Skip to content

Agent-first pivot + workflow-system hardening (docs/spec/ADR — Phase 1 not started)#5

Merged
cemililik merged 13 commits into
mainfrom
development
Jun 5, 2026
Merged

Agent-first pivot + workflow-system hardening (docs/spec/ADR — Phase 1 not started)#5
cemililik merged 13 commits into
mainfrom
development

Conversation

@cemililik

@cemililik cemililik commented Jun 5, 2026

Copy link
Copy Markdown
Contributor

What & why

Pivots Relavium from workflow-first to agent-first + workflow (the maintainer's Option-A decision), and folds in a validated workflow-system hardening pass. Phase 0/M0 is complete and Phase 1 has not started, so this lands entirely at the docs / spec / ADR layer — there is no packages/* or apps/* code here. The point is to settle the design before any engine code is written.

A conversational AgentSession becomes a first-class engine entry point alongside WorkflowEngine — reusing the same ToolRegistry, the @relavium/llm seam, and the event bus — with a one-way chat → workflow export so Relavium sits at both the start (chat) and the destination (committed workflow).

Highlights

6 new ADRs (0024–0029)

  • 0024 AgentSession as a second engine entry point · 0025 refines ADR-0007 (chat panel = agent capability, not an IDE shell) · 0026 session → .relavium.yaml export (reviewed linear-chain scaffold)
  • 0027 expression sandbox (QuickJS-wasm, deterministic, capped) · 0028 pre-egress budget + timeout + concurrency governance · 0029 tool-policy hardening (exact-match commands, narrow-only node tools, secret-no-interpolation, one SSRF primitive across base-URL + http_request + MCP)

New canonical artifacts: reference/contracts/agent-session-spec.md, architecture/agent-sessions.md, reference/cli/chat-session.md, tutorials/cli/start-a-chat-session.md, analysis/competitive-landscape-2026-06-05.md.

Roadmap: agent-first sub-spine 1.V–1.AA (parallel, off the M2 critical path) + 1.AB sandbox (on the critical path, folds into 1.P) + 1.AC budget; CLI 2.M–2.Q; desktop chat 3.N/3.O (sign-off renumbered 3.N→3.P); VS Code 4.L/4.M (milestones 4.M*→P4.M*).

Pre-existing bug fixed: roadmap/README had M1/M2 inverted vs phase-1 (a dependency inversion — M1's AgentRunner+retry needed the seam M2 delivered). Aligned the global spine to phase-1: M1 = LLM seam proven, M2 = engine end-to-end.

Conformance checklist

  • ADRs append-only (0007/0009/0011 amended with dated notes; decisions intact; none flipped to Superseded)
  • One canonical home per artifact (substrate narrative in shared-core-engine, not a new file; [chat] references fs_scope/allowedCommands, doesn't fork them)
  • No vendor SDK type crosses the @relavium/llm seam (SessionMessage maps to LlmMessage, never copied)
  • Engine zero platform-specific imports honored (sandbox = QuickJS-wasm via the WebAssembly global, not isolated-vm)
  • Secrets keychain-only; secret-typed inputs rejected from prompts (ADR-0029)
  • Desktop not an IDE — refined (0025), never reversed (0007 intact)
  • 1465/1465 relative links resolve · no private-analysis leak in tracked files
  • Security tightenings labeled as public-API tightenings (not "additive")

Scope: explicitly NOT in this PR

  • Any engine/surface code, Zod schemas, or DB migrations (Phase 1 hasn't started — this is the design layer).
  • Building loops / iteration / subworkflow / best_of_n / jmespath / jsonlogic (all reserved; a future loops/expression ADR owns them).

🤖 Generated with Claude Code

Summary by Sourcery

Pivot the product design to an agent-first model by introducing AgentSession as a co-equal engine entry point alongside WorkflowEngine, and harden the workflow and tool security model through new ADRs and documentation updates.

New Features:

  • Define the AgentSession runtime contract and event namespace as a first-class conversational entry point that shares the existing engine substrate.
  • Document chat-to-workflow export as a canonical path from persistent agent sessions to git-native workflows across CLI, desktop, and VS Code.
  • Specify CLI, desktop, and VS Code chat surfaces and commands that expose AgentSession consistently on all local entry points.

Bug Fixes:

  • Correct roadmap milestone naming and inversion issues between M1/M2 and Phase-1 descriptions.

Enhancements:

  • Refine the desktop app scope to add a co-equal chat tab while preserving its non-IDE constraints.
  • Clarify the engine architecture to describe two entry points on one shared substrate and update roadmap milestones and phase plans to include an agent-first sub-spine.
  • Extend glossary, vision, UVP, deployment models, and tutorials to reflect the agent-first plus workflow positioning.

Documentation:

  • Add and update security-review and workflow-spec docs to define tool-policy hardening, expression sandbox, resource governance, and human gate behavior changes.
  • Introduce detailed specs for expression sandbox behavior, workflow resource governance, tool-policy tightening, and error-code taxonomy in the SSE event schema.
  • Document new desktop database tables, IPC commands, and state management for agent-session persistence and export, ensuring a single canonical home per artifact.

Summary by CodeRabbit

  • New Features

    • Agent-first chat sessions as a co-equal entry point with workflows — persistent, resumable chats across CLI/desktop/VS Code, chat commands (start/resume/export), distinct chat exit code, and export-to-workflow scaffold preserving transcript (secrets excluded).
    • Deterministic expression sandbox (QuickJS‑Wasm), pre‑egress resource governance (budget/timeout/concurrency), stricter tool policies and SSRF protections.
  • Documentation

    • Expanded architecture, ADRs, contracts, CLI/desktop/VS Code guides, tutorials, roadmap, DB/schema, and glossary to reflect the agent-first model and safeguards.

cemililik and others added 7 commits June 5, 2026 09:01
…25/0026)

Record the Option-A pivot from workflow-first to agent-first + workflow: a
conversational AgentSession becomes a first-class engine entry point alongside
WorkflowEngine, reusing the ToolRegistry + @relavium/llm seam + event bus, with a
chat → workflow export (the "graduation" continuum).

- ADR-0024: AgentSession as a second engine entry point (session:* namespace,
  history.db persistence, resumable, one agent + fallback chain per session).
- ADR-0025: refine ADR-0007's desktop scope — a conversational chat panel is an
  agent capability (allowed), distinct from an IDE shell (editor/file-tree/terminal,
  still forbidden); Chat & Canvas co-equal tabs, neutral default landing.
- ADR-0026: session → .relavium.yaml export as a reviewed linear-chain scaffold.
- Append-only amendments to ADR-0007/0009/0011 (dated notes; decisions intact).
- New canonical contract reference/contracts/agent-session-spec.md and the
  architecture home architecture/agent-sessions.md (cites shared-core-engine).
- decisions/README index rows for ADR-0024..0029.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…DR-0027/0028/0029)

A pre-Phase-1 hardening pass over the workflow specs (validated against the
specs; 8 of 27 candidate findings dropped as misframed/already-handled).

- ADR-0027: expression sandbox for condition/transform/merge_fn — QuickJS-wasm
  via the WebAssembly global from embedded bytes (no node:fs/fetch/DOM, no
  new Function), deterministic (no wall-clock/RNG), CPU/mem/time-capped;
  expression_type is js-only in v1.0 (jmespath/jsonlogic reserved).
- ADR-0028: workflow resource governance — pre-egress budget cap + run timeout +
  parallel concurrency cap; pause_for_approval reuses the human-gate seam;
  BYOK-first-class, distinct from ADR-0014 managed billing.
- ADR-0029: tool-policy hardening — exact-match allowedCommands, node tools
  narrow-only, secret-no-interpolation, and one SSRF primitive across provider
  base URLs + http_request + MCP server URLs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…nonical specs

- sse-event-schema: session:* namespace + SessionEvent; budget:warning/paused +
  run:timeout + run:paused (multi-gate aggregate) in the RunEvent union; reserved
  steering/iteration events; ErrorCode taxonomy; attemptNumber; forward-compat rule;
  decidedBy 'timeout' (escalate reserved).
- database-schema: agent_sessions + session_messages (history.db; bound to sessions,
  distinct from the run messages table).
- config-spec: [chat] block referencing [defaults].fs_scope + allowedCommands (no fork).
- ipc-contract: session commands + resume_budget.
- workflow-yaml-spec + node-types: expression_type js-only; budget block; condition
  strict-equality; eager-once context; escalate reserved; parse-time model resolution;
  edge data_mapping reserved; inputs.validation; output_schema; tool-policy tightenings.
- agent-yaml-spec: expose output_schema/input_schema. Index rows + canonical-home line.

Refs ADR-0024/0026/0027/0028/0029.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
shared-core-engine now owns the unified-substrate narrative: WorkflowEngine and
AgentSession are co-equal entry points on one substrate (AgentRunner, ToolRegistry,
@relavium/llm seam, RunEventBus, Checkpointer), hardened once by ADR-0027/0028/0029.
overview + execution-model add the second entry point and scope notes; state-management
marks sessions DB-first (no sixth store). agent-sessions.md cites this file.

Refs ADR-0024/0027/0028/0029.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- CLI: relavium chat REPL + chat-resume/list/export + agent run + gate list; exit
  code 4; new cli/chat-session.md.
- Desktop: /chat + /chat/:sessionId, Chat/Canvas co-equal tabs with a neutral default
  landing (ADR-0025); Export-to-Canvas; agent-capability-vs-IDE-shell line intact.
- VS Code: full chat-assistant panel + openChat/exportChatSession + chat events.

Refs ADR-0024/0025/0026.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…1/M2 spine inversion

- Phase 1: agent-first sub-spine 1.V–1.AA (parallel, not on the M2 critical path) +
  1.AB expression sandbox (on the critical path, folds into 1.P) + 1.AC resource
  governor; mermaid + milestone table updated (M1/M2 definitions kept).
- Phase 2: relavium chat (2.M–2.Q) + agent run + gate list; exit code 4 in the map.
- Phase 3: insert chat 3.N + export 3.O after 3.M; rename sign-off 3.N → 3.P across
  mermaid, heading, the M4 milestone cell, risk rows, and the global spine.
- Phase 4: workstreams 4.L/4.M; in-phase milestones renamed 4.M* → P4.M* (collision).
- Fix a pre-existing global-spine bug: roadmap/README had M1 ('core engine') and M2
  ('LLM seam') inverted relative to phase-1 — a dependency inversion (M1's AgentRunner
  + retry need the seam M2 delivered). Aligned to phase-1: M1 = LLM seam proven,
  M2 = engine end-to-end (critical-path). current.md updated to match.
- Reserve human-gate escalate consistently (decidedBy 'timeout' across phases).

Refs ADR-0024/0026/0027/0028.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ials, analysis

- Positioning: tagline → "Start as an agent. Ship the workflow. Own every run.";
  vision/uvp reframed to two co-equal entry points (chat + workflow); product-constraints
  keeps the no-editor/file-tree/terminal line, adds conversation-mode (ADR-0025);
  README/docs/README/project-structure/deployment-models updated.
- Governance: CLAUDE.md #7 + AGENTS.md #6 refined to agent-capability vs IDE-shell;
  AGENTS.md status corrected to Phase-0-complete.
- Standards: architectural-principles 4a (conversational agent is a first-class entry
  point); security-review adds the chat secret boundary, the three-pronged SSRF policy
  (base URL + http_request + MCP, one primitive), and the ADR-0027 sandbox rules.
- Glossary: AgentSession / mode / chat-to-workflow terms + SessionEvent; tagline +
  unit-of-value softened; escalate reserved.
- Tutorials: chat-first entry + new start-a-chat-session (planned).
- New dated competitive-landscape-2026-06-05 (two-entry-point thesis); 06-03 frozen.

Refs ADR-0024/0025/0026/0027/0029.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@sourcery-ai

sourcery-ai Bot commented Jun 5, 2026

Copy link
Copy Markdown

Reviewer's Guide

Docs-only PR that pivots Relavium from workflow-first to agent-first+workflow, introducing AgentSession as a second engine entry point alongside WorkflowEngine, defining its contracts and surfaces, and simultaneously hardening the workflow system around tool policy, expression sandboxing, resource governance, and roadmap alignment — all without touching packages/apps code.

Sequence diagram for chat-to-workflow export via AgentSession

sequenceDiagram
    actor User
    participant CLI as CLI_relavium
    participant AgentSession
    participant HistoryDB as history_db
    participant WorkflowEngine

    User->>CLI: relavium chat
    CLI->>AgentSession: start(agentRef, context)
    AgentSession->>HistoryDB: insert agent_session
    loop per_turn
        User->>CLI: message text
        CLI->>AgentSession: sendMessage(sessionId, text)
        AgentSession->>HistoryDB: append session_message
    end

    User->>CLI: relavium chat-export sessionId
    CLI->>AgentSession: exportToWorkflow(sessionId)
    AgentSession->>HistoryDB: read agent_session + session_messages
    AgentSession->>WorkflowEngine: createWorkflowScaffold(transcript)
    WorkflowEngine-->>CLI: workflowPath
    CLI-->>User: open .relavium.yaml scaffold
Loading

Entity-relationship diagram for new agent session persistence tables

erDiagram
    agents {
        TEXT id PK
        TEXT slug
    }

    agent_sessions {
        TEXT id PK
        TEXT agent_id FK
        TEXT agent_slug
        TEXT agent_snapshot
        TEXT title
        TEXT model_id
        TEXT working_dir
        TEXT git_ref
        TEXT fs_scope_tier
        TEXT status
        TEXT context_json
        INTEGER total_input_tokens
        INTEGER total_output_tokens
        INTEGER total_cost_microcents
        TEXT exported_workflow_path
        INTEGER created_at
        INTEGER updated_at
    }

    session_messages {
        TEXT id PK
        TEXT session_id FK
        INTEGER sequence_number
        TEXT role
        TEXT content
        TEXT content_parts
        TEXT tool_calls
        TEXT tool_call_id
        TEXT name
        TEXT finish_reason
        INTEGER input_tokens
        INTEGER output_tokens
        INTEGER cost_microcents
        INTEGER created_at
    }

    agents ||--o{ agent_sessions : "configured_by"
    agent_sessions ||--o{ session_messages : "has_messages"
Loading

File-Level Changes

Change Details Files
Define AgentSession as a first-class engine entry point alongside WorkflowEngine and document its runtime contract, persistence, events, and export-to-workflow path.
  • Introduce AgentSession as a co-equal engine entry point sharing AgentRunner, ToolRegistry, @relavium/llm seam, RunEventBus, and Checkpointer with WorkflowEngine.
  • Specify the AgentSession runtime contract (lifecycle, SessionContext, SessionMessage mapping to LlmMessage, export-to-workflow mapping) in a new agent-session-spec.md with Zod-backed schemas.
  • Add an agent-session-focused architecture doc describing how sessions reuse the shared substrate, auto-persist to history.db, and surface across CLI, desktop, and VS Code.
  • Extend the SSE event schema with a disjoint session:* namespace, budget/timeout events, and reserved steering/loop events, clarifying forward-compatibility rules.
  • Add agent_sessions and session_messages tables to the desktop history.db schema, including indexes and guarantees about append-only transcripts and secret handling.
  • Extend IPC and surface references (CLI, desktop, VS Code) with new session-related commands, events, and behaviors, ensuring they all reuse the same AgentSession entry point.
  • Update high-level docs (vision, UVP, glossary, overview, deployment-models, tutorials, AGENTS/CLAUDE/README) to reposition Relavium as agent-first+workflow with a chat→workflow continuum and two engine entry points.
docs/architecture/shared-core-engine.md
docs/architecture/agent-sessions.md
docs/reference/contracts/agent-session-spec.md
docs/reference/contracts/sse-event-schema.md
docs/reference/desktop/database-schema.md
docs/reference/contracts/ipc-contract.md
docs/reference/cli/README.md
docs/reference/vscode/README.md
docs/reference/vscode/extension-api.md
docs/reference/desktop/routes-and-screens.md
docs/reference/cli/commands.md
docs/reference/cli/chat-session.md
docs/reference/contracts/config-spec.md
docs/architecture/state-management.md
docs/reference/shared-core/store-shapes.md
docs/roadmap/phases/phase-1-engine-and-llm.md
docs/roadmap/phases/phase-2-cli.md
docs/roadmap/phases/phase-3-desktop.md
docs/roadmap/phases/phase-4-vscode.md
docs/roadmap/README.md
docs/roadmap/current.md
docs/project-structure.md
docs/tutorials/README.md
docs/tutorials/cli/start-a-chat-session.md
docs/README.md
docs/reference/README.md
docs/reference/contracts/README.md
docs/standards/architectural-principles.md
docs/standards/documentation-style.md
docs/glossary.md
docs/vision.md
docs/uvp.md
docs/deployment-models.md
docs/AGENTS.md
CLAUDE.md
README.md
Harden tool policy and security posture around run_command, node tool narrowing, secret usage, and SSRF across all egress paths, and clarify chat-mode security scope.
  • Replace vague run_command semantics with exact-match allowedCommands by default, add optional allowedCommandGlobs, and enforce deny-all when lists are empty for both commands and http_request domains.
  • Define node-level tools: lists as narrow-only (cannot add tools beyond the agent’s grants) and enforce this via validation, tying it to ADR-0023/0029.
  • Forbid secret-typed inputs from being interpolated into prompts or tool text, clarifying that secrets only feed credentials/headers and that conversational content is not treated as managed secrets.
  • Unify SSRF protection across provider baseURL, http_request, and MCP server URLs using a single range-blocking primitive, and document HTTPS-only, exact-FQDN, and local-endpoint opt-in rules.
  • Clarify chat-mode security scope (AgentSession uses same key custody, fs_scope tier, allowedCommands, and never relaxes rules), and update security review checklists and triggers to cover http_request, MCP URLs, node tools narrowing, and secret-input handling.
docs/standards/security-review.md
docs/reference/contracts/workflow-yaml-spec.md
docs/reference/shared-core/built-in-tools.md
docs/reference/shared-core/node-types.md
docs/reference/contracts/config-spec.md
docs/reference/desktop/database-schema.md
docs/reference/cli/commands.md
docs/reference/cli/chat-session.md
docs/standards/architectural-principles.md
docs/architecture/execution-model.md
docs/standards/local-first-and-security.md
Introduce a deterministic, resource-capped expression sandbox and a workflow resource-governance model (budget, timeout, concurrency) and wire them into specs, node types, and roadmap.
  • Specify a QuickJS-wasm-based expression sandbox for condition/transform/merge_fn with no ambient globals, deterministic behavior, and CPU/memory/time caps, forbidding eval/new Function/Node vm.
  • Constrain expression_type in v1.0 to js only, marking jmespath/jsonlogic as reserved and updating node-type and workflow specs accordingly.
  • Add workflow-level budget, timeout_ms, and max_parallel fields, define pre-egress cost estimation and on_exceed policies (fail/pause_for_approval/warn), and distinguish this from Phase-2 managed billing.
  • Extend the SSE event schema with budget:warning, budget:paused, and run:timeout events, plus reserved loop/steering events and an ErrorCode taxonomy, and update IPC with resume_budget.
  • Update roadmap/milestones to add expression sandbox and resource governor work items (1.AB/1.AC) on the engine critical path and document acceptance criteria.
docs/reference/contracts/workflow-yaml-spec.md
docs/reference/shared-core/node-types.md
docs/reference/contracts/sse-event-schema.md
docs/reference/contracts/ipc-contract.md
docs/architecture/shared-core-engine.md
docs/architecture/execution-model.md
docs/standards/security-review.md
docs/roadmap/phases/phase-1-engine-and-llm.md
docs/roadmap/README.md
docs/decisions/0027-expression-sandbox.md
docs/decisions/0028-workflow-resource-governance.md
Refine desktop and VS Code surface scopes to add co-equal chat panels while preserving the “desktop is not an IDE” constraint, and align routes, stores, and roadmap milestones.
  • Add desktop /chat and /chat/:sessionId routes as co-equal tabs with the Canvas, clarify Dashboard remains the neutral landing, and describe chat behavior (session list, streaming transcript, Export-to-Canvas).
  • Define VS Code’s chat panel as an AgentSession-based WebviewPanel with persistence via history.db, export-to-workflow support, and onChat* events projecting session:* events, while keeping workflow triggering features intact.
  • Clarify state-management/store-shapes to keep sessions DB-first (no new global store), adding only activeSessionId to uiStore and emphasizing co-equal Chat/Canvas tabs.
  • Amend ADR-0007 with ADR-0025, drawing a precise line between allowed agent capabilities (chat, steering) and forbidden IDE shell features (editor, file tree, terminal).
  • Adjust desktop and VS Code phase roadmaps/milestones to add chat panel, steering, export-to-canvas, and chat export/persistence tasks, renumbering milestone IDs accordingly.
docs/reference/desktop/routes-and-screens.md
docs/reference/desktop/README.md
docs/reference/vscode/README.md
docs/reference/vscode/extension-api.md
docs/reference/shared-core/store-shapes.md
docs/architecture/state-management.md
docs/decisions/0007-desktop-is-not-an-ide.md
docs/decisions/0025-agent-surface-refines-desktop-scope.md
docs/roadmap/phases/phase-3-desktop.md
docs/roadmap/phases/phase-4-vscode.md
docs/roadmap/README.md
docs/product-constraints.md
Update vision, UVP, roadmap, and analysis docs to reflect the agent-first pivot, chat-to-workflow continuum, and competitive positioning, including a new competitive landscape analysis.
  • Rephrase product vision and core concepts to emphasize starting in conversation, then exporting to git-native workflows, and highlight two co-equal engine entry points (AgentSession and WorkflowEngine).
  • Expand UVP and positioning to add chat-first as a core property, describe chat-to-workflow export as a differentiator, and update the competitive framing against chat-first tools like Claude Code.
  • Introduce a new dated competitive landscape analysis that centers the two-entry-point thesis (chat + workflow) and supersedes the 2026-06-03 analysis, updating analysis index references.
  • Align roadmap descriptions (current and global milestones) with the agent-first pivot, the re-ordered M1/M2 milestones, and the agent-first sub-spine, and fix the M1/M2 inversion bug in roadmap/README.
  • Update AGENTS/CLAUDE and top-level docs to describe Relavium as an AI agent platform (not just workflow), articulate the agent-first + workflow continuum, and link to new ADRs/specs.
docs/vision.md
docs/uvp.md
docs/glossary.md
docs/analysis/competitive-landscape-2026-06-05.md
docs/analysis/README.md
docs/roadmap/current.md
docs/roadmap/README.md
docs/deployment-models.md
docs/tutorials/README.md
docs/AGENTS.md
CLAUDE.md
docs/README.md

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@coderabbitai

coderabbitai Bot commented Jun 5, 2026

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 84659f9b-d61f-45a7-ba4d-0f5b80558e96

📥 Commits

Reviewing files that changed from the base of the PR and between 2508fc0 and 9e9d3b6.

📒 Files selected for processing (2)
  • docs/architecture/multi-llm-providers.md
  • docs/roadmap/phases/phase-1-engine-and-llm.md

📝 Walkthrough

Walkthrough

This PR updates documentation and ADRs to pivot Relavium to an agent-first + workflow platform: introduces AgentSession as a co-equal engine entry point, defines session persistence/export contracts, tightens sandboxing/tool/security policies, and integrates session behavior across CLI, desktop, VS Code, contracts, and the roadmap.

Changes

Agent-First Platform Pivot

Layer / File(s) Summary
Platform Conceptual Reframing
AGENTS.md, CLAUDE.md, README.md, docs/README.md, docs/vision.md, docs/uvp.md, docs/glossary.md, docs/product-constraints.md
Platform repositioned as a multi-surface AI agent platform with two co-equal entry points (AgentSession and WorkflowEngine); updated intro, tagline, proof points, glossary, and desktop scope clarifications.
AgentSession Architecture & Shared Substrate
docs/architecture/agent-sessions.md, docs/architecture/shared-core-engine.md, docs/architecture/overview.md, docs/architecture/execution-model.md, docs/architecture/state-management.md, docs/project-structure.md
Documents AgentSession lifecycle (start/sendMessage/cancel/resume/export), session persistence to encrypted history.db (agent_sessions/session_messages), SessionContext, tool-policy alignment (narrowing-only, no secret interpolation, SSRF rules), and shared substrate reuse.
Architectural Decisions & Standards
docs/decisions/0024-0029, docs/decisions/0007, docs/decisions/0009, docs/decisions/0011, docs/decisions/README.md, docs/standards/architectural-principles.md, docs/standards/documentation-style.md, docs/standards/security-review.md
Adds ADRs 0024–0029 (AgentSession entry point, desktop surface scope, session export, expression sandbox QuickJS-wasm, workflow resource governance, tool-policy hardening); updates prior ADRs and standards to require shared-substrate reuse and canonical contract locations.
Runtime Contracts & Specifications
docs/reference/contracts/agent-session-spec.md, docs/reference/contracts/workflow-yaml-spec.md, docs/reference/contracts/config-spec.md, docs/reference/contracts/ipc-contract.md, docs/reference/contracts/sse-event-schema.md, docs/reference/contracts/agent-yaml-spec.md, docs/reference/README.md, docs/reference/contracts/README.md
Adds canonical AgentSession spec (lifecycle, SessionMessage/Context shapes, export mapping), extends workflow YAML with resource guardrails/validation/strict expression semantics, adds session IPC commands, and extends SSE RunEvent union with governance events.
Surface-Specific Implementation
docs/reference/cli/chat-session.md, docs/reference/cli/commands.md, docs/reference/cli/README.md, docs/reference/desktop/routes-and-screens.md, docs/reference/desktop/database-schema.md, docs/reference/desktop/README.md, docs/reference/vscode/extension-api.md, docs/reference/vscode/README.md, docs/deployment-models.md, docs/tutorials/README.md, docs/tutorials/cli/start-a-chat-session.md
Documents relavium chat REPL (multi-turn streaming, /exit /export /cancel, exit code 4), desktop /chat route and export-to-canvas, VS Code chat panel commands/events/settings, desktop DB schema additions for sessions/messages, and tutorial content.
Roadmap & Execution Integration
docs/roadmap/README.md, docs/roadmap/current.md, docs/roadmap/phases/phase-1-engine-and-llm.md, docs/roadmap/phases/phase-2-cli.md, docs/roadmap/phases/phase-3-desktop.md, docs/roadmap/phases/phase-4-vscode.md, docs/roadmap/phases/phase-6-cloud-execution-portal.md
Reframes milestones: M1 = LLM seam first, M2 = engine e2e; adds parallel agent-first sub-spine, expression sandbox, resource governor work items, and schedules CLI/desktop/VS Code session workstreams as integrated phases.
Strategic Positioning & Competitive Landscape
docs/analysis/README.md, docs/analysis/competitive-landscape-2026-06-05.md
New competitive analysis and updated UVP documenting four-surface + two-entry-point thesis, competitor matrix, and strategic takeaways emphasizing chat→workflow continuum.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs:

  • HodeTech/Relavium#2: SSE/event-contract documentation changes related to RunEvent/attemptNumber and correlation semantics likely overlap with the event-schema updates in this PR.

"🐰 From burrow to build, I hopped and penned,
Two doors to the engine, now one friend to trend.
Sessions that persist, then export to a file,
A scaffolded workflow makes reviewers smile.
Hoppity hooray — ship-safe, step-by-step style!"

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch development

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've reviewed your changes and they look great!


Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request establishes the "agent-first + workflow" pivot for the Relavium platform, introducing conversational AgentSessions as a first-class engine entry point alongside the WorkflowEngine. It adds specifications and architectural designs for persistent, resumable chat sessions, a chat-to-workflow export continuum, a QuickJS-wasm expression sandbox, pre-egress budget governance, and tightened tool policies. The review comments are highly constructive and should all be kept, as they identify important improvement opportunities: tracking fallback models in the database and message contracts, propagating errors in session events, refining budget estimation when max_tokens is omitted, and strictly validating transitive secret interpolation to prevent prompt leaks.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment on lines +360 to +375
| Column | Type | Constraints |
|--------|------|-------------|
| `id` | TEXT | PRIMARY KEY (UUID) |
| `session_id` | TEXT | NOT NULL REFERENCES `agent_sessions(id)` ON DELETE CASCADE |
| `sequence_number` | INTEGER | NOT NULL — monotonic per session (append-only) |
| `role` | TEXT | NOT NULL (`system`, `user`, `assistant`, `tool`) |
| `content` | TEXT | NULL |
| `content_parts` | TEXT (JSON) | NULL — multimodal/structured parts |
| `tool_calls` | TEXT (JSON) | NULL |
| `tool_call_id` | TEXT | NULL |
| `name` | TEXT | NULL |
| `finish_reason` | TEXT | NULL |
| `input_tokens` | INTEGER | NOT NULL DEFAULT 0 |
| `output_tokens` | INTEGER | NOT NULL DEFAULT 0 |
| `cost_microcents` | INTEGER | NOT NULL DEFAULT 0 |
| `created_at` | INTEGER | NOT NULL |

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Since an AgentSession can use fallback models (as described in the specs), the session_messages table should store the actual model used for each turn. Without a model_id column, the UI cannot correctly display which model generated a specific response in the history transcript once the session is reloaded.

Comment on lines +88 to +95
interface SessionMessage {
id: string;
sessionId: string;
sequenceNumber: number; // monotonic per session
role: 'system' | 'user' | 'assistant' | 'tool';
content: ContentPart[]; // text | tool_call | tool_result parts
timestamp: string; // ISO 8601
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

To support fallback model tracking in the conversation transcript, the SessionMessage interface should include an optional modelId field. This ensures the runtime representation matches the database schema and allows the UI to display the correct model for each turn.

Suggested change
interface SessionMessage {
id: string;
sessionId: string;
sequenceNumber: number; // monotonic per session
role: 'system' | 'user' | 'assistant' | 'tool';
content: ContentPart[]; // text | tool_call | tool_result parts
timestamp: string; // ISO 8601
}
interface SessionMessage {
id: string;
sessionId: string;
sequenceNumber: number; // monotonic per session
role: 'system' | 'user' | 'assistant' | 'tool';
modelId?: string; // the model that generated this message (null for user/system/tool)
content: ContentPart[]; // text | tool_call | tool_result parts
timestamp: string; // ISO 8601
}

Comment on lines +185 to +191
export type SessionEvent =
| SessionStartedEvent // 'session:started' — { agentRef, model, context }
| SessionTurnStartedEvent // 'session:turn_started' — a user message began an assistant turn
| SessionTurnCompletedEvent // 'session:turn_completed' — { stopReason, tokensUsed }
| SessionCancelledEvent // 'session:cancelled' — the in-flight turn was aborted
| SessionExportedEvent; // 'session:exported' — { workflowPath } (chat-to-workflow export)
```

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

If a session turn fails (e.g., due to a provider error or rate limit), the event stream needs to convey the error details so the UI can display a helpful error message. Adding an optional error field to SessionTurnCompletedEvent ensures proper error propagation.

Suggested change
export type SessionEvent =
| SessionStartedEvent // 'session:started' — { agentRef, model, context }
| SessionTurnStartedEvent // 'session:turn_started' — a user message began an assistant turn
| SessionTurnCompletedEvent // 'session:turn_completed' — { stopReason, tokensUsed }
| SessionCancelledEvent // 'session:cancelled' — the in-flight turn was aborted
| SessionExportedEvent; // 'session:exported' — { workflowPath } (chat-to-workflow export)
```
export type SessionEvent =
| SessionStartedEvent // 'session:started' — { agentRef, model, context }
| SessionTurnStartedEvent // 'session:turn_started' — a user message began an assistant turn
| SessionTurnCompletedEvent // 'session:turn_completed' — { stopReason, tokensUsed, error?: { code: ErrorCode, message: string } }
| SessionCancelledEvent // 'session:cancelled' — the in-flight turn was aborted
| SessionExportedEvent; // 'session:exported' — { workflowPath } (chat-to-workflow export)


### Negative

- `worstCaseNextEstimate` is an estimate (it uses `maxTokens`), so the cap is conservative — it may

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

When max_tokens is omitted on a node, using the model's absolute maximum output limit for worstCaseNextEstimate can result in extremely conservative estimates that prematurely block runs (e.g., blocking on the first turn of a small budget). Consider specifying a fallback default or requiring max_tokens on nodes when a budget is defined.

- **(b) Node tools narrow-only.** A node's `tools:` may only **intersect** (narrow) the agent's
granted tools; it can never add a tool the agent lacks. Enforced by the parser
([ADR-0023](0023-strict-authored-yaml-validation.md)).
- **(c) No secret interpolation into agent text.** `secret`-typed inputs are **rejected at parse**

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The parser must also strictly validate transitive interpolation (e.g., assigning a secret input to a context variable and then interpolating that variable into a prompt) to prevent bypassing the secret-interpolation rejection rule.

@coderabbitai

coderabbitai Bot commented Jun 5, 2026

Copy link
Copy Markdown

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
{"name":"HttpError","status":500,"request":{"method":"PATCH","url":"https://api.github.com/repos/HodeTech/Relavium/issues/comments/4628855445","headers":{"accept":"application/vnd.github.v3+json","user-agent":"octokit.js/0.0.0-development octokit-core.js/7.0.6 Node.js/24","authorization":"token [REDACTED]","content-type":"application/json; charset=utf-8"},"body":{"body":"<!-- This is an auto-generated comment: summarize by coderabbit.ai -->\n<!-- review_stack_entry_start -->\n\n[![Review Change Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/HodeTech/Relavium/pull/5?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)\n\n<!-- review_stack_entry_end -->\n<!-- This is an auto-generated comment: review in progress by coderabbit.ai -->\n\n> [!NOTE]\n> Currently processing new changes in this PR. This may take a few minutes, please wait...\n> \n> <details>\n> <summary>⚙️ Run configuration</summary>\n> \n> **Configuration used**: defaults\n> \n> **Review profile**: CHILL\n> \n> **Plan**: Pro\n> \n> **Run ID**: `8d1abb4d-201a-440d-a6cb-436abc1cc140`\n> \n> </details>\n> \n> <details>\n> <summary>📥 Commits</summary>\n> \n> Reviewing files that changed from the base of the PR and between 54551bd83c5e7fda36e0bde60a120935a8d8f5c9 and 0441d2e03ac5f12a1b069487eec14cabf0f7a936.\n> \n> </details>\n> \n> <details>\n> <summary>📒 Files selected for processing (57)</summary>\n> \n> * `AGENTS.md`\n> * `CLAUDE.md`\n> * `README.md`\n> * `docs/README.md`\n> * `docs/analysis/README.md`\n> * `docs/analysis/competitive-landscape-2026-06-05.md`\n> * `docs/architecture/agent-sessions.md`\n> * `docs/architecture/execution-model.md`\n> * `docs/architecture/overview.md`\n> * `docs/architecture/shared-core-engine.md`\n> * `docs/architecture/state-management.md`\n> * `docs/decisions/0007-desktop-is-not-an-ide.md`\n> * `docs/decisions/0009-git-native-workflow-yaml.md`\n> * `docs/decisions/0011-internal-llm-abstraction.md`\n> * `docs/decisions/0024-agent-first-entry-point-agentsession.md`\n> * `docs/decisions/0025-agent-surface-refines-desktop-scope.md`\n> * `docs/decisions/0026-session-export-to-workflow.md`\n> * `docs/decisions/0027-expression-sandbox.md`\n> * `docs/decisions/0028-workflow-resource-governance.md`\n> * `docs/decisions/0029-tool-policy-hardening.md`\n> * `docs/decisions/README.md`\n> * `docs/deployment-models.md`\n> * `docs/glossary.md`\n> * `docs/product-constraints.md`\n> * `docs/project-structure.md`\n> * `docs/reference/README.md`\n> * `docs/reference/cli/README.md`\n> * `docs/reference/cli/chat-session.md`\n> * `docs/reference/cli/commands.md`\n> * `docs/reference/contracts/README.md`\n> * `docs/reference/contracts/agent-session-spec.md`\n> * `docs/reference/contracts/agent-yaml-spec.md`\n> * `docs/reference/contracts/config-spec.md`\n> * `docs/reference/contracts/ipc-contract.md`\n> * `docs/reference/contracts/sse-event-schema.md`\n> * `docs/reference/contracts/workflow-yaml-spec.md`\n> * `docs/reference/desktop/README.md`\n> * `docs/reference/desktop/database-schema.md`\n> * `docs/reference/desktop/routes-and-screens.md`\n> * `docs/reference/shared-core/node-types.md`\n> * `docs/reference/shared-core/store-shapes.md`\n> * `docs/reference/vscode/README.md`\n> * `docs/reference/vscode/extension-api.md`\n> * `docs/roadmap/README.md`\n> * `docs/roadmap/current.md`\n> * `docs/roadmap/phases/phase-1-engine-and-llm.md`\n> * `docs/roadmap/phases/phase-2-cli.md`\n> * `docs/roadmap/phases/phase-3-desktop.md`\n> * `docs/roadmap/phases/phase-4-vscode.md`\n> * `docs/roadmap/phases/phase-6-cloud-execution-portal.md`\n> * `docs/standards/architectural-principles.md`\n> * `docs/standards/documentation-style.md`\n> * `docs/standards/security-review.md`\n> * `docs/tutorials/README.md`\n> * `docs/tutorials/cli/start-a-chat-session.md`\n> * `docs/uvp.md`\n> * `docs/vision.md`\n> \n> </details>\n> \n> ```ascii\n>  ________________________________________________________________________\n> < Obi-Wan Kenobi has taught me well. I sense a disturbance in your code. >\n>  ------------------------------------------------------------------------\n>   \\\n>    \\   \\\n>         \\ /\\\n>         ( )\n>       .( o ).\n> ```\n\n<!-- end of auto-generated comment: review in progress by coderabbit.ai -->\n\n<!-- finishing_touch_checkbox_start -->\n\n<details>\n<summary>✨ Finishing Touches</summary>\n\n<details>\n<summary>🧪 Generate unit tests (beta)</summary>\n\n- [ ] <!-- {\"checkboxId\": \"f47ac10b-58cc-4372-a567-0e02b2c3d479\", \"radioGroupId\": \"utg-output-choice-group-unknown_comment_id\"} -->   Create PR with unit tests\n- [ ] <!-- {\"checkboxId\": \"6ba7b810-9dad-11d1-80b4-00c04fd430c8\", \"radioGroupId\": \"utg-output-choice-group-unknown_comment_id\"} -->   Commit unit tests in branch `development`\n\n</details>\n\n</details>\n\n<!-- finishing_touch_checkbox_end -->\n<!-- tips_start -->\n\n---\n\n\n\n\n<sub>Comment `@coderabbitai help` to get the list of available commands and usage tips.</sub>\n\n<!-- tips_end -->"},"request":{"retryCount":3,"signal":{},"retries":3,"retryAfter":16}}}

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
CLAUDE.md (1)

38-39: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix malformed ADR range link separator.

The ADR-0012..ADR-0015 reference currently uses .. directly between two links, which reads as a formatting typo and can confuse readers. Use a clear separator (to, , or comma-separated links).

Suggested edit
- engine is identical across all three. See [ADR-0012](docs/decisions/0012-managed-inference-dual-mode.md)..[ADR-0015](docs/decisions/0015-managed-mode-data-handling-and-compliance.md)
+ engine is identical across all three. See [ADR-0012](docs/decisions/0012-managed-inference-dual-mode.md) to [ADR-0015](docs/decisions/0015-managed-mode-data-handling-and-compliance.md)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CLAUDE.md` around lines 38 - 39, The ADR link range uses a malformed
separator ("..") between two markdown links; edit the sentence containing the
ADR references (ADR-0012 and ADR-0015) to replace the ".." with a clear
separator such as "to" or an en-dash (e.g., "ADR-0012 to ADR-0015" or
"ADR-0012–ADR-0015") or list the links comma-separated so the links read clearly
(update the fragment that currently reads "ADR-0012](... )..[ADR-0015](... )" to
use the chosen separator).
🧹 Nitpick comments (3)
docs/standards/security-review.md (1)

145-179: ⚡ Quick win

Move concrete tool-policy rule definitions to docs/reference/ and keep this section as a checklist/link hub.

This section currently defines detailed normative behavior (exact-match semantics, parse-time rejection, narrowing validation) in docs/standards/, which risks divergence from canonical specs. Keep brief security requirements here and link to the authoritative reference contract sections for exact rule text.

As per coding guidelines, “Concrete specs … must live only in docs/reference/; other files must link to these definitions, never restate them.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/standards/security-review.md` around lines 145 - 179, The "Sandbox and
tool policy (`run_command`, node tools, secret inputs)" section contains
concrete normative rules (exact-match semantics for allowedCommands,
allowedCommandGlobs, node `tools:` narrowing, `secret`-typed input parse-time
rejection, etc. and citations like ADR-0029/ADR-0023) that must be moved to the
canonical reference; edit this section to remove the detailed rule text and
replace it with a short checklist and direct links to the authoritative specs in
docs/reference (e.g. point to built-in-tools.md, workflow-yaml-spec.md and
ADR-0029/ADR-0023), keeping only high-level requirements and link anchors and
ensuring mentions of symbols like run_command, allowedCommands,
allowedCommandGlobs, tools:, and secret-typed inputs remain as pointers rather
than normative definitions.
docs/roadmap/phases/phase-2-cli.md (1)

120-123: ⚡ Quick win

Avoid duplicating CLI process-contract constants in the phase roadmap.

The exact exit-code table and /exit behavior are concrete command-spec details; this file should reference docs/reference/cli/commands.md rather than restating numeric mappings.

As per coding guidelines: “Concrete specs … must live only in docs/reference/; other files must link to these definitions, never restate them.”

Also applies to: 131-132, 410-421

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/roadmap/phases/phase-2-cli.md` around lines 120 - 123, This file
duplicates CLI process-contract constants (exit codes and `/exit` behavior);
remove the numeric mappings and the `/exit` specification from phase-2-cli.md
and replace them with a single reference to the canonical definitions in
docs/reference/cli/commands.md (the same link already mentioned in the text).
Specifically, delete the explicit exit code text (exit 3 for gate-paused, exit 4
for chat session ended) and instead insert a short pointer like “See
docs/reference/cli/commands.md for exit-code and /exit behavior” so the phase
roadmap references the authoritative symbols maintained in commands.md.
docs/roadmap/phases/phase-1-engine-and-llm.md (1)

483-488: ⚡ Quick win

Prefer linking to canonical spec instead of restating behavior details here.

This section duplicates concrete contract semantics (timeout_action/on_timeout, aggregate pause semantics, pre-egress budget formula) that should stay canonical in docs/reference/**. Keep this phase doc at milestone/task level and link to the contract anchors.

As per coding guidelines: “Concrete specs … must live only in docs/reference/; other files must link to these definitions, never restate them.”

Also applies to: 582-590

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/roadmap/phases/phase-1-engine-and-llm.md` around lines 483 - 488, This
section restates concrete contract semantics (timeout_action / on_timeout
mapping, run:paused aggregate behavior, pre-egress budget formula) that must
live only in the canonical reference; remove the detailed semantics text and
replace each restatement with a short milestone-level sentence plus a link to
the authoritative anchors (referencing the human_gate-node anchor in the
workflow-yaml-spec and the relevant pre-egress budget anchor in docs/reference),
leaving only task/milestone descriptions and links; ensure the duplicate
passages at the later block (the one mentioned for lines 582-590) are updated
the same way and keep the symbols timeout_action, on_timeout and run:paused as
plain references only.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/analysis/competitive-landscape-2026-06-05.md`:
- Around line 36-38: In the sentence under "The workflow is a git-committable
file" containing the phrase ".relavium.yaml", replace the misspelled word
"revertable" with the correct word "reversible" so the line reads
"...reviewable, diffable, reversible, and shareable..." (update the markdown in
the file that contains that paragraph).

In `@docs/reference/shared-core/node-types.md`:
- Around line 128-130: The blockquote containing "The authored YAML uses
friendlier field names..." and the following "Expression languages (condition /
transform)." paragraph has an empty quoted line that triggers MD028; remove that
blank quoted separator so the two quoted paragraphs form one continuous
blockquote (i.e., join the quoted lines so there is no blank quoted line between
the YAML paragraph and the Expression languages paragraph).

In `@docs/vision.md`:
- Line 81: The docs row currently marks `relavium chat` as "(Phase 2)" but
elsewhere `AgentSession` and CLI chat are described as current functionality;
update this table cell to consistently reflect `relavium chat` as a Phase 1 /
current first-class `AgentSession` entry point (or change the other docs to
Phase 2 if you intend to delay it). Specifically, replace the "(Phase 2)"
qualifier after `relavium chat` with the matching phrase used in other docs
(e.g., "current" or "Phase 1") so references to `relavium chat` and
`AgentSession` are consistent across the documentation.

---

Outside diff comments:
In `@CLAUDE.md`:
- Around line 38-39: The ADR link range uses a malformed separator ("..")
between two markdown links; edit the sentence containing the ADR references
(ADR-0012 and ADR-0015) to replace the ".." with a clear separator such as "to"
or an en-dash (e.g., "ADR-0012 to ADR-0015" or "ADR-0012–ADR-0015") or list the
links comma-separated so the links read clearly (update the fragment that
currently reads "ADR-0012](... )..[ADR-0015](... )" to use the chosen
separator).

---

Nitpick comments:
In `@docs/roadmap/phases/phase-1-engine-and-llm.md`:
- Around line 483-488: This section restates concrete contract semantics
(timeout_action / on_timeout mapping, run:paused aggregate behavior, pre-egress
budget formula) that must live only in the canonical reference; remove the
detailed semantics text and replace each restatement with a short
milestone-level sentence plus a link to the authoritative anchors (referencing
the human_gate-node anchor in the workflow-yaml-spec and the relevant pre-egress
budget anchor in docs/reference), leaving only task/milestone descriptions and
links; ensure the duplicate passages at the later block (the one mentioned for
lines 582-590) are updated the same way and keep the symbols timeout_action,
on_timeout and run:paused as plain references only.

In `@docs/roadmap/phases/phase-2-cli.md`:
- Around line 120-123: This file duplicates CLI process-contract constants (exit
codes and `/exit` behavior); remove the numeric mappings and the `/exit`
specification from phase-2-cli.md and replace them with a single reference to
the canonical definitions in docs/reference/cli/commands.md (the same link
already mentioned in the text). Specifically, delete the explicit exit code text
(exit 3 for gate-paused, exit 4 for chat session ended) and instead insert a
short pointer like “See docs/reference/cli/commands.md for exit-code and /exit
behavior” so the phase roadmap references the authoritative symbols maintained
in commands.md.

In `@docs/standards/security-review.md`:
- Around line 145-179: The "Sandbox and tool policy (`run_command`, node tools,
secret inputs)" section contains concrete normative rules (exact-match semantics
for allowedCommands, allowedCommandGlobs, node `tools:` narrowing,
`secret`-typed input parse-time rejection, etc. and citations like
ADR-0029/ADR-0023) that must be moved to the canonical reference; edit this
section to remove the detailed rule text and replace it with a short checklist
and direct links to the authoritative specs in docs/reference (e.g. point to
built-in-tools.md, workflow-yaml-spec.md and ADR-0029/ADR-0023), keeping only
high-level requirements and link anchors and ensuring mentions of symbols like
run_command, allowedCommands, allowedCommandGlobs, tools:, and secret-typed
inputs remain as pointers rather than normative definitions.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8d1abb4d-201a-440d-a6cb-436abc1cc140

📥 Commits

Reviewing files that changed from the base of the PR and between 54551bd and 0441d2e.

📒 Files selected for processing (57)
  • AGENTS.md
  • CLAUDE.md
  • README.md
  • docs/README.md
  • docs/analysis/README.md
  • docs/analysis/competitive-landscape-2026-06-05.md
  • docs/architecture/agent-sessions.md
  • docs/architecture/execution-model.md
  • docs/architecture/overview.md
  • docs/architecture/shared-core-engine.md
  • docs/architecture/state-management.md
  • docs/decisions/0007-desktop-is-not-an-ide.md
  • docs/decisions/0009-git-native-workflow-yaml.md
  • docs/decisions/0011-internal-llm-abstraction.md
  • docs/decisions/0024-agent-first-entry-point-agentsession.md
  • docs/decisions/0025-agent-surface-refines-desktop-scope.md
  • docs/decisions/0026-session-export-to-workflow.md
  • docs/decisions/0027-expression-sandbox.md
  • docs/decisions/0028-workflow-resource-governance.md
  • docs/decisions/0029-tool-policy-hardening.md
  • docs/decisions/README.md
  • docs/deployment-models.md
  • docs/glossary.md
  • docs/product-constraints.md
  • docs/project-structure.md
  • docs/reference/README.md
  • docs/reference/cli/README.md
  • docs/reference/cli/chat-session.md
  • docs/reference/cli/commands.md
  • docs/reference/contracts/README.md
  • docs/reference/contracts/agent-session-spec.md
  • docs/reference/contracts/agent-yaml-spec.md
  • docs/reference/contracts/config-spec.md
  • docs/reference/contracts/ipc-contract.md
  • docs/reference/contracts/sse-event-schema.md
  • docs/reference/contracts/workflow-yaml-spec.md
  • docs/reference/desktop/README.md
  • docs/reference/desktop/database-schema.md
  • docs/reference/desktop/routes-and-screens.md
  • docs/reference/shared-core/node-types.md
  • docs/reference/shared-core/store-shapes.md
  • docs/reference/vscode/README.md
  • docs/reference/vscode/extension-api.md
  • docs/roadmap/README.md
  • docs/roadmap/current.md
  • docs/roadmap/phases/phase-1-engine-and-llm.md
  • docs/roadmap/phases/phase-2-cli.md
  • docs/roadmap/phases/phase-3-desktop.md
  • docs/roadmap/phases/phase-4-vscode.md
  • docs/roadmap/phases/phase-6-cloud-execution-portal.md
  • docs/standards/architectural-principles.md
  • docs/standards/documentation-style.md
  • docs/standards/security-review.md
  • docs/tutorials/README.md
  • docs/tutorials/cli/start-a-chat-session.md
  • docs/uvp.md
  • docs/vision.md

Comment thread docs/analysis/competitive-landscape-2026-06-05.md
Comment thread docs/reference/shared-core/node-types.md
Comment thread docs/vision.md Outdated
cemililik and others added 3 commits June 5, 2026 10:05
Verified each finding against the docs; fixed the still-valid ones, skipped the rest.

Fixed:
- competitive-landscape: "revertable" → "reversible".
- node-types: MD028 — join the two adjacent blockquotes (engine-config note +
  expression-languages note) into one continuous quote.
- CLAUDE.md: malformed ".." between ADR-0012/ADR-0015 links → "to".
- Session model tracking: add session_messages.model_id + SessionMessage.modelId?
  (fallback-aware — transcript shows which model answered each turn).
- Session error propagation: session:turn_completed gains optional error? (ErrorCode
  taxonomy) so a failed turn is conveyed, not a silent stall.
- ADR-0028: when a node omits maxTokens, the pre-egress estimate uses a configured
  per-call default (not the model's absolute max, which would over-block).
- ADR-0029(c): secret-no-interpolation is transitive (taint-tracked through context
  entries / derived values), mirrored in workflow-yaml-spec + security-review.
- phase-1 1.AC: drop the restated budget formula; point to ADR-0028 (one canonical home).

Skipped (with reason):
- vision `relavium chat` "(Phase 2)" — correct: it is the Phase-2 CLI workstream (2.M);
  the AgentSession engine is Phase 1 but the CLI command is Phase 2; no doc calls it current.
- phase-2 exit-code map — kept: §2.A is the CLI process-contract workstream, already names
  commands.md as canonical, and the maintainer's review explicitly asked to reflect exit-4 here.
- security-review §sandbox-and-tool-policy — kept: it is the binding security standard;
  stating normative rules is its role (ADR-0029 names it the binding home). Field defs are cited.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…+ fix consistency defects

Verified each finding from the two review passes; fixed the clear consistency/completeness
defects (design/business calls deferred to the maintainer).

- tech-stack.md: add the QuickJS-wasm row ADR-0027 says lives here (the engine's first runtime
  dependency was unrecorded — non-negotiable #2/#8).
- built-in-tools.md: propagate ADR-0029 — run_command exact-match, http_request HTTPS-only +
  exact-FQDN allowedDomains + deny-all-when-empty + SSRF range-block (the promised pointer home).
- mcp-integration.md: add the MCP-URL SSRF pointer; note the localhost example needs a local-endpoint
  opt-in (it was a config the new rule would reject).
- sse-event-schema.md: resolve the envelope contradiction — BaseEvent carries runId? | sessionId?
  (exactly one), so reused agent:*/cost:* events ride a session legitimately; document the full
  typed session stream (5 session:* + agent:*/cost:* on sessionId) a chat --json consumer sees.
- store-shapes.md: runStore token buffer is now per-node (Record<NodeId,string>) — a single global
  buffer corrupts parallel-node streaming, per state-management.md.
- extension-api.md: drop the forked .relavium/permissions.yaml allowlist; the VS Code prompt appends
  to the canonical workflow.tools.allowedCommands (ADR-0029) — one allowlist home across surfaces.
- workflow-yaml-spec.md: top-level tools summary now matches the detail (allowedDomains required to
  use http_request, deny-all-when-empty); add a durable workflow.metadata field.
- transcript durability: session export preserves the transcript in workflow.metadata (a schema
  field that survives round-trips), not fragile YAML comments (agent-session-spec + ADR-0026).
- current.md: scope "adds no work to M1/M2" to the agent sub-spine; the sandbox 1.AB is new
  M2-critical-path work that raises 1.m4.
- budget resume cross-surface: add `relavium budget resume` (CLI) + relavium.resumeBudget (VS Code)
  so ADR-0028's budget:paused has an operator path beyond desktop IPC.

Refs ADR-0026/0027/0028/0029.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Maintainer-approved resolutions to the genuine design/strategy questions the two reviews surfaced.

- D1 — cross-surface session persistence: history.db is the canonical store (the
  resume-anywhere differentiator). Phase-4 4.M now persists to history.db (not extension
  state); the VS Code/CLI Node hosts open the SQLCipher DB via a wasm SQLite build (no
  native module → respects ADR-0003), documented as a "Cross-host access" note in
  database-schema.md. Resolves the agent-sessions/extension-api ↔ 4.M contradiction.
- D2 — file_patch is now a canonical event: add `agent:file_patch_proposed` to the
  RunEvent union + table (gated; no write until accepted); extension-api references it
  instead of inventing `filePatchProposed`. One canonical home.
- D3 — chat-session budget: ADR-0028's governor now applies to sessions via a per-session
  `[chat].max_cost_microcents` + `on_exceed` (config-spec + agent-session-spec), so
  "both entry points inherit resource governance" (ADR-0024) is literally true and
  open-ended chat fails safe.
- D4 — phase disambiguation + CLI-chat milestone: `relavium chat` is a Product-Phase-1
  surface built in build phase 2 (not Product Phase 2 / cloud). Fixed the misleading
  "(Phase 2)" tags in vision/project-structure/tutorials, qualified the "Killer Features
  (Phase 1)" engine-vs-surface distinction, and firmed the phase-2 in-phase milestone as
  the first user-facing AgentSession surface (a committed build-phase-2 deliverable).
- D5 — positioning: added an explicit risk/caveat to the competitive analysis — chat is
  the most contested surface; the moat is the chat→workflow continuum + git-native
  artifact + local-first, not conversational parity. Made the bet with eyes open.

Refs ADR-0024/0026/0028/0029.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/reference/contracts/sse-event-schema.md`:
- Around line 29-36: The docs and shared schema diverge:
BaseEventSchema/baseFields currently require runId and lack sessionId while the
doc states exactly one of runId/sessionId is present and sequenceNumber is
monotonic per run OR per session; update the shared schema in
packages/shared/src/run-event.ts to match the spec by making runId optional,
adding sessionId?: string, and model the envelope as a union or
runtime-validated shape that enforces "exactly one of runId or sessionId" (e.g.,
two interfaces RunEnvelope { runId: string; sessionId?: undefined } and
SessionEnvelope { sessionId: string; runId?: undefined } and export type
BaseEvent = RunEnvelope | SessionEnvelope), then audit any usages of
BaseEventSchema/baseFields and functions that assumed runId to handle the
sessionId branch, and confirm documentation text about sequenceNumber
monotonicity matches the behavior (per-run or per-session) or adjust the doc
instead if you prefer the code’s current semantics.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f68fb29b-01fe-4d1a-9375-e8e875628271

📥 Commits

Reviewing files that changed from the base of the PR and between aeff8aa and 7c07267.

📒 Files selected for processing (21)
  • docs/analysis/competitive-landscape-2026-06-05.md
  • docs/decisions/0026-session-export-to-workflow.md
  • docs/decisions/0028-workflow-resource-governance.md
  • docs/project-structure.md
  • docs/reference/cli/commands.md
  • docs/reference/contracts/agent-session-spec.md
  • docs/reference/contracts/config-spec.md
  • docs/reference/contracts/sse-event-schema.md
  • docs/reference/contracts/workflow-yaml-spec.md
  • docs/reference/desktop/database-schema.md
  • docs/reference/shared-core/built-in-tools.md
  • docs/reference/shared-core/mcp-integration.md
  • docs/reference/shared-core/store-shapes.md
  • docs/reference/vscode/extension-api.md
  • docs/roadmap/current.md
  • docs/roadmap/phases/phase-2-cli.md
  • docs/roadmap/phases/phase-4-vscode.md
  • docs/tech-stack.md
  • docs/tutorials/README.md
  • docs/tutorials/cli/start-a-chat-session.md
  • docs/vision.md
✅ Files skipped from review due to trivial changes (13)
  • docs/reference/shared-core/mcp-integration.md
  • docs/tech-stack.md
  • docs/tutorials/cli/start-a-chat-session.md
  • docs/tutorials/README.md
  • docs/project-structure.md
  • docs/roadmap/phases/phase-4-vscode.md
  • docs/roadmap/phases/phase-2-cli.md
  • docs/decisions/0026-session-export-to-workflow.md
  • docs/roadmap/current.md
  • docs/reference/contracts/config-spec.md
  • docs/analysis/competitive-landscape-2026-06-05.md
  • docs/decisions/0028-workflow-resource-governance.md
  • docs/reference/contracts/agent-session-spec.md
🚧 Files skipped from review as they are similar to previous changes (4)
  • docs/reference/cli/commands.md
  • docs/reference/desktop/database-schema.md
  • docs/vision.md
  • docs/reference/contracts/workflow-yaml-spec.md

Comment on lines +29 to +36
runId?: string; // correlation key on a workflow RUN (omitted on a session)
sessionId?: string; // correlation key on an agent SESSION (omitted on a run)
timestamp: string; // ISO 8601
sequenceNumber: number; // monotonically increasing per run
sequenceNumber: number; // monotonic per run OR per session
}
```

> **Correlation key.** Exactly one of `runId` / `sessionId` is present — `runId` on a workflow run, `sessionId` on an agent session. The reused `agent:token` / `agent:tool_call` / `agent:tool_result` / `cost:updated` events carry `runId` on a run and `sessionId` on a session; consumers route on whichever is present.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Check BaseEvent schema and related session/run envelope fields"
fd run-event.ts | xargs -I{} sh -c 'echo "== {} =="; sed -n "1,120p" "{}"'

echo
echo "Find required runId/sessionId usage in shared event schemas"
rg -n -C3 "runId|sessionId|sequenceNumber|BaseEventSchema" packages/shared/src

Repository: HodeTech/Relavium

Length of output: 9913


Fix spec/schema drift in SSE base envelope (runId/sessionId) and sequenceNumber monotonicity.

docs/reference/contracts/sse-event-schema.md (lines 29–36) claims “exactly one of runId / sessionId is present” and that sequenceNumber is “monotonic per run OR per session”, but packages/shared/src/run-event.ts defines the base envelope with runId required (BaseEventSchema/baseFields) and provides no sessionId; it also documents the stream as “Every run produces one ordered stream” (so sequenceNumber is per run). Reconcile the doc with the shared schema (or update the shared schema to include sessionId).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/contracts/sse-event-schema.md` around lines 29 - 36, The docs
and shared schema diverge: BaseEventSchema/baseFields currently require runId
and lack sessionId while the doc states exactly one of runId/sessionId is
present and sequenceNumber is monotonic per run OR per session; update the
shared schema in packages/shared/src/run-event.ts to match the spec by making
runId optional, adding sessionId?: string, and model the envelope as a union or
runtime-validated shape that enforces "exactly one of runId or sessionId" (e.g.,
two interfaces RunEnvelope { runId: string; sessionId?: undefined } and
SessionEnvelope { sessionId: string; runId?: undefined } and export type
BaseEvent = RunEnvelope | SessionEnvelope), then audit any usages of
BaseEventSchema/baseFields and functions that assumed runId to handle the
sessionId branch, and confirm documentation text about sequenceNumber
monotonicity matches the behavior (per-run or per-session) or adjust the doc
instead if you prefer the code’s current semantics.

cemililik and others added 2 commits June 5, 2026 11:40
…o DoD/deps/exit/risks + 2 specs

The pivot added workstreams 1.V–1.AC to the Phase-1 work-breakdown + milestones, but the
Definition-of-Done, Dependencies, Exit-criteria, and Risks sections were never updated to match —
leaving Phase 1 internally inconsistent at its go/no-go gate. This closes that, plus two small
open specs the readiness analysis surfaced.

Phase-1 doc (consistency):
- DoD: now includes the QuickJS-wasm sandbox (1.AB) + pre-egress budget governor (1.AC) and the
  agent-first sub-spine proven by its own 1.AA harness.
- Dependencies: mermaid shows CORE incl. 1.AB/1.AC + the parallel sub-spine → 1.AA → Phase 2;
  bullets add the agent-session contract, [chat] defaults, the pivot/hardening ADRs (0024/0026/
  0027/0028/0029), and the QuickJS-wasm runtime dependency.
- Exit criteria: add #6 sandbox proven, #7 budget governor blocks before egress, #8 sub-spine
  passes the 1.AA harness (additive — does not gate M2).
- Risks: add expression-sandbox perf/determinism and the new session-lifecycle/persistence rows.

Open specs closed:
- B5 — QuickJS-wasm package: name the candidate (quickjs-emscripten) and make a perf spike 1.AB's
  first task; recorded in tech-stack.md.
- B6 — pre-egress estimate default: give it a canonical home, [defaults].max_tokens_estimate
  (config-spec), referenced from ADR-0028 (so 1.AC is deterministic to implement).
- B7 — agent_sessions.model_id is the configured primary model; the fallback-aware per-turn model
  is session_messages.model_id.

(The schema-migration drift gate for the new session tables was already noted in 1.X.)

Refs ADR-0024/0026/0027/0028/0029.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
A multi-agent Phase-1 readiness review (6 dimensions, adversarially verified: 27 confirmed) found
Phase 1 is go-with-fixes — the root cause being that @relavium/shared (frozen 2026-06-04) drifted from
the contracts the pivot hardened the next day. These are the doc/plan fixes that close the gate; the
actual schema reconciliation is now an explicit first Phase-1 workstream (1.L.0), not silent drift.

Must-fix:
- 1.L.0 (new, do-first): reconcile @relavium/shared to the 2026-06-05 contract — authored-YAML fields
  (metadata/budget/timeout_ms/max_parallel/system_prompt_append/output_schema/allowedCommandGlobs/
  input.validation), the 5 missing run-events + SessionEvent union with an exactly-one-of
  runId|sessionId envelope (discriminated RunEnvelope|SessionEnvelope + baseFields usage audit),
  attemptNumber on 3 events, the closed ErrorCode enum + retryable on run:failed, [defaults].max_tokens_
  estimate + [chat], RUN_EVENT_TYPES + the count-pinned test. (Also resolves the inline review comment
  on the run-event envelope.)
- 1.L2 (new): the {{…}} interpolation/templating engine (resolver + pipe filters + eager-once frozen
  context + transitive parse-time secret taint, ADR-0029c) — previously unowned.
- Expression-sandbox scope object defined once in ADR-0027 (inputs/ctx/run.outputs keyed by node id,
  secrets excluded; {{…}} is separate templating); node-types bare `output` example fixed to run.outputs.
- Checkpointer is event-sourced from step_executions + run_events (+ messages) — no checkpoint table;
  reconciled across execution-model, shared-core-engine, database-schema, and the 1.R pointer.
- Canonical supported-model matrix + prices home is packages/llm/src/pricing.ts (seeded into the empty
  model_catalog); 1.B and multi-llm-providers repointed at it.
- README global spine reconciled: M1 = seam + 3 adapters (fallback/cost are 1.m2), M2 includes the
  sandbox (1.AB) + budget governor (1.AC) + the parallel sub-spine (1.m5).
- Work-breakdown DAG: T->O (registry before the AgentRunner tool loop), Q->AC (gate seam for
  pause_for_approval), P->U; 1.U/1.AB acceptance no longer over-claims the 3-node harness exercises the
  sandbox.

In-phase fixes folded in: DoD rescope, 1.Z WorkflowDefinition->YAML emitter made explicit, milestone
1.m3 includes 1.L.0/1.L2, sub-spine label 1.V–1.AA, QuickJS "pinned by the 1.AB spike", expression
syntax-error surfaces at the sandbox not parse. Deferred (low, genuinely in-phase): J->K edge relaxation
and critical-path tag consistency.

Refs the phase-1 readiness review; ADR-0023/0026/0027/0028/0029.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
docs/roadmap/phases/phase-1-engine-and-llm.md (1)

395-416: ⚡ Quick win

Reduce schema restatement in roadmap; link to canonical contracts instead.

This section now embeds detailed field-by-field contract requirements (event variants/envelopes/config enums), which is likely to drift from docs/reference/contracts/*. Keep roadmap text outcome-focused and link to the canonical specs for exact shapes.

As per coding guidelines, “Use relative links in documentation and avoid restating canonical specs; link to specs in docs/reference/ instead”.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/roadmap/phases/phase-1-engine-and-llm.md` around lines 395 - 416, The
roadmap currently restates detailed contract shapes (e.g.,
RunEnvelope/SessionEnvelope, BaseEventSchema, ErrorCode enum,
ProjectConfigSchema, RUN_EVENT_TYPES, run-event.test.ts) — remove the
field-by-field specs and replace with concise outcome-focused text that refers
readers to the canonical contract files under docs/reference/contracts (use
relative links) for exact schemas and enums; keep a short bulleted list of what
will change (e.g., add five run/session variants, discriminated envelope, add
attemptNumber and retryable, update RUN_EVENT_TYPES) and update the comment
about decidedBy, but do not duplicate schema details in
phase-1-engine-and-llm.md.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/architecture/multi-llm-providers.md`:
- Around line 146-152: Clarify that pricing.ts is the single source-of-truth for
canonical model ids, context windows, and per-token pricing, and that
model_catalog is only a seeded projection/read-model used for UI display via
providerStore; explicitly state that adapters and CostTracker read pricing data
from pricing.ts (not model_catalog) and that model_catalog must not be treated
as the authoritative pricing contract to avoid drift.

In `@docs/roadmap/phases/phase-1-engine-and-llm.md`:
- Around line 710-712: The roadmap bullet that references database-schema.md as
the model-pricing catalog is inconsistent with the phase plan which designates
packages/llm/src/pricing.ts as the source of truth; update the dependency bullet
to reference packages/llm/src/pricing.ts (or explicitly state that
database-schema.md mirrors the definitions in packages/llm/src/pricing.ts) so
the pricing-source is unambiguous and consistent with the phase definition.

---

Nitpick comments:
In `@docs/roadmap/phases/phase-1-engine-and-llm.md`:
- Around line 395-416: The roadmap currently restates detailed contract shapes
(e.g., RunEnvelope/SessionEnvelope, BaseEventSchema, ErrorCode enum,
ProjectConfigSchema, RUN_EVENT_TYPES, run-event.test.ts) — remove the
field-by-field specs and replace with concise outcome-focused text that refers
readers to the canonical contract files under docs/reference/contracts (use
relative links) for exact schemas and enums; keep a short bulleted list of what
will change (e.g., add five run/session variants, discriminated envelope, add
attemptNumber and retryable, update RUN_EVENT_TYPES) and update the comment
about decidedBy, but do not duplicate schema details in
phase-1-engine-and-llm.md.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 304d92ef-55b7-4acf-a725-09ed1e911912

📥 Commits

Reviewing files that changed from the base of the PR and between 7c07267 and 2508fc0.

📒 Files selected for processing (11)
  • docs/architecture/execution-model.md
  • docs/architecture/multi-llm-providers.md
  • docs/architecture/shared-core-engine.md
  • docs/decisions/0027-expression-sandbox.md
  • docs/decisions/0028-workflow-resource-governance.md
  • docs/reference/contracts/config-spec.md
  • docs/reference/desktop/database-schema.md
  • docs/reference/shared-core/node-types.md
  • docs/roadmap/README.md
  • docs/roadmap/phases/phase-1-engine-and-llm.md
  • docs/tech-stack.md
✅ Files skipped from review due to trivial changes (4)
  • docs/tech-stack.md
  • docs/decisions/0027-expression-sandbox.md
  • docs/reference/shared-core/node-types.md
  • docs/decisions/0028-workflow-resource-governance.md
🚧 Files skipped from review as they are similar to previous changes (4)
  • docs/reference/contracts/config-spec.md
  • docs/architecture/execution-model.md
  • docs/roadmap/README.md
  • docs/architecture/shared-core-engine.md

Comment thread docs/architecture/multi-llm-providers.md
Comment thread docs/roadmap/phases/phase-1-engine-and-llm.md Outdated
Resolve review feedback on the model-pricing canonical home. Three spots
implied database-schema.md / model_catalog was the authoritative pricing
catalog, contradicting pricing.ts as the in-code source of truth:

- multi-llm-providers.md header callout said the catalog "is canonical in
  database-schema.md" — now names packages/llm/src/pricing.ts, seeded into
  the model_catalog display projection.
- phase-1 frozen-contracts bullet called database-schema.md "the
  model-pricing catalog" — now the model_catalog table seeded from
  pricing.ts (the source of truth for ids, context windows, pricing).

Also trim the inline run/session envelope type definition in 1.L.0 to an
outcome + spec link, per the one-canonical-home rule (sse-event-schema.md
owns the shape). Skipped the already-addressed pricing clarification at
multi-llm-providers.md:146-152.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@sonarqubecloud

sonarqubecloud Bot commented Jun 5, 2026

Copy link
Copy Markdown

@cemililik cemililik merged commit 43f7348 into main Jun 5, 2026
6 of 7 checks passed
cemililik added a commit that referenced this pull request Jun 25, 2026
… status, defer log, concurrency)

Five review findings on the CLI media surface (all low/nit):

- #12 (nit, 3-lens): wireSaveToPort called mkdirSync on every write (blocking sync I/O in an async
  port) while the JSDoc implied once-only. Switch to await mkdir (node:fs/promises) — matches the
  FilesystemMediaStore.put pattern, keeps the port non-blocking — and reword the JSDoc to "every write".
- #13 (nit): TERMINAL_RUN_STATUSES typed Set<RunStatus> (was Set<string>), so a misspelled status is a
  compile error and .has() narrows the closed union.
- #7 (low): createWorkflowModelCatalog deferred silently on a CapabilityFlagsSchema.safeParse failure —
  indistinguishable from "model absent". Add an optional, per-model-deduped, secret-free warn sink
  (model id + Zod issue messages) threaded from run/gate via io.writeErr, so a future schema evolution
  that invalidates previously-valid rows is observable. Still fail-open (FallbackChain backstop).
- #6 (low): document the grace-window soft-delete→unlink resurrection gap (within ADR-0042 §3
  best-effort) so a future graceMs shortening triggers a re-verify-before-delete.
- #5 companion (low, PERF-CONCURRENCY-2): the grace-reclaim and orphan-sweep CAS deletes ran one await
  at a time on the exit path — fan them out with Promise.all (independent unlinks).

Refs: ADR-0042

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant