Harden tier2 scoped writeback harness #233

Merged: khaliqgant merged 2 commits into main from codex/tier2-workspace-token on Jun 1, 2026

@khaliqgant
Member

Summary

  • fix the Tier-2 harness API-key credential path: WEB/RelayAuth API key now mints one relay_ws_ workspace token via /v1/tokens/workspace, then uses Bearer relay_ws_ for /v1/tokens/path
  • keep data-plane operations on relay_pa_ path tokens: run-scoped relay_pa_ for seed/read/admission probes, per-member relay_pa_ tokens for member writebacks
  • request paths as /* so minted scopes match the strict relayfile:fs:write:/* allowlist
  • add opt-in relayfile-mount HTTP status logging and enable it in the harness so retried mount/writeback 429 + Retry-After responses are observable
  • lowercase harness run IDs as a temporary harness-only workaround; fix(mountsync): preserve scoped write path case #232 fixed the real path-case bug on main

Production evidence already captured

  • /tmp/relayfile-tier2-prod-full-20260601t071420z.json: N=6x2, no #1602 pathology, scoped correctness verified
  • /tmp/relayfile-tier2-prod-saturate-20260601t071950z.json: N=16x2, 8x write_admission_limit 429 with Retry-After=5, no 500/object-reset/context-deadline

Verification

  • npm run test:load:tier2-scoped-writeback:self-test
  • go test ./cmd/relayfile-mount ./internal/mountsync -count=1

Notes

  • x-api-key is no longer sent to /v1/tokens/path; that endpoint receives only Bearer relay_ws_.
  • The mount HTTP status logger omits retry-after= when the header is absent, avoiding false positive Retry-After observations on successful 200 responses.
  • This branch is rebased on main after fix(mountsync): preserve scoped write path case #232 (squash 7497f16).

@coderabbitai

coderabbitai Bot commented Jun 1, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 3e93d22c-329a-497f-9f35-f8d60763c24b

📥 Commits

Reviewing files that changed from the base of the PR and between 3df8453 and 033b792.

📒 Files selected for processing (3)
  • cmd/relayfile-mount/fuse_mount.go
  • internal/mountsync/syncer.go
  • test/load/README.md

Walkthrough

This PR adds HTTP response status logging to mount client operations and extends the Tier-2 load harness to support Relayauth API key-driven token minting with dedicated data-plane token scoping. It also records completed trajectory metadata for prior review work and updates the trajectory index.

Changes

HTTP Status Logging Feature

| Layer | File(s) | Summary |
|---|---|---|
| HTTPClient status logger contract and logging implementation | internal/mountsync/syncer.go | HTTPClient gains mutex-protected httpStatusLogger state and exposes SetHTTPStatusLogger to configure it. An internal logHTTPStatus helper formats and logs HTTP method, request path, attempt number, status code, and optional Retry-After header. |
| Response status logging in HTTP operations | internal/mountsync/syncer.go | ExportGithubWorkingTreeTar and doJSON invoke logHTTPStatus after receiving responses, capturing successful 2xx, retryable, and terminal error statuses with retry context. |
| CLI flag and mount integration | cmd/relayfile-mount/main.go, cmd/relayfile-mount/fuse_mount.go | New --log-http-status flag (via RELAYFILE_MOUNT_LOG_HTTP_STATUS) is added to mountConfig, parsed from command-line/env, and conditionally installed on the HTTP client in both fuse_mount and polling paths. |
| HTTP status logging test coverage | internal/mountsync/http_client_test.go | TestHTTPClientLogsRetriedHTTPStatus verifies that status logs capture both retried (429 with Retry-After) and successful (200) responses, with negative assertion that final success logs lack retry metadata. |

Tier-2 Load Harness Credential and Token Minting Updates

| Layer | File(s) | Summary |
|---|---|---|
| Token path helpers and credential gating logic | test/load/tier2-cfdo-scoped-writeback.mjs | Introduces tokenPath() to normalize remote roots into wildcard token-path format for relayauth. Credential gating expands from requiring only RELAYFILE_TIER2_WORKSPACE_TOKEN to accepting RELAYFILE_TIER2_WORKSPACE_TOKEN or RELAYFILE_TIER2_RELAYAUTH_API_KEY. runId is normalized to lowercase in config. |
| Workspace and data-plane token minting functions | test/load/tier2-cfdo-scoped-writeback.mjs | Adds mintWorkspaceToken() to optionally mint workspace tokens from Relayauth API key, and introduces mintRunDataPlaneToken() to mint dedicated tokens scoped to /team-tier2/<runId>/** for run data-plane operations. Updates mintPathToken() to use tokenPath() for member token minting. |
| Data-plane token authorization in operations | test/load/tier2-cfdo-scoped-writeback.mjs | Remote file seeding, reading, and direct admission probes switch from config.workspaceToken to config.dataPlaneToken for authorization. X-Correlation-Id header is added to relayfile requests using the normalized runId. |
| Run orchestration and HTTP status logging flag | test/load/tier2-cfdo-scoped-writeback.mjs | runHarness() reorders token minting to mint data-plane token earlier, conditionally captures workspace token evidence, and removes --full-reconcile from writeback mount calls. Mount invocations include new --log-http-status flag. |
| Tier-2 load documentation and self-test updates | test/load/README.md, test/load/tier2-cfdo-scoped-writeback.mjs | README documents alternative credential flows using Relayauth API key and workspace token minting. Self-tests validate tokenPath() output and updated credential-missing gating logic (workspace token or API key). |

Trajectory Completion Metadata

| Layer | File(s) | Summary |
|---|---|---|
| Trajectory compaction metadata files | .trajectories/completed/2026-04/traj_*.compaction.json, .trajectories/completed/2026-05/traj_*.compaction.json | 20 JSON files recording trajectory compaction events (source trajectoryId, compaction target compact_xl96yexa79wg, completion timestamps). |
| PR #233 trajectory completion summary and metadata | .trajectories/completed/2026-06/traj_9n5xjmq2qpxz/summary.md, .trajectories/completed/2026-06/traj_9n5xjmq2qpxz/trajectory.json | Completes trajectory for PR #233 review work, recording HTTP status logging wiring, HTTPClient race-safety fixes, tier2 documentation updates, and test verification steps. Includes task metadata, agent context, and event logs. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • AgentWorkforce/relayfile#166: Both PRs touch internal/mountsync/syncer.go and extend HTTPClient logging behavior; PR #166 focuses on timeout refactoring while this PR adds status logging.
  • AgentWorkforce/relayfile#228: Main PR extends the Tier-2 CF-DO scoped writeback load harness originally added in PR #228, introducing token-minting credential flows and mounting HTTP status observability.

Poem

A rabbit hops through status logs so bright,
With tokens minted left and right,
Data-planes scoped with careful grace,
HTTP whispers from each place—
Credentials flow, the harness sings,
Observability unlocks all things! 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically summarizes the main focus of the pull request on hardening the tier2 scoped writeback harness. |
| Description check | ✅ Passed | The description provides detailed technical context directly related to the changeset, including credential flow fixes, token scoping, HTTP status logging, and verification steps. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces HTTP status logging for the mount client to improve observability, adding a --log-http-status flag and corresponding logging logic. It also updates the load test harness to support dynamically minting workspace and data-plane tokens. A concurrency issue was identified in HTTPClient where httpStatusLogger is accessed concurrently without synchronization, which could lead to a data race; protecting it with a mutex is recommended.

Comment on lines +328 to +335
func (c *HTTPClient) SetHTTPStatusLogger(logger Logger) {
	c.httpStatusLogger = logger
}

func (c *HTTPClient) logHTTPStatus(method, requestPath string, statusCode int, retryAfter string, attempt int) {
	if c.httpStatusLogger == nil {
		return
	}

medium

The httpStatusLogger field of HTTPClient is read concurrently in logHTTPStatus (which is called by concurrent goroutines during bootstrap/sync) and can be written concurrently via SetHTTPStatusLogger. Since Go interface values are not safe for concurrent read/write without synchronization, this introduces a data race that can lead to panics or undefined behavior. Protecting access to httpStatusLogger using the existing tokenMu RWMutex resolves this issue safely.

func (c *HTTPClient) SetHTTPStatusLogger(logger Logger) {
	c.tokenMu.Lock()
	c.httpStatusLogger = logger
	c.tokenMu.Unlock()
}

func (c *HTTPClient) logHTTPStatus(method, requestPath string, statusCode int, retryAfter string, attempt int) {
	c.tokenMu.RLock()
	logger := c.httpStatusLogger
	c.tokenMu.RUnlock()
	if logger == nil {
		return
	}

@github-actions

github-actions Bot commented Jun 1, 2026

Relayfile Eval Review

Run: .relayfile/evals/runs/2026-06-01T07-45-07-840Z-HEAD-provider
Mode: provider
Git SHA: 541252a

Passed: 4 | Needs human: 0 | Reviewable: 0 | Missing output: 0 | Failed: 0 | Skipped: 0

Human Review Cases

No reviewable human-review cases captured Relayfile output.

agent-relay-bot Bot added a commit that referenced this pull request Jun 1, 2026
@agent-relay-bot

Reviewed and fixed the PR locally.

Changed:

  • Wired --log-http-status through FUSE mounts in cmd/relayfile-mount/fuse_mount.go.
  • Made HTTPClient status logger access race-safe in internal/mountsync/syncer.go.
  • Updated test/load/README.md so the tier2 docs match the new RELAYFILE_TIER2_RELAYAUTH_API_KEY minting path.

Verified:

  • npm run test:load:tier2-scoped-writeback:self-test passes.
  • Go tests could not run because go is not installed in this environment.

@agent-relay-bot

pr-reviewer applied fixes — committed and pushed 3df8453 to this PR. The notes below describe what changed.

Reviewed and fixed the PR locally.

Changed:

  • Wired --log-http-status through FUSE mounts in cmd/relayfile-mount/fuse_mount.go.
  • Made HTTPClient status logger access race-safe in internal/mountsync/syncer.go.
  • Updated test/load/README.md so the tier2 docs match the new RELAYFILE_TIER2_RELAYAUTH_API_KEY minting path.

Verified:

  • npm run test:load:tier2-scoped-writeback:self-test passes.
  • Go tests could not run because go is not installed in this environment.

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 4 files

@khaliqgant khaliqgant force-pushed the codex/tier2-workspace-token branch from 3df8453 to 033b792 on June 1, 2026 07:43

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/load/tier2-cfdo-scoped-writeback.mjs`:
- Around line 377-405: The minted token must be validated to ensure its decoded
scopes are confined to runRoot: in mintRunDataPlaneToken, after calling
scopesFromToken(accessToken) (and using tokenPath(runRoot) as the requested
path), inspect the decoded scopes and/or response.body?.paths and reject the
token if any granted path does not start with the runRoot prefix or grants
broader access than intended; throw an error if scopes are missing, empty, or
include any path outside runRoot so only tokens scoped to the runRoot are
accepted.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: d7d27fd4-acb4-43a9-821c-7985505846c6

📥 Commits

Reviewing files that changed from the base of the PR and between 7497f16 and 3df8453.

📒 Files selected for processing (29)
  • .trajectories/completed/2026-04/traj_7x9nltybo08h.compaction.json
  • .trajectories/completed/2026-04/traj_82lywlk9dcnc.compaction.json
  • .trajectories/completed/2026-04/traj_cdist8i8vdmd.compaction.json
  • .trajectories/completed/2026-04/traj_dmoc4slub7ox.compaction.json
  • .trajectories/completed/2026-04/traj_em3hvzpg1xmx.compaction.json
  • .trajectories/completed/2026-04/traj_i1f02867dkxn.compaction.json
  • .trajectories/completed/2026-04/traj_iuzm83ogm43k.compaction.json
  • .trajectories/completed/2026-04/traj_nixaonkglri1.compaction.json
  • .trajectories/completed/2026-04/traj_qi3qmy5oveab.compaction.json
  • .trajectories/completed/2026-04/traj_wez7rl7pkfpn.compaction.json
  • .trajectories/completed/2026-05/traj_6fjv0fnvrc5e.compaction.json
  • .trajectories/completed/2026-05/traj_6lyjg41p6a28.compaction.json
  • .trajectories/completed/2026-05/traj_9khc36ax639i.compaction.json
  • .trajectories/completed/2026-05/traj_a6rfc30zag40.compaction.json
  • .trajectories/completed/2026-05/traj_ailh4waboewf.compaction.json
  • .trajectories/completed/2026-05/traj_d3drzvodqpn7.compaction.json
  • .trajectories/completed/2026-05/traj_hyqnsfininh5.compaction.json
  • .trajectories/completed/2026-05/traj_v1un6n66y38i.compaction.json
  • .trajectories/completed/2026-05/traj_xf18gkmtr3ib.compaction.json
  • .trajectories/completed/2026-05/traj_z2klijcrwqed.compaction.json
  • .trajectories/completed/2026-06/traj_9n5xjmq2qpxz/summary.md
  • .trajectories/completed/2026-06/traj_9n5xjmq2qpxz/trajectory.json
  • .trajectories/index.json
  • cmd/relayfile-mount/fuse_mount.go
  • cmd/relayfile-mount/main.go
  • internal/mountsync/http_client_test.go
  • internal/mountsync/syncer.go
  • test/load/README.md
  • test/load/tier2-cfdo-scoped-writeback.mjs
💤 Files with no reviewable changes (1)
  • .trajectories/index.json

Comment on lines +377 to +405
async function mintRunDataPlaneToken(config) {
  const runRoot = `/team-tier2/${config.runId}`;
  const response = await requestJSON(config, {
    api: "relayauth",
    method: "POST",
    path: "/v1/tokens/path",
    token: config.workspaceToken,
    body: {
      workspaceId: config.workspaceId,
      paths: [tokenPath(runRoot)],
      ttlSeconds: config.tokenTtlSeconds,
      agentName: "tier2-data-plane",
    },
  });
  if (!response.ok) {
    throw new Error(`data-plane token mint failed: ${response.status} ${JSON.stringify(response.body ?? response.text)}`);
  }
  const accessToken = response.body?.accessToken;
  if (typeof accessToken !== "string" || accessToken.trim() === "") {
    throw new Error("data-plane token mint did not return accessToken");
  }
  return {
    token: accessToken,
    scopes: scopesFromToken(accessToken),
    paths: response.body?.paths,
    status: response.status,
    durationMs: response.durationMs,
  };
}

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Validate the run data-plane token scopes before accepting it.

This helper decodes the returned scopes but never enforces that the minted token is actually confined to runRoot. If /v1/tokens/path ever returns a broader write token, the harness can still pass while using that token for seeding, reads, and admission probes, which weakens the scoped-correctness claim.

Suggested fix
+function validateRunDataPlaneScopes(scopes, runRoot) {
+  if (!Array.isArray(scopes) || scopes.length === 0) {
+    throw new Error(`data-plane token for ${runRoot} has no scopes`);
+  }
+  const requiredWriteScope = pathScope(runRoot);
+  let writeScopes = 0;
+  for (const scope of scopes) {
+    if (isBroadOrAdminScope(scope)) {
+      throw new Error(`data-plane token for ${runRoot} has broad/admin scope ${scope}`);
+    }
+    const value = String(scope ?? "").trim();
+    if (value.startsWith("relayfile:fs:write:")) {
+      writeScopes += 1;
+      if (value !== requiredWriteScope) {
+        throw new Error(`data-plane token for ${runRoot} has wrong-root write scope ${scope}`);
+      }
+    }
+  }
+  if (writeScopes === 0) {
+    throw new Error(`data-plane token for ${runRoot} is missing exact write scope ${requiredWriteScope}`);
+  }
+}
+
 async function mintRunDataPlaneToken(config) {
   const runRoot = `/team-tier2/${config.runId}`;
   const response = await requestJSON(config, {
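Review bot: validateRunDataPlaneScopes compares only scopes that start with relayfile:fs:write: against the run root, so any other scope that isBroadOrAdminScope does not flag is accepted without a root check, even though the comment above says this token is also used for reads and admission probes. Consider checking the path of every filesystem scope against runRoot rather than write scopes alone. Two smaller points in the same loop: pathScope and isBroadOrAdminScope are called but not defined in this suggestion, so the strength of the check rests on helpers that are not visible here, and isBroadOrAdminScope receives the raw scope while the prefix test uses the trimmed string, so normalise once at the top of the loop and pass the same value to both.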
@@
   if (typeof accessToken !== "string" || accessToken.trim() === "") {
     throw new Error("data-plane token mint did not return accessToken");
   }
+  const scopes = scopesFromToken(accessToken);
+  validateRunDataPlaneScopes(scopes, runRoot);
   return {
     token: accessToken,
-    scopes: scopesFromToken(accessToken),
+    scopes,
     paths: response.body?.paths,
     status: response.status,
     durationMs: response.durationMs,
   };
 }
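Review bot: the returned object still passes paths: response.body?.paths through unchecked, so the evidence can record a path list that disagrees with the decoded scopes that were just validated. Compare it with the requested path list before returning, or leave it out of the result. It would also be worth a short comment at the validateRunDataPlaneScopes(scopes, runRoot) call stating that a throw here aborts the run before the token is used for any request.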
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/load/tier2-cfdo-scoped-writeback.mjs` around lines 377 - 405, The minted
token must be validated to ensure its decoded scopes are confined to runRoot: in
mintRunDataPlaneToken, after calling scopesFromToken(accessToken) (and using
tokenPath(runRoot) as the requested path), inspect the decoded scopes and/or
response.body?.paths and reject the token if any granted path does not start
with the runRoot prefix or grants broader access than intended; throw an error
if scopes are missing, empty, or include any path outside runRoot so only tokens
scoped to the runRoot are accepted.

@agent-relay-bot

Reviewed PR #233 and traced the changed mount, HTTP client, and tier2 harness paths. The bot review’s actionable logger race finding is already fixed with synchronized logger access.

I restored .trajectories/index.json; the PR was deleting it, which would break the workspace trajectory metadata contract. I also verified the tier2 harness self-test passes:

npm run test:load:tier2-scoped-writeback:self-test

Go package tests could not run because go is not installed in this environment.


@agent-relay-bot agent-relay-bot Bot left a comment

⚠️ pr-reviewer push failed (exit 1) — fixes were not applied to the PR. The notes below are advisory and were not pushed.

Reviewed PR #233 and traced the changed mount, HTTP client, and tier2 harness paths. The bot review’s actionable logger race finding is already fixed with synchronized logger access.

I restored .trajectories/index.json; the PR was deleting it, which would break the workspace trajectory metadata contract. I also verified the tier2 harness self-test passes:

npm run test:load:tier2-scoped-writeback:self-test

Go package tests could not run because go is not installed in this environment.

@agent-relay-bot

⚠️ pr-reviewer did not push — the PR branch advanced during the review, so fixes were withheld to avoid overwriting newer commits. Re-trigger the review once the branch settles. The notes below are advisory and were not pushed.

Reviewed PR #233 and made one fix in test/load/tier2-cfdo-scoped-writeback.mjs: the harness now validates the minted run data-plane token’s decoded write scope before using it for seed/verify/probe calls. This keeps the new “run-scoped data-plane token” contract enforceable instead of only recording scopes in evidence.

Checks run:

  • node test/load/tier2-cfdo-scoped-writeback.mjs --self-test
  • node --check test/load/tier2-cfdo-scoped-writeback.mjs
  • scripts/check-contract-surface.sh

I could not run Go tests locally because go is not installed in this environment.

@khaliqgant khaliqgant merged commit c3c704e into main Jun 1, 2026
9 checks passed
@khaliqgant khaliqgant deleted the codex/tier2-workspace-token branch June 1, 2026 07:51
@agent-relay-bot

⚠️ pr-reviewer did not push — the PR branch advanced during the review, so fixes were withheld to avoid overwriting newer commits. Re-trigger the review once the branch settles. The notes below are advisory and were not pushed.

Reviewed and fixed PR #233 locally.

Changes made:

  • test/load/tier2-cfdo-scoped-writeback.mjs
    • Prefer an explicit RELAYFILE_TIER2_WORKSPACE_TOKEN when both token and API key are set.
    • Only mint a workspace token from RELAYFILE_TIER2_RELAYAUTH_API_KEY when no workspace token is provided.
    • Validate the minted run data-plane token’s decoded scopes before using it.
    • Fix root token path normalization from //* to /*.
    • Added self-test coverage for these cases.
  • test/load/README.md
    • Documented credential precedence when both workspace token and API key are present.
  • packages/sdk/typescript/src/workspace-seeder-tar.test.ts
    • Removed stale @relayfile/sdk package-entry mock that broke clean-install SDK tests before dist exists.

Checks run:

  • npm run test:load:tier2-scoped-writeback:self-test
  • node --check test/load/tier2-cfdo-scoped-writeback.mjs
  • scripts/check-contract-surface.sh
  • npm run test --workspace=packages/core
  • npm run test --workspace=packages/sdk/typescript
  • npm run test --workspace=packages/local-mount
  • npm run test --workspace=@relayfile/file-observer
  • npm run typecheck --workspace=packages/sdk/typescript
  • npm run typecheck --workspace=packages/local-mount
  • npm run build --workspace=packages/core
  • npm run build --workspace=packages/sdk/typescript

Go tests could not be run because go is not installed in this environment.

@agent-relay-bot

⚠️ pr-reviewer did not push — the PR branch advanced during the review, so fixes were withheld to avoid overwriting newer commits. Re-trigger the review once the branch settles. The notes below are advisory and were not pushed.

Reviewed PR #233 and fixed two real breakages found during local verification:

  • cmd/relayfile-cli/main.go: flushed OAuth callback error responses before signaling runCloudLogin, preventing EOF races in the state-mismatch test.
  • packages/local-mount/src/auto-sync.ts and mount-reflink.test.ts: tracked file sizes alongside mtimes so rapid same-tick edits are detected, and made the reflink copy test deterministic.

Local checks passed:

  • PATH=/tmp/codex-go/go/bin:$PATH npm test
  • ./scripts/check-contract-surface.sh
  • Go builds for relayfile, relayfile-mount, and relayfile-cli
  • npm run test:load:tier2-scoped-writeback:self-test

@agent-relay-bot

Reviewed and fixed PR #233 locally.

Changes made:

  • Tier-2 harness now prefers explicit workspace tokens, validates run data-plane token scopes, and fixes root token path normalization.
  • README documents credential precedence.
  • Fixed unpushed bot-review CI issues in SDK tar seeder test, local-mount same-tick autosync detection, and CLI OAuth callback flushing.

Local checks passed:

  • go test ./...
  • scripts/check-contract-surface.sh
  • Tier-2 harness self-test and syntax check
  • SDK/core/local-mount/file-observer tests
  • SDK/local-mount typechecks
  • core and SDK builds


@agent-relay-bot agent-relay-bot Bot left a comment

⚠️ pr-reviewer did not push — the PR branch advanced during the review, so fixes were withheld to avoid overwriting newer commits. Re-trigger the review once the branch settles. The notes below are advisory and were not pushed.

Reviewed and fixed PR #233 locally.

Changes made:

  • Tier-2 harness now prefers explicit workspace tokens, validates run data-plane token scopes, and fixes root token path normalization.
  • README documents credential precedence.
  • Fixed unpushed bot-review CI issues in SDK tar seeder test, local-mount same-tick autosync detection, and CLI OAuth callback flushing.

Local checks passed:

  • go test ./...
  • scripts/check-contract-surface.sh
  • Tier-2 harness self-test and syntax check
  • SDK/core/local-mount/file-observer tests
  • SDK/local-mount typechecks
  • core and SDK builds

@agent-relay-bot

Reviewed PR #233 and made one fix in test/load/tier2-cfdo-scoped-writeback.mjs: tokenPath("/") now returns "/*" instead of "//*", with self-test coverage added.

Verified:

  • npm run test:load:tier2-scoped-writeback:self-test passes
  • credential-gated harness skip exits 77 and emits skipped evidence as expected

I could not run Go tests because go/gofmt are not installed in this container.


@agent-relay-bot agent-relay-bot Bot left a comment

⚠️ pr-reviewer did not push — the PR branch advanced during the review, so fixes were withheld to avoid overwriting newer commits. Re-trigger the review once the branch settles. The notes below are advisory and were not pushed.

Reviewed PR #233 and made one fix in test/load/tier2-cfdo-scoped-writeback.mjs: tokenPath("/") now returns "/*" instead of "//*", with self-test coverage added.

Verified:

  • npm run test:load:tier2-scoped-writeback:self-test passes
  • credential-gated harness skip exits 77 and emits skipped evidence as expected

I could not run Go tests because go/gofmt are not installed in this container.
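
The run-root scope confinement and the tokenPath("/") normalization discussed in this thread, as an added example that is not code from the PR or from the relayfile project: it compares granted paths with the run root at segment boundaries, so a sibling root such as /team-tier2/run10 is not accepted for /team-tier2/run1 by a bare prefix test. The helper names, the relayfile:fs:<action>:<path> scope grammar beyond the write scope quoted in the PR description, and the fail-closed handling of unrecognised scopes are assumptions.

```javascript
"use strict";

// Assumed scope grammar for this sketch: relayfile:fs:<action>:<absolute path>.
const FS_SCOPE = /^relayfile:fs:([a-z]+):(\/.*)$/;

// Canonicalise a root: leading slash, no empty segments, no trailing slash.
// Dot segments and wildcards are refused rather than resolved.
function normalizeRoot(root) {
  const segments = String(root ?? "").split("/").filter((s) => s !== "");
  for (const segment of segments) {
    if (segment === "." || segment === ".." || segment.includes("*")) {
      throw new Error(`unsafe path segment ${JSON.stringify(segment)}`);
    }
  }
  return "/" + segments.join("/");
}

// Wildcard form to request from the token endpoint; "/" gives "/*", not "//*".
function tokenPath(root) {
  const normalized = normalizeRoot(root);
  return normalized === "/" ? "/*" : `${normalized}/*`;
}

// Directory a granted path covers, after dropping one trailing /* or /**.
function grantedRoot(path) {
  const base = path.replace(/\/\*{1,2}$/, "") || "/";
  const normalized = normalizeRoot(base);
  if (normalized !== base) {
    throw new Error(`non-canonical granted path ${JSON.stringify(path)}`);
  }
  return normalized;
}

// Containment at a segment boundary: "/a/run10" is not inside "/a/run1".
function isWithin(candidate, root) {
  if (root === "/") return true;
  return candidate === root || candidate.startsWith(`${root}/`);
}

// Throws unless every scope is a filesystem scope under runRoot and the exact
// wildcard write scope for runRoot is present. The comparison is case-sensitive.
function validateRunScopes(scopes, runRoot) {
  const root = normalizeRoot(runRoot);
  if (!Array.isArray(scopes) || scopes.length === 0) {
    throw new Error(`token for ${root} has no scopes`);
  }
  const requiredWrite = `relayfile:fs:write:${tokenPath(root)}`;
  let hasRequiredWrite = false;
  for (const raw of scopes) {
    const scope = String(raw ?? "").trim();
    const match = FS_SCOPE.exec(scope);
    if (!match) {
      throw new Error(`unrecognised scope ${JSON.stringify(scope)}`);
    }
    if (!isWithin(grantedRoot(match[2]), root)) {
      throw new Error(`scope ${scope} is outside ${root}`);
    }
    if (scope === requiredWrite) hasRequiredWrite = true;
  }
  if (!hasRequiredWrite) {
    throw new Error(`missing required scope ${requiredWrite}`);
  }
  return true;
}

// Non-throwing wrapper so callers and self-tests can compare a plain string.
function checkRunScopes(scopes, runRoot) {
  try {
    validateRunScopes(scopes, runRoot);
    return "ok";
  } catch (err) {
    return `rejected: ${err.message}`;
  }
}

// Constructed sample scope lists (not taken from any real token).
const DEMO_ROOT = "/team-tier2/run1";
const DEMO_CASES = [
  ["relayfile:fs:read:/team-tier2/run1/*", "relayfile:fs:write:/team-tier2/run1/*"],
  ["relayfile:fs:write:/team-tier2/run10/*"],
  ["relayfile:fs:write:/*"],
  ["relayfile:fs:write:/team-tier2/run1/../other/*"],
];
for (const scopes of DEMO_CASES) {
  console.log(JSON.stringify(scopes), "->", checkRunScopes(scopes, DEMO_ROOT));
}
```
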
