision. Inspect every changed file and relevant supporting context; approve only if there are no actionable findings and the trusted evidence is complete.

@covencat covencat Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Coven review

Status: success

The runtime review output was downgraded because its publication evidence was incomplete or contradictory.

Evidence

  • PR: #163
  • Base: main @ af61be3195f668689546580652ab13569170970d
  • Head: agent/hosted-repair @ 21aceb81b666071a409e3b93cf922b6b6dfb318c
  • Checked-out workspace HEAD: 21aceb81b666071a409e3b93cf922b6b6dfb318c
  • Changed files supplied to agent: 6
  • Review context SHA-256: b4dea521b708bd56760354fe75369adf18f240e1507abad4e0fe3b413e668493
  • Files: docs/advanced.md, docs/configuration.md, docs/headless-contract.md, src-rust/crates/cli/src/headless.rs, src-rust/crates/cli/src/main.rs, src-rust/crates/core/src/hosted_review.rs

Structured review

  • Mode: pull_request
  • Evidence status: partial
  • Reviewed files: 6
  • Reviewed file list: docs/advanced.md, docs/configuration.md, docs/headless-contract.md, src-rust/crates/cli/src/headless.rs, src-rust/crates/cli/src/main.rs, src-rust/crates/core/src/hosted_review.rs
  • Supporting files inspected: 1
  • Supporting file list: AGENTS.md
  • Findings: 0
  • No-findings reason: The reviewed changes are internally consistent with the hosted-review contract and the runtime’s permission model. In src-rust/crates/core/src/hosted_review.rs:21-96, the new allow_file_write_tools gate is defined distinctly from broader allow_write_tools, and allows_auto_memory_persistence() still requires trust-threshold satisfaction. In src-rust/crates/cli/src/headless.rs:358-367, headless review mode explicitly disables allow_write_tools, allow_file_write_tools, allow_mcp_servers, allow_plugins, and allow_auto_memory_persistence, which matches the contract’s “repository file tools only” boundary for trusted repair and prevents broader capabilities from leaking into review mode. In src-rust/crates/cli/src/main.rs:2086-2088, sessions are marked as hosted-review when that mode is active, preserving downstream behavior. The contract text in docs/headless-contract.md:38-40 and docs/headless-contract.md:210-220 aligns with the implementation’s restricted tool surface and review evidence model, and the documentation updates in docs/advanced.md and docs/configuration.md are consistent with the new hosted-review surface. No actionable divergence was found in the changed files or the supporting code inspected.
  • Tests reported by runtime: 1
    • git diff --check: passed - Command completed successfully with no output.
  • Limitations: 0

Files changed: 0
Commits: 1

Task 241e7450-7fe5-11f1-8e54-6a46d53cc982.

This review follows the prior covencat publication. A decisive submission replaces its state; a COMMENT does not.

Publication validation

  • captured diff evidence is incomplete or truncated

Evidence was incomplete or contradictory, so this is a COMMENT review rather than an approval or change request.

@romgenie

Copy link
Copy Markdown
Member Author

@covencat Please rerun the complete current-head review now that exact-base/head diff capture retains the full patch. Submit the native decision; approve only with complete trusted evidence and no actionable findings.

@covencat covencat Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Coven review

Status: success

The runtime review output was downgraded because its publication evidence was incomplete or contradictory.

Evidence

  • PR: #163
  • Base: main @ af61be3195f668689546580652ab13569170970d
  • Head: agent/hosted-repair @ 21aceb81b666071a409e3b93cf922b6b6dfb318c
  • Checked-out workspace HEAD: 21aceb81b666071a409e3b93cf922b6b6dfb318c
  • Changed files supplied to agent: 6
  • Review context SHA-256: 7e461dc234d39623da1a49fe3dc8dac0f61b48af4ce51bd08cd31d2df5a5ce9d
  • Files: docs/advanced.md, docs/configuration.md, docs/headless-contract.md, src-rust/crates/cli/src/headless.rs, src-rust/crates/cli/src/main.rs, src-rust/crates/core/src/hosted_review.rs

Structured review

  • Mode: pull_request
  • Evidence status: partial
  • Reviewed files: 6
  • Reviewed file list: docs/advanced.md, docs/configuration.md, docs/headless-contract.md, src-rust/crates/cli/src/headless.rs, src-rust/crates/cli/src/main.rs, src-rust/crates/core/src/hosted_review.rs
  • Supporting files inspected: 1
  • Supporting file list: AGENTS.md
  • Findings: 0
  • No-findings reason: The changed files consistently implement the intended trusted-worker repair path and preserve the review contract boundaries: src-rust/crates/cli/src/headless.rs:202-207, 283-297 adds a dedicated hosted-repair prompt path and explicitly tells the runtime to stay within repository file edits, while also excluding command/network/git/test execution. src-rust/crates/cli/src/headless.rs:351-367 forces hosted-review safety gates off for write tools, MCP, plugins, user memory, and auto memory persistence, aligning with the documented hosted-review isolation. src-rust/crates/cli/src/main.rs:595-603 enables allow_file_write_tools only when --hosted-repair is set, while keeping broader write surfaces disabled. docs/headless-contract.md:38-40 and docs/advanced.md:574-576 describe the dedicated hosted-repair surface as file-only and non-executable, matching the code paths above. src-rust/crates/core/src/hosted_review.rs:21-97 includes a dedicated allow_file_write_tools flag and default-off behavior, so the new mode is represented in config rather than being inferred indirectly. I did not find a blocking mismatch between the changed code and the supporting contract/docs, and the trusted validation receipt shows git diff --check passed.
  • Tests reported by runtime: 1
    • git diff --check: passed - Command completed successfully with no output.
  • Limitations: 1
    • High confidence; the review was bounded to the supplied changed files plus directly relevant supporting contract/configuration sources, and no material limitation remains.

Files changed: 0
Commits: 1

Task 9d08bd30-7fe5-11f1-8f01-ba72b931bda1.

This review follows the prior covencat publication. A decisive submission replaces its state; a COMMENT does not.

Publication validation

  • review reported limitations

Evidence was incomplete or contradictory, so this is a COMMENT review rather than an approval or change request.

@romgenie

Copy link
Copy Markdown
Member Author

@covencat Perform the final complete review of the current head using the full merge-base diff evidence now deployed. Submit the native decision; approve only if evidence is complete, trusted validation passes, and there are no actionable findings.

@covencat covencat Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Coven review

Status: success

Covencat completed the source review. Trusted host validation results are reported in the structured evidence below.

Evidence

  • PR: #163
  • Base: main @ af61be3195f668689546580652ab13569170970d
  • Merge base: af61be3195f668689546580652ab13569170970d
  • Head: agent/hosted-repair @ 21aceb81b666071a409e3b93cf922b6b6dfb318c
  • Checked-out workspace HEAD: 21aceb81b666071a409e3b93cf922b6b6dfb318c
  • Changed files supplied to agent: 6
  • Review context SHA-256: 36427130b871e9edddd3bd59cf2a9ff58dbf65706aa2a34a477cb7fab52cd707
  • Files: docs/advanced.md, docs/configuration.md, docs/headless-contract.md, src-rust/crates/cli/src/headless.rs, src-rust/crates/cli/src/main.rs, src-rust/crates/core/src/hosted_review.rs

Structured review

Files changed: 0
Commits: 1

Task 38bb9860-7fe6-11f1-8cdf-d9c46d771cec.

This review follows the prior covencat publication. A decisive submission replaces its state; a COMMENT does not.

…dary

- --hosted-repair now conflicts_with --dangerously-skip-permissions so the
  starved tool surface can't be widened into full bypass (shell/network)
- add load-bearing SECURITY comment on the file-tool allowlist: since
  github_context forces BypassPermissions, this allowlist is the sole
  containment boundary and is guarded by the exhaustive filter test
- extend the CLI conflict test to assert the new rejection

@covencat covencat Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Coven review

Status: partial

The runtime review output was downgraded because its publication evidence was incomplete or contradictory.

Evidence

  • PR: #163
  • Base: main @ af61be3195f668689546580652ab13569170970d
  • Merge base: af61be3195f668689546580652ab13569170970d
  • Head: agent/hosted-repair @ a63751be3adfc65311da19660b648d59d4aa8398
  • Checked-out workspace HEAD: a63751be3adfc65311da19660b648d59d4aa8398
  • Changed files supplied to agent: 6
  • Review context SHA-256: 854e202f727ee5cd31b4fc1d7e3000c574b5361c8c158e960ed416ca0e4eaf6b
  • Files: docs/advanced.md, docs/configuration.md, docs/headless-contract.md, src-rust/crates/cli/src/headless.rs, src-rust/crates/cli/src/main.rs, src-rust/crates/core/src/hosted_review.rs

Structured review

  • Mode: pull_request
  • Evidence status: partial
  • Reviewed files: 6
  • Reviewed file list: docs/advanced.md, docs/configuration.md, docs/headless-contract.md, src-rust/crates/cli/src/headless.rs, src-rust/crates/cli/src/main.rs, src-rust/crates/core/src/hosted_review.rs
  • Supporting files inspected: 0
  • Findings: 0
  • No-findings reason: The changed files consistently enforce the bounded review contract and the hosted-review lockdown: src-rust/crates/cli/src/headless.rs:182-195 and :245-260 classify review-mode briefs and inject the exact review instructions required for a bounded evidence-backed review, including the mandatory final sections. src-rust/crates/cli/src/headless.rs:354-367 disables write tools, file-write tools, MCP, plugins, user memory, and auto memory persistence whenever a review-mode brief is loaded, matching the containment intent. src-rust/crates/cli/src/main.rs:592-603 applies the same hosted-review restrictions in the CLI path and separately enables the narrower allow_file_write_tools only for hosted repair, while still disabling broader write and plugin/MCP/memory capabilities. src-rust/crates/core/src/hosted_review.rs:21-97 defines the new hosted-review configuration fields and the auto-memory gating logic in a coherent way, with defaults and is_default() aligned. The updated docs files were inspected as supporting contract documentation and do not contradict the code paths above. The trusted validation evidence (git diff --check) passed, so there is no patch-format or whitespace defect to report.
  • Tests reported by runtime: 1
    • git diff --check: passed - Command completed successfully with no output.
  • Limitations: 1
    • No supporting-code file reads or search results were captured during this review.

Files changed: 0
Commits: 1

Task autoreview-f314bedf4416a2ac2cc07af95650093551bb9cd0c92233a5.

This review follows the prior covencat publication. A decisive submission replaces its state; a COMMENT does not.

Publication validation

  • review evidence was not marked complete
  • runtime result was not successful
  • review reported limitations

Evidence was incomplete or contradictory, so this is a COMMENT review rather than an approval or change request.

@BunsDev

BunsDev commented Jul 15, 2026

Copy link
Copy Markdown
Member

Review — approve, with two hardening commits pushed

Read the full diff. This is a well-scoped, security-conscious change: --hosted-repair gives a trusted worker a deliberately starved tool surface (only Read/Grep/Glob/Edit/Write/ApplyPatch/BatchEdit/NotebookEdit), with validation/commit/push kept in the control plane, outside the model's reach.

What's genuinely good

  • Tight allowlist enforced by an exhaustive test that asserts the required tools, a hard exclusion list (Bash, PtyBash, PowerShell, WebSearch, WebFetch, Agent, TeamCreate, Skill, MCP), and a catch-all so a newly-added tool can't silently leak in.
  • Separate allow_file_write_tools flag (distinct from allow_write_tools, defaults false, included in is_read_only()); conflicts_with/requires_all enforced at the clap layer and tested.
  • Correct progress semantics for repair: success keys off workspace_dirty rather than commits; no-op runs return Failure/AmbiguousSpec. v2 compat is additive and bounded (["2","3"], v3 still normative).

Two hardening items I pushed (maintainer-modify) to agent/hosted-repair:

  1. --hosted-repair now conflicts_with --dangerously-skip-permissions. Since github_context already forces BypassPermissions, there are no permission prompts in repair mode — so the tool allowlist is the sole containment boundary. Blocking the bypass combo prevents widening that surface (e.g. re-admitting shell/network) via a second flag. Added a CLI test asserting the rejection.
  2. Added a load-bearing // SECURITY comment on the file-tool allowlist branch documenting that it is the containment boundary and must not be widened without updating the exhaustive filter test.

Local verification on the new head: cargo fmt --check, cargo clippy -p claurst --all-targets -D warnings (clean), full claurst test suite green (88 + hosted_repair suite incl. the new case).

Verdict: ✅ approve & merge once CI is green on the updated head.

@BunsDev
BunsDev merged commit 561c026 into OpenCoven:main Jul 15, 2026
3 of 4 checks passed
@romgenie
romgenie deleted the agent/hosted-repair branch July 15, 2026 01:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants