refactor(core): ♻️ Decompose agent runtime modules

[HayWolf]

Summary

• Split large Rust runtime and extension modules into focused companion files while preserving facade-style public APIs.
• Extract reusable workbench UI helpers/components from runtime-thread-surface.tsx and dashboard-workbench.tsx.
• Update agent-facing project structure guidance in AGENTS.md.

Test Plan

• cargo fmt --manifest-path src-tauri/Cargo.toml --check
• cargo test --manifest-path src-tauri/Cargo.toml — 499 unit + 197 integration tests passed, matching the Phase 0 baseline.
• npm run typecheck
• npm run test:unit — 20 files / 213 tests passed.
• npm run build:web — passed with existing Vite chunk-size warnings.

🤖 Generated with TiyCode

[github-actions]

AI Code Review Summary

PR: #136 (refactor(core): ♻️ Decompose agent runtime modules)
Preferred language: English

Overall Assessment

Detected 22 actionable findings, prioritize CRITICAL/HIGH before merge.

Major Findings by Severity

• CRITICAL (1)
  • src-tauri/src/core/agent_run_event_handler.rs:102 - agent_run_event_handler.rs has zero test coverage for the main event handler
• HIGH (8)
  • src-tauri/src/core/agent_run_compaction.rs:118 - compact_thread_context and run_compact_background have no tests
  • src-tauri/src/core/agent_run_event_handler.rs:501 - finish_run reasoning discard logic has no test coverage
  • src-tauri/src/core/agent_session_execution.rs:62 - execute_tool_call dispatch has no test coverage for any branch
  • src-tauri/src/extensions/plugins.rs:868 - execute_hook path traversal prevention is untested
  • src-tauri/src/extensions/plugins.rs:920 - execute_plugin_tool and execute_command_ have no test coverage
  • src-tauri/src/extensions/plugins.rs:953 - Plugin tool commands execute arbitrary executables without path confinement
  • src/modules/workbench-shell/ui/runtime-thread-surface-metadata.ts:96 - No unit tests for metadata parsing functions in runtime-thread-surface-metadata.ts
  • src/modules/workbench-shell/ui/runtime-thread-surface-state.ts:484 - No unit tests added for newly-extracted pure functions in runtime-thread-surface-state.ts
• MEDIUM (9)
  • src-tauri/src/extensions/marketplace.rs:275 - SSRF via unvalidated git clone URL in sync_marketplace_source_repo
  • src-tauri/src/extensions/marketplace.rs:311 - N+1 redundant DB query in marketplace_list_items via marketplace_items_for_source
  • src-tauri/src/extensions/marketplace.rs:554 - DefaultHasher used for persistent marketplace source IDs is not cross-version stable
  • src-tauri/src/extensions/marketplace.rs:204 - marketplace_install_item does full list scan to find a single item
  • src-tauri/src/extensions/plugins.rs:1480 - substitute_variables has no test coverage
  • src-tauri/src/extensions/plugins.rs:1488 - mask_sensitive_value and mask_url have no test coverage
  • src/modules/workbench-shell/ui/dashboard-overlays.tsx:234 - Same indentation issue in DashboardOverlays
  • src/modules/workbench-shell/ui/dashboard-sidebar.tsx:120 - Extracted JSX retains parent-level indentation, hurting readability
• LOW (4)
  • src-tauri/Cargo.toml:57 - RC version of tiycore used as a production dependency
  • src-tauri/Cargo.toml:57 - Pre-release tiycore dependency introduces supply-chain risk
  • src-tauri/src/extensions/plugins.rs:1030 - Stdin write error silently ignored in execute_command_
  • src/modules/workbench-shell/ui/runtime-thread-surface-state.ts:123 - Double blank lines in runtime-thread-surface-state.ts

Actionable Suggestions

• Add tool_call_repo::update_result calls in all result branches of execute_tool_call (Denied, EscalationRequired, Cancelled, Err, Executed) to prevent stale 'requested' records
• Replace let _ = stdin.write_all(...) with error logging or propagation in execute_command_
• Use dunce::canonicalize consistently in execute_hook to match the plugin path resolution in load_plugin_from_dir
• Add a tracking issue or TODO comment for the tiycore RC version and plan to upgrade to stable before release
• Consider documenting the plugin trust model (trusted vs untrusted sources) and adding permission-level validation for tool.command values
• Add path confinement for plugin tool commands similar to the hook path-traversal check already in execute_hook
• Validate MCP server URLs against private/internal IP ranges before auto-starting plugin-managed MCP servers
• Canonicalize and validate plugin tool CWD to ensure it stays within the workspace or plugin directory
• Add an environment variable denylist (PATH, LD_PRELOAD, DYLD_INSERT_LIBRARIES, etc.) for plugin tool env maps
• Pin tiycore to a stable release before production deployment
• Consider requiring explicit user approval before installing plugins or enabling plugin-managed MCP servers
• Add unit tests for the 4 free functions in agent_run_event_handler.rs (build_orphaned_run_terminal_event, terminal_event_status, is_terminal_runtime_event, should_complete_reasoning_for_event) — these require no mocking

Potential Risks

• Stale tool_call records accumulating in 'requested' status could degrade DB query performance over time and mislead the UI
• RC tiycore dependency could introduce breaking changes or runtime bugs in agent sessions
• Plugin tool commands with no sandboxing could be exploited if plugins are loaded from untrusted marketplace sources
• Silent stdin write failures could cause intermittent plugin/hook failures that are hard to diagnose
• A malicious plugin can execute arbitrary system commands via tool.command
• A malicious plugin can probe internal network services via MCP URL SSRF
• A malicious plugin can subvert spawned process execution via env var injection (LD_PRELOAD, PATH override)
• A malicious plugin can set arbitrary working directories for spawned commands
• Pre-release tiycore dependency may introduce unreviewed security changes
• State machine regressions in agent_run_event_handler.rs will only be caught in manual end-to-end testing
• Path traversal bypass in execute_hook could allow arbitrary command execution
• Compaction lifecycle bugs could leave threads stuck in Running state

Test Suggestions

• Add integration test verifying tool_call_repo status is updated to 'failed' for all error paths in execute_tool_call
• Add Windows-specific test for hook path traversal check with dunce vs std::fs::canonicalize
• Add test for execute_command_ with stdin write failure (mock broken pipe)
• Add test for compact_thread_context concurrent with an active run (race condition)
• Verify all new modules compile and pass cargo test with the RC tiycore version
• Write security tests verifying hook path-traversal prevention works with symlinks and ../ sequences
• Add tests that plugin tool commands cannot specify executables outside expected directories
• Add tests that MCP URLs pointing to 127.0.0.1, 169.254.169.254, 10.x.x.x, and 192.168.x.x are rejected or require approval
• Add tests that PATH, LD_PRELOAD, and other sensitive env var keys are denied in plugin tool env maps
• Add tests that plugin CWD containing ../ or absolute paths outside workspace are rejected
• Fuzz test parse_plugin_manifest and parse_plugin_command_markdown with malformed inputs
• Unit test all pure/free functions first (lowest effort, highest coverage density)

File-Level Coverage Notes

• src-tauri/src/core/agent_run_manager.rs: Patch content unavailable (binary/large/renamed), reviewed as file-level risk only. (cannot_inline_without_patch)
• src-tauri/src/core/agent_session.rs: Patch content unavailable (binary/large/renamed), reviewed as file-level risk only. (cannot_inline_without_patch)
• src-tauri/src/core/agent_session_tests.rs: Patch content unavailable (binary/large/renamed), reviewed as file-level risk only. (cannot_inline_without_patch)
• src-tauri/src/extensions/mcp.rs: Patch content unavailable (binary/large/renamed), reviewed as file-level risk only. (cannot_inline_without_patch)
• src-tauri/src/extensions/mod.rs: Patch content unavailable (binary/large/renamed), reviewed as file-level risk only. (cannot_inline_without_patch)
• src-tauri/Cargo.toml: low_risk (Simple dependency version change; testing risk is in downstream modules consuming the new API.)
• src-tauri/src/extensions/plugins.rs: high_risk (Good test coverage for manifest parsing, DTO builders, and free-function helpers. Critical gap is the I/O-heavy async methods (execute_hook, execute_plugin_tool, install/uninstall/sync) which have zero coverage.)
• src-tauri/src/core/agent_run_event_handler.rs: critical_risk (This is the most critical testing gap in the batch. The entire event-driven state machine that governs run lifecycle has no automated verification.)
• src-tauri/src/core/agent_session_execution.rs: high_risk (resolve_helper_tool_task has good test coverage. The main execution paths and all other sub-handlers are untested.)
• src-tauri/src/core/subagent/orchestrator.rs: medium_risk (The refactoring of merge_payload and addition of thinking_level propagation are behaviorally significant but lightly tested.)
• src-tauri/src/core/agent_run_compaction.rs: high_risk (persist_clear_context_reset_to_pool has a good test. The main orchestration methods are completely untested.)
• src-tauri/src/core/agent_session_compression.rs: medium_risk (Best test coverage in the batch. persist_compression_markers_to_pool and run_auto_compression (non-LLM paths) have solid tests. The calibration and LLM-dependent paths remain gaps.)
• src-tauri/src/extensions/marketplace.rs: Has several performance issues: N+1 DB queries, full-list scan for single-item install, sequential git sync, and per-call allocations in builtin source helpers. (The N+1 pattern in marketplace_list_items is the most impactful issue to address first.)
• src-tauri/src/extensions/skills.rs: Lacks any caching layer; every existence check or scope lookup does a full filesystem walk and parse. Linear search in state application. (The skill_exists / lookup_skill_actual_scope full-scan pattern is the highest-impact issue here.)
• src-tauri/src/extensions/config_io.rs: Minor I/O concern with display_config_path canonicalize. Mutex-based diagnostic recording is acceptable for small lists. Overall low risk. (Low priority; canonicalize caching is a nice-to-have.)
• src-tauri/src/extensions/runtime_tools.rs: resolve_tool does linear scan across all plugins and MCP servers. Hook execution is sequential with interleaved DB writes. Acceptable for typical counts but no indexing. (No critical issues; consider a tool-name index if plugin count grows.)
• src-tauri/src/core/settings_manager.rs: Only a test data addition (reasoning_content_constrained field). No performance impact.
• src-tauri/src/core/thread_manager.rs: Adds a single DB call (discard_dangling_reasoning) to startup recovery. Low overhead; the query is a simple indexed UPDATE.
• src-tauri/src/commands/git.rs: Test-only change adding a field. No performance impact.
• src-tauri/src/commands/thread.rs: Test-only change adding a field. No performance impact.
• ... and 31 more file-level entries.

Inline Downgraded Items (processed but not inline)

• None

Coverage Status

• Target files: 51
• Covered files: 35
• Uncovered files: 16
• No-patch/binary covered as file-level: 5
• Findings with unknown confidence (N/A): 0

Uncovered list:

• src-tauri/src/core/agent_run_manager_tests.rs: planner_signaled_done_before_coverage
• src-tauri/src/core/agent_run_summary.rs: planner_signaled_done_before_coverage
• src-tauri/src/core/agent_run_title.rs: planner_signaled_done_before_coverage
• src-tauri/src/core/agent_session_events.rs: planner_signaled_done_before_coverage
• src-tauri/src/core/agent_session_history.rs: planner_signaled_done_before_coverage
• src-tauri/src/core/agent_session_tools.rs: planner_signaled_done_before_coverage
• src-tauri/src/core/agent_session_types.rs: planner_signaled_done_before_coverage
• src-tauri/src/core/mod.rs: planner_signaled_done_before_coverage
• src/modules/settings-center/model/run-model-plan.test.ts: planner_signaled_done_before_coverage
• src/modules/settings-center/model/run-model-plan.ts: planner_signaled_done_before_coverage
• src/modules/settings-center/ui/settings-center-overlay.tsx: planner_signaled_done_before_coverage
• src/modules/workbench-shell/ui/dashboard-terminal-orchestrator.tsx: planner_signaled_done_before_coverage
• src/modules/workbench-shell/ui/runtime-thread-surface-diff.tsx: planner_signaled_done_before_coverage
• src/modules/workbench-shell/ui/runtime-thread-surface-helpers.ts: planner_signaled_done_before_coverage
• src/modules/workbench-shell/ui/runtime-thread-surface-tools.tsx: planner_signaled_done_before_coverage
• src/modules/workbench-shell/ui/thread-rename-input.tsx: planner_signaled_done_before_coverage

No-patch covered list:

• src-tauri/src/core/agent_run_manager.rs: patch_unavailable_or_binary
• src-tauri/src/core/agent_session.rs: patch_unavailable_or_binary
• src-tauri/src/core/agent_session_tests.rs: patch_unavailable_or_binary
• src-tauri/src/extensions/mcp.rs: patch_unavailable_or_binary
• src-tauri/src/extensions/mod.rs: patch_unavailable_or_binary

Runtime/Budget

• Rounds used: 1/4
• Planned batches: 3
• Executed batches: 3
• Sub-agent runs: 8
• Planner calls: 1
• Reviewer calls: 8
• Model calls: 9/64
• Structured-output summary-only degradation: NO

[github-actions]

Automated PR review completed.

• Findings kept: 40
• Findings with unknown confidence: 0
• Inline comments attempted: 32
• Target files: 27
• Covered files: 27
• Uncovered files: 0
  See the summary comment for detailed analysis and coverage details.

[github-actions]

Automated PR review completed.

• Findings kept: 26
• Findings with unknown confidence: 0
• Inline comments attempted: 26
• Target files: 33
• Covered files: 33
• Uncovered files: 0
  See the summary comment for detailed analysis and coverage details.

[github-actions]

Automated PR review completed.

• Findings kept: 11
• Findings with unknown confidence: 0
• Inline comments attempted: 11
• Target files: 36
• Covered files: 19
• Uncovered files: 17
  See the summary comment for detailed analysis and coverage details.

[github-actions]

Automated PR review completed.

• Findings kept: 30
• Findings with unknown confidence: 0
• Inline comments attempted: 24
• Target files: 37
• Covered files: 36
• Uncovered files: 1
  See the summary comment for detailed analysis and coverage details.

[github-actions]

Automated PR review completed.

• Findings kept: 36
• Findings with unknown confidence: 0
• Inline comments attempted: 32
• Target files: 42
• Covered files: 42
• Uncovered files: 0
  See the summary comment for detailed analysis and coverage details.

[github-actions]

Automated PR review completed.

• Findings kept: 24
• Findings with unknown confidence: 0
• Inline comments attempted: 22
• Target files: 42
• Covered files: 29
• Uncovered files: 13
  See the summary comment for detailed analysis and coverage details.

[github-actions]

Automated PR review completed.

• Findings kept: 39
• Findings with unknown confidence: 0
• Inline comments attempted: 32
• Target files: 49
• Covered files: 49
• Uncovered files: 0
  See the summary comment for detailed analysis and coverage details.

[github-actions]

Automated PR review completed.

• Findings kept: 35
• Findings with unknown confidence: 0
• Inline comments attempted: 32
• Target files: 51
• Covered files: 51
• Uncovered files: 0
  See the summary comment for detailed analysis and coverage details.

[github-actions]

Automated PR review completed.

• Findings kept: 10
• Findings with unknown confidence: 0
• Inline comments attempted: 10
• Target files: 51
• Covered files: 25
• Uncovered files: 26
  See the summary comment for detailed analysis and coverage details.

[github-actions]

Automated PR review completed.

• Findings kept: 22
• Findings with unknown confidence: 0
• Inline comments attempted: 22
• Target files: 51
• Covered files: 35
• Uncovered files: 16
  See the summary comment for detailed analysis and coverage details.

[github-actions]

[CRITICAL] agent_run_event_handler.rs has zero test coverage for the main event handler

The central runtime event handler that drives all agent run state transitions has no automated tests. Race conditions in status transitions (e.g. MessageDelta → MessageCompleted, or duplicate terminal events) are entirely untested.

Suggestion: Add unit tests for each match arm of handle_runtime_event using a mock AgentRunManager or by extracting pure decision functions (terminal_event_status, should_complete_reasoning_for_event, is_terminal_runtime_event) and testing those with synthetic ThreadStreamEvent variants. The free functions at R16-R59 are ideal candidates for immediate unit testing.

Risk: State machine regressions (e.g. wrong thread status after cancellation, reasoning messages left in 'streaming' state) will only be caught manually.

Confidence: 0.95

[From SubAgent: testing]

[github-actions]

[HIGH] compact_thread_context and run_compact_background have no tests

The /compact command entry point — including ActiveRun registration, message persistence order, broadcast channel setup, and the spawned background task — has no test coverage. The existing test only covers the simpler /clear path.

Suggestion: Add a test that: (1) calls compact_thread_context on a seeded thread; (2) verifies the user message, reset marker, and run row are persisted; (3) verifies the frontend channel receives RunStarted and ContextCompressing events. The LLM-dependent part (run_compact_background) can be tested with a mock or by verifying the final state after a short timeout.

Risk: Compaction lifecycle bugs (stuck Running state, missing reset markers, missing events) will only be caught in manual testing.

Confidence: 0.88

[From SubAgent: testing]

[github-actions]

[HIGH] finish_run reasoning discard logic has no test coverage

The reasoning message classification in finish_run (discard if empty or missing signature for non-completed runs, keep otherwise) directly controls what thinking content users see after interrupted/cancelled runs. No tests validate any of the four combinations (empty vs non-empty × signature present vs absent).

Suggestion: Extract the discard decision into a pure function and add parameterized tests covering: (1) completed run → never discard; (2) non-completed + empty content → discard; (3) non-completed + no signature → discard; (4) non-completed + content + signature → keep as completed.

Risk: Users may lose valid thinking content on interrupted runs, or see garbage thinking content that should have been discarded.

Confidence: 0.87

[From SubAgent: testing]

[github-actions]

[HIGH] execute_tool_call dispatch has no test coverage for any branch

The primary tool execution dispatcher has no integration tests. Branch-specific logic like approval flow event emission (ApprovalRequired → ApprovalResolved), timeout result persistence, and clarify request lifecycle are all untested.

Suggestion: At minimum, add unit tests for the event emission patterns: (1) tool approval required then approved emits both events; (2) tool timeout persists the error to tool_call_repo; (3) clarify request emits ClarifyRequired then ClarifyResolved. These can be tested with mock event_tx and tool_gateway.

Risk: Event emission ordering bugs (e.g. missing ToolRunning event, double ToolFailed) would cause frontend state desynchronization.

Confidence: 0.85

[From SubAgent: testing]

[github-actions]

[HIGH] execute_hook path traversal prevention is untested

The path traversal guard in execute_hook is security-critical but untested. A regression in the starts_with comparison or canonicalize behavior could silently allow execution of arbitrary binaries.

Suggestion: Add tests that: (1) a handler '../../../etc/passwd' is rejected with the hook_escape error; (2) a symlink inside the plugin dir that points outside is rejected; (3) a valid handler within the plugin dir succeeds.

Risk: A path traversal bypass would allow plugin manifests to execute arbitrary commands outside their directory.

Confidence: 0.92

[From SubAgent: testing]

[github-actions]

[MEDIUM] No unit tests for dashboard-workbench-logic.ts pure functions

The extracted workbench logic module contains status mapping and data computation functions with no test coverage. These functions drive sidebar status indicators and context badge display.

Suggestion: Add tests for: each RunState value in mapRunStateToWorkbenchThreadStatus; each status in mapRunFinishedStatusToThreadStatus; buildThreadContextBadgeData with zero/positive context window; mergeLocalFallbackThreads with overlapping and disjoint thread sets; formatCompactTokenCount boundary values.

Risk: Incorrect sidebar thread status badges or context usage display after refactoring

Confidence: 0.88

[From SubAgent: testing]

[github-actions]

[LOW] RC version of tiycore used as a production dependency

The tiycore dependency was bumped from a stable version (0.1.19) to a release candidate (0.2.1-rc.26042720). RC versions may have unstable APIs or bugs and shouldn't ship to production without explicit sign-off.

Suggestion: Ensure this RC is intentional and temporary. Add a comment or tracking issue reference in Cargo.toml, and plan to pin to the stable 0.2.1 once it's released before merging to main.

Risk: An RC dependency could introduce regressions, breaking changes, or instability in agent runtime behavior.

Confidence: 0.90

[From SubAgent: general]

[github-actions]

[LOW] Pre-release tiycore dependency introduces supply-chain risk

The tiycore dependency is updated from a stable version (0.1.19) to a pre-release RC version (0.2.1-rc.26042720), which may carry additional supply-chain and stability risk.

Suggestion: Pin to a stable release before shipping to production. If an RC is required for feature access, verify the upstream tag and commit signature.

Risk: RC builds may contain unreviewed changes, security regressions, or unstable behavior not present in the stable release.

Confidence: 0.90

[From SubAgent: security]

[github-actions]

[LOW] Stdin write error silently ignored in execute_command_

The stdin write to the child process in execute_command_ silently ignores errors. If writing the JSON payload fails, the child may hang waiting for input or process empty input, producing confusing results.

Suggestion: Log the error at minimum: if let Err(e) = stdin.write_all(&payload).await { tracing::warn!(...); }. Consider propagating the error or killing the child process if the write fails.

Risk: Silent stdin write failures can cause plugins/hooks to hang or produce incorrect output without any diagnostic signal.

Confidence: 0.85

[From SubAgent: general]

[github-actions]

[LOW] Double blank lines in runtime-thread-surface-state.ts

Inconsistent spacing with double blank lines in the new state module.

Suggestion: Remove extra blank lines to maintain single-blank-line convention.

Risk: Minor style inconsistency; no functional impact.

Confidence: 0.90

[From SubAgent: general]