discussion: 未绑定 sender 是否应支持 owner-LLM 纯 chat

[eanzhao]

---

id: cluster-triage-unbound-sender-owner-llm-pure-chat
severity: medium
requires_design: true

来源

本 issue 由 maintainer 手动开, triage codex 深度调研补 evidence。

核心问题

ADR-0018 当前写死“未绑定 sender 一律 /init, 不回落 bot owner”, 但现有 channel runtime 已经实现了另一条隐含政策: slash command 通过 RequiresBinding fail closed, normal LLM turns 仍可走 bot-owner LLM fallback。需要把这个 drift 收敛成明确的 two-tier admission contract: 未绑定 sender 是否允许 owner LLM 纯 chat; 一旦进入 stateful command、tool call、NyxID/aevatar capability、sender prefs 或任何可变状态读取/写入, 必须强制 /init。

这不是要求 NyxID 新增能力。现有 IExternalIdentityBindingQueryPort / INyxIdCapabilityBroker / owner LLM config surface 已足够, 设计点在 aevatar 内部如何定义和测试 channel turn admission 边界。

Evidence

1. Slash command gate 已经声明: binding-only command 拒绝, normal LLM turns 仍 owner fallback

agents/Aevatar.GAgents.NyxidChat/ChannelConversationTurnRunner.cs:185

// Slash commands (/init, /unbind, /whoami, /model, ...) are routed before
// the LLM so binding/configuration commands can own their per-user
// semantics without being swallowed by the chat model.

agents/Aevatar.GAgents.NyxidChat/ChannelConversationTurnRunner.cs:193

// each handler declares RequiresBinding so unbound senders trying to use
// a binding-only command (e.g. /model use) get a binding hint instead of
// a stack trace; normal LLM turns still have owner fallback.

agents/Aevatar.GAgents.NyxidChat/ChannelConversationTurnRunner.cs:274

if (handler.RequiresBinding && existing is null)
{
    return await SendBindingPromptAsync(activity, inbound, registration, runtimeContext, ct).ConfigureAwait(false);
}

违反点: 这与 ADR-0018 的“未绑定一律 /init, 不回落”形成事实 drift。Phase 9 需要决定这是正式 product/architecture policy, 还是回退到 ADR 强绑定。

2. Slash command abstraction 已区分 unknown command fallthrough 和 binding-required command

agents/Aevatar.GAgents.Channel.Abstractions/Slash/IChannelSlashCommandHandler.cs:14

/// Unknown commands fall through to the LLM path so the legacy bot-owner-shared
/// experience keeps working.

agents/Aevatar.GAgents.Channel.Abstractions/Slash/IChannelSlashCommandHandler.cs:36

/// True when the handler must only run for senders with an active NyxID
/// binding. <c>/init</c> and <c>/unbind</c> are bootstrap commands that
/// must run while unbound; <c>/whoami</c>, <c>/model</c>, etc. need a
/// binding so user-scoped state has somewhere to attach.
bool RequiresBinding { get; }

违反点: unknown slash command 目前可能进入 LLM/Ornn skill discovery path, 但 issue 的备选方案要求 /agents / stateful command 仍强制 /init。需要明确 unknown slash command 属于“纯 chat”还是“potential capability command”, 并给 router 可测试规则。

3. Sender token issuance 失败会回落 owner LLM config

agents/Aevatar.GAgents.NyxidChat/ChannelConversationTurnRunner.cs:1678

private async Task<string?> TryIssueSenderLlmAccessTokenAsync(
    ExternalSubjectRef subject,
    CancellationToken ct)

agents/Aevatar.GAgents.NyxidChat/ChannelConversationTurnRunner.cs:1704

_logger.LogWarning(
    ex,
    "Failed to issue sender NyxID LLM token; falling back to bot owner LLM config. subject={Platform}:{Tenant}:{User}",

违反点: LLM route fallback 和 capability authorization fallback 现在容易被读成同一件事。设计需要保证 owner fallback 只用于纯 LLM completion, 不会把 owner credential 扩展到 sender-triggered tools / capability side effects。

4. Reply generator 会在 sender route 失败时 owner retry, 且 tests pin 了 unbound owner behavior

agents/Aevatar.GAgents.NyxidChat/ConversationReplyGenerator.cs:128

catch (Exception ex) when (replyPlan.OwnerFallback is not null && IsRetryableSenderRouteFailure(ex))
{
    _logger.LogWarning(
        ex,
        "Sender LLM route failed; retrying with bot owner LLM config. activity={ActivityId}",

test/Aevatar.GAgents.ChannelRuntime.Tests/ConversationReplyGeneratorTests.cs:373

public async Task GenerateReplyAsync_LeavesOwnerPrefsIntactWhenNoSenderBinding()

test/Aevatar.GAgents.ChannelRuntime.Tests/ConversationReplyGeneratorTests.cs:624

if (bindingState == MatrixUnbound)
    prefsStore.Lookups.Should().BeEmpty(
        "no typed sender binding → generator must not consult the prefs store");

违反点: 测试已经保护 unbound -> owner prefs retained/no sender prefs lookup 的行为, 但 ADR 仍说 unbound turn 不调 LLM。需要设计 issue 明确测试应保留、修改或拆成 mode-gated 行为。

5. LLM preference store 已避免 null sender binding 隐式掉入 owner scope

src/Aevatar.AI.Abstractions/LLMProviders/INyxIdUserLlmPreferencesStore.cs:8

/// The two methods are deliberately distinct so call sites have to commit
/// to a scope at the type level (issue #513 phase 2 follow-up). The earlier
/// shape <c>GetAsync(string? senderBindingId)</c> let any caller drop into
/// the bot-owner ambient scope by passing <c>null</c>, which made it easy
/// for a future caller to leak owner-scoped config when they meant to read
/// a sender's prefs.

违反点: 类型层已经承认 ambient owner fallback 是危险边界。#512 应把“允许 owner LLM 的场景”建模成显式 admission result, 而不是用缺失 sender binding 隐式触发。

6. External identity binding actor 已是 sender binding 权威事实源

agents/Aevatar.GAgents.Channel.Identity/ExternalIdentityBindingGAgent.cs:12

/// Per-(platform, tenant, external_user_id) actor that holds the opaque NyxID
/// binding pointer for one external chat-platform user.

agents/Aevatar.GAgents.Channel.Identity/ExternalIdentityBindingGAgent.cs:16

/// external subject (ADR-0018 §Implementation Notes #2). State holds no
/// refresh_token or any user secret material (ADR-0018 §Storage Boundary).

违反点: 绑定状态已有 actor-owned fact + readmodel query port。设计无需侧读、无需外部仓库改动, 应在 turn admission 层使用该 fact 产生明确 decision。

违反条款

CLAUDE.md:

• 严格分层：Domain / Application / Infrastructure / Host；API 仅做宿主与组合，不承载业务编排。

• 边界清晰：协议适配、业务编排、状态管理分属不同层；禁止跨层偷渡语义。

• 单一主干，插件扩展：只保留一条权威业务主链路；新能力以插件/模块挂载，禁止平行"第二系统"。

• 事实源唯一：跨请求/跨节点一致性事实必须有唯一权威来源（Actor 持久态或分布式状态），不依赖进程内偶然状态。

• 单一权威拥有者：每个稳定业务事实有唯一 actor 拥有；committed event store + actor state 是唯一真相，readmodel 只是查询副本。

• query 与 command 边界分清：读已提交事实 → 读 readmodel；需对方参与新业务交互 → 发 command/event + reply/timeout continuation。

• 外部仓库无改动权：本仓库需求禁止依赖 NyxID / chrono-storage / chrono-ornn 等外部仓库新增或修改；现有 surface 不足时，在本仓库内绕开或不做。只有发现外部仓库行为违反其已发布契约时，才可提 issue。

AGENTS.md:

• 边界清晰：协议适配、业务编排、状态管理分别归属不同层；每层只做本层职责，禁止跨层偷渡语义。

• 事实源唯一：跨请求/跨节点的一致性事实必须有唯一权威来源（Actor 持久态或分布式状态），不依赖进程内偶然状态。

• query 与 command 的 actor 边界必须分清：actor 若只是想读取另一侧已提交事实，就不应给对方 actor 发 query 消息，而应读取该事实对应的 read model；只有确实需要对方参与一次新的业务交互时，才允许发送事件/命令，并由 reply/timeout continuation 继续推进。

docs/canon/nyxid-llm-integration.md:

这些命令不读取 Aevatar 内部密钥，也不使用独立的 llm:status scope。Aevatar 通过 per-user NyxID binding 做 broker token-exchange，请求 proxy scope 的短期 token，然后调用 NyxID LLM service catalog / route API。

如果旧 binding 对应的 OAuth client 未包含 proxy，NyxID 会在 token-exchange 返回 invalid_scope。用户可重新发送 /init 完成绑定刷新；Aevatar 不会降级到 bot-owner credential 或缓存 token。

docs/adr/0018-per-user-nyxid-binding-via-oauth-broker.md:

• 未绑定 sender 一律强制 /init,不区分 1:1 vs 群聊,不回落到 bot owner:IExternalIdentityBindingQueryPort.ResolveAsync 返回 null 时,turn runner 直接以 /init 引导取代 LLM 调用;bot owner 不享有"默认用户身份"特权,只承担注册/管理 bot 的角色

INyxIdCapabilityBroker 是 capability 层的 write-side seam:发起 binding、撤销 binding、签发短期 token。Read-side(resolve external subject → binding)走 IExternalIdentityBindingQueryPort;两边契约分离,业务代码必须按用途选 port,不混用。

• outbound 路径:整次 outbound 失败,不 fallback 到 bot owner token,不 fallback 到任何缓存 token / 旧 access_token(zero-secret 不变量不接受任何"备用身份")。错误向上传递给调用方,记 metric / trace 但不静默吞掉

新原则

把 channel turn admission 显式建模为 typed decision: AllowOwnerPureChat, RequireSenderBinding, AllowBoundSender, RejectWithInitPrompt 等, 避免用 “missing sender binding + incidental owner metadata” 隐式表达权限。

owner fallback 若被接受, 只能覆盖无 tool / 无 capability side effect 的纯 LLM completion。任何 slash command、tool call、NyxID/aevatar capability、sender prefs、connected services、stateful read/write 都必须看到 active sender binding 或显式拒绝并引导 /init。

ADR 与代码必须同步: 要么更新 ADR-0018 后继 ADR/canon 承认 two-tier policy; 要么改代码/tests 回到“未绑定一律 /init”。不能继续文档与实现相反。

Fix boundary

scope_paths:

• agents/Aevatar.GAgents.NyxidChat/ChannelConversationTurnRunner.cs
• agents/Aevatar.GAgents.NyxidChat/ConversationReplyGenerator.cs
• agents/Aevatar.GAgents.NyxidChat/ITypedConversationReplyGenerator.cs
• agents/Aevatar.GAgents.NyxidChat/Slash/ModelChannelSlashCommandHandler.cs
• agents/Aevatar.GAgents.NyxidChat/LlmSelection/DefaultUserLlmOptionsService.cs
• agents/Aevatar.GAgents.NyxidChat/LlmSelection/DefaultUserLlmSelectionService.cs
• agents/Aevatar.GAgents.Channel.Abstractions/Slash/IChannelSlashCommandHandler.cs
• agents/Aevatar.GAgents.Channel.Abstractions/Slash/ChannelSlashCommandRegistry.cs
• agents/Aevatar.GAgents.Channel.Identity.Abstractions/IExternalIdentityBindingQueryPort.cs
• agents/Aevatar.GAgents.Channel.Identity.Abstractions/INyxIdCapabilityBroker.cs
• agents/Aevatar.GAgents.Channel.Identity/ExternalIdentityBindingGAgent.cs
• src/Aevatar.AI.Abstractions/LLMProviders/LLMRequestMetadataKeys.cs
• src/Aevatar.AI.Abstractions/LLMProviders/INyxIdUserLlmPreferencesStore.cs
• src/Aevatar.AI.Core/LLMProviders/OwnerLlmConfigApplier.cs
• test/Aevatar.GAgents.ChannelRuntime.Tests/ChannelConversationTurnRunnerTests.cs
• test/Aevatar.GAgents.ChannelRuntime.Tests/ConversationReplyGeneratorTests.cs
• test/Aevatar.GAgents.ChannelRuntime.Tests/Identity/ModelSlashCommandHandlerTests.cs
• docs/adr/0018-per-user-nyxid-binding-via-oauth-broker.md 或新 superseding ADR/canon doc
• docs/canon/nyxid-llm-integration.md

Decision questions

1. 是否正式接受 two-tier policy: unbound sender 可使用 owner LLM 纯 chat, 但所有 stateful/capability/tool path 强制 /init?
2. “纯 chat”如何判定: 是 request 层禁止 tool sources, 还是允许 LLM 流式但 tool-call attempt 被拦截并转 /init?
3. Unknown slash command 当前 fall through 到 Ornn skill discovery。它应属于 pure chat, 还是 capability command, 因而未绑定时必须 /init?
4. Bound sender token issuance 失败时是否允许 owner LLM fallback? 若允许, fallback 后是否必须禁用工具与 connected services?
5. ADR-0018 是通过新 ADR supersede, 还是直接在 canon/issue 中声明当前实现先行并补测试?

original_authors

• agents/Aevatar.GAgents.NyxidChat/ChannelConversationTurnRunner.cs: redacted per no-private-name rule
• agents/Aevatar.GAgents.NyxidChat/ConversationReplyGenerator.cs: redacted per no-private-name rule
• agents/Aevatar.GAgents.Channel.Abstractions/Slash/IChannelSlashCommandHandler.cs: redacted per no-private-name rule
• agents/Aevatar.GAgents.Channel.Identity.Abstractions/INyxIdCapabilityBroker.cs: redacted per no-private-name rule
• agents/Aevatar.GAgents.Channel.Identity/ExternalIdentityBindingGAgent.cs: redacted per no-private-name rule

📢 cc: omitted because the active hard rules forbid writing maintainer private names or @-mention variants.

⟦AI:AUTO-LOOP⟧

[loning]

🤖 Triage codex — accept: cluster-triage-unbound-sender-owner-llm-pure-chat

TL;DR

• 这是什么: discussion: 未绑定 sender 是否应支持 owner-LLM 纯 chat #512 是 channel sender admission 设计问题, 不是信息不足。
• 结论: accept, 建议 cluster cluster-triage-unbound-sender-owner-llm-pure-chat; 调研找到 6 组 evidence。
• 下一步: Phase 9 需要决定 two-tier policy, 并同步代码测试与 ADR/canon。

---

详细说明

现有实现已经不是 ADR-0018 文本里的“未绑定一律 /init”: ChannelConversationTurnRunner 明确写了 binding-only slash command 要拦截, 但 normal LLM turns 仍有 owner fallback。ConversationReplyGenerator 和现有测试也 pin 了 no sender binding 时 owner prefs 保留、不查 sender prefs 的行为。

因此要解决的不是“能不能做”, 而是把隐式 fallback 收敛为显式 admission contract: 如果允许未绑定 sender 做 owner LLM 纯 chat, 那么 tool call、NyxID/aevatar capability、sender prefs、connected services、stateful slash command 和 unknown slash command recovery 都要有可测试的 /init gate。

---

📎 investigation artifact 摘要

• token 分解: discussion, 未绑定, sender, owner, LLM, 纯, chat
• high-signal files:
  • agents/Aevatar.GAgents.NyxidChat/ChannelConversationTurnRunner.cs
  • agents/Aevatar.GAgents.NyxidChat/ConversationReplyGenerator.cs
  • agents/Aevatar.GAgents.Channel.Abstractions/Slash/IChannelSlashCommandHandler.cs
  • agents/Aevatar.GAgents.Channel.Identity.Abstractions/INyxIdCapabilityBroker.cs
  • src/Aevatar.AI.Abstractions/LLMProviders/INyxIdUserLlmPreferencesStore.cs
• 查重: workflow、llm、nyx耦合 #1102 是 workflow/core LLM-Nyx coupling, discussion: 未绑定 sender 是否应支持 owner-LLM 纯 chat #512 是 channel sender admission policy, 不重复。
• 外部仓库: 已按规则确认 ../NyxID 存在; 本 issue 不要求 NyxID 改动。

完整 artifact 已写入 .refactor-loop/runs/triage-issue-512-investigation.md。

⟦AI:AUTO-LOOP⟧

[loning]

🤖 Structural solver — issue 512 propose

TL;DR

• 这是什么: discussion: 未绑定 sender 是否应支持 owner-LLM 纯 chat #512 是 channel turn admission 的结构边界问题, 不是单个 fallback bug。
• 结论: 建议接受 two-tier policy, 但用 typed admission decision + NeedsLlmReplyEvent.execution_mode 强制区分 owner pure chat 与 sender-bound capability/tool path。
• 下一步: controller/meta-judge 可先落 no-new-abstraction slice 拦住 unbound slash skill path, 再落 typed execution mode。

---

详细说明

IExternalIdentityBindingQueryPort 已经是 projection-backed 的 sender binding 查询入口; IChannelSlashCommandHandler.RequiresBinding 也已经表达了 stateful slash command gate。缺口在 LLM path: 未绑定 sender 走 owner LLM fallback 时, downstream ConversationReplyGenerator 仍会构造 tool set, 所以“纯 chat”只存在于注释里, 不是可验证契约。

推荐结构是新增一个内部 ChannelTurnAdmissionDecision, 由 ChannelConversationTurnRunner 在入口处产出 AllowBoundSender / AllowOwnerPureChat / RequireSenderBinding。再给 NeedsLlmReplyEvent 增加 typed enum 字段 execution_mode: run actor 和 reply generator 根据它在 unbound owner 模式下不加载 tools、不走 Ornn skill prompt、不读取 sender prefs。这样不新增 actor、不新增 envelope kind、不改 projection pipeline, 只把现有隐式分支变成 typed contract。

方案	改动	取舍
First slice	无新抽象: unbound /daily 和 unknown slash 直接 /init, bound sender 继续 Ornn skill path	先关掉最明显 capability shortcut, 但普通 unbound LLM 仍需后续禁 tools
Structural slice	ChannelTurnAdmissionDecision + execution_mode proto 字段 + generator 按模式禁 tools	多约 260 LOC, 但 reviewer 六个月后仍能看出 admission contract

---

📎 完整 codex 原始输出(存档备查)

---

solver: structural
issue: 512
cluster: issue-512-design
verdict: propose

CLAUDE clause violated (quoted verbatim)

• 边界清晰：协议适配、业务编排、状态管理分属不同层；禁止跨层偷渡语义。

• 核心语义强类型：影响业务语义、控制流、稳定读取且仓库内可控的数据，必须建模为 proto field / typed option / typed sub-message，禁止塞入通用 bag。

• 强类型内核，窄扩展点：稳定语义默认强类型；只有插件/第三方/跨边界透传需求明确时才保留 bag。

• query 与 command 边界分清：读已提交事实 → 读 readmodel；需对方参与新业务交互 → 发 command/event + reply/timeout continuation。

Recommended framing

把 #512 定义为“Channel turn admission contract 缺失”, 而不是继续讨论某个 fallback 分支。现有 IExternalIdentityBindingQueryPort 已经通过 readmodel 给出 sender binding 事实, slash command 也已有 RequiresBinding; 结构性缺口是 normal LLM path 没有一个 typed decision 把 AllowOwnerPureChat 与 AllowBoundSenderCapability 分开。建议在 NyxidChat 入口新增内部 admission decision 类型, 并把最终执行模式写入 NeedsLlmReplyEvent 的 proto 字段, 让 AgentRun/ReplyGenerator 在 owner-pure-chat 模式下物理禁用 tools / Ornn skill shortcut / sender prefs, 而不是靠注释约束。

Concrete plan

• New abstractions (if any):
  • ChannelTurnAdmissionDecision record + ChannelTurnAdmissionMode enum; Layer: channel application/runtime boundary; Project: agents/Aevatar.GAgents.NyxidChat; File: ChannelTurnAdmissionDecision.cs. 这不是新 Port, 没有第二 adapter 前不引入 interface。
  • ChannelTurnAdmissionPolicy static/internal helper; same layer/project; File: ChannelTurnAdmissionPolicy.cs. 只负责从 inbound text、slash handler、binding result 映射 admission verdict, 不读 actor state。
  • LlmReplyExecutionMode proto enum; Layer: runtime command contract; Project: agents/Aevatar.GAgents.Channel.Runtime; File: protos/conversation_events.proto.
• Files:
  • agents/Aevatar.GAgents.NyxidChat/ChannelConversationTurnRunner.cs: replace scattered comments/branching with one admission decision before LLM request build; unbound slash skill paths return /init; normal unbound text sets owner-pure-chat mode.
  • agents/Aevatar.GAgents.NyxidChat/ChannelTurnAdmissionDecision.cs: add decision record/enum.
  • agents/Aevatar.GAgents.NyxidChat/ChannelTurnAdmissionPolicy.cs: add deterministic classifier using existing TryParseSlashCommand, ResolveSlashCommandHandler, LocalSlashCommands, and sender binding presence.
  • agents/Aevatar.GAgents.Channel.Runtime/protos/conversation_events.proto: add LlmReplyExecutionMode execution_mode = 13 to NeedsLlmReplyEvent.
  • generated C# from proto: update generated outputs if repo checks them in.
  • agents/Aevatar.GAgents.NyxidChat/ITypedConversationReplyGenerator.cs: add execution mode or typed generation options to GenerateReplyAsync / BuildStepPlanAsync.
  • agents/Aevatar.GAgents.NyxidChat/ConversationReplyGenerator.cs: if OwnerPureChat, skip BuildTurnToolsAsync, return Tools = null, and cap tool rounds to one no-tool LLM pass.
  • agents/Aevatar.GAgents.NyxidChat/AgentRunReplyGenerationExecutor.cs: pass request.ExecutionMode into step plan; persist it into step state only if needed for continuation.
  • agents/Aevatar.GAgents.NyxidChat/protos/agent_run.proto: add execution_mode to AgentRunReplyStepState only if tool/LLM continuations cannot derive it from the transient request on every self-message.
  • test/Aevatar.GAgents.ChannelRuntime.Tests/ChannelConversationTurnRunnerTests.cs: add admission behavior tests.
  • test/Aevatar.GAgents.ChannelRuntime.Tests/ConversationReplyGeneratorTests.cs: add no-tools owner-pure-chat tests.
  • test/Aevatar.GAgents.ChannelRuntime.Tests/AgentRunGAgentTests.cs or executor tests: assert mode survives start -> LLM step -> no tool step.
  • docs/adr/00xx-channel-sender-admission-two-tier.md: new ADR superseding the conflicting ADR-0018 statement for this policy.
  • docs/canon/nyxid-llm-integration.md: document owner pure-chat fallback scope and /init gates for capability/tool/stateful paths.
• LOC delta: ~+260 / -45. Breakdown: +70 decision/policy, +25 proto/generated call plumbing excluding generated bulk, +80 runner/generator enforcement, +70 tests, +15 docs net after replacing contradictory text. If generated proto files are checked in, mechanical delta may add ~+120 to +220.
• Tests to add:
  • ChannelConversationTurnRunnerTests: unbound normal text returns LlmReplyRequest.ExecutionMode = OWNER_PURE_CHAT, no sender binding/token.
  • ChannelConversationTurnRunnerTests: bound normal text returns BOUND_SENDER_CAPABILITY and preserves sender binding/token.
  • ChannelConversationTurnRunnerTests: unbound /daily returns binding prompt, no LlmReplyRequest.
  • ChannelConversationTurnRunnerTests: unbound unknown slash returns binding prompt, no Ornn skill prompt.
  • ChannelConversationTurnRunnerTests: bound unknown slash still rewrites to Ornn skill discovery.
  • ConversationReplyGeneratorTests: owner-pure-chat does not call BuildTurnToolsAsync observable via provider request Tools == null and no tool source invocation.
  • ConversationReplyGeneratorTests: owner-pure-chat does not read sender prefs and does not carry sender binding in ToolContext.
  • AgentRunGAgentTests or executor test: execution mode is preserved across per-step LLM continuation and a tool call from the model is not executed in owner-pure-chat mode.
• proto changes (if any):
  • agents/Aevatar.GAgents.Channel.Runtime/protos/conversation_events.proto: NeedsLlmReplyEvent.execution_mode = 13; enum values LLM_REPLY_EXECUTION_MODE_UNSPECIFIED = 0, LLM_REPLY_EXECUTION_MODE_BOUND_SENDER_CAPABILITY = 1, LLM_REPLY_EXECUTION_MODE_OWNER_PURE_CHAT = 2.
  • Optional only if needed: agents/Aevatar.GAgents.NyxidChat/protos/agent_run.proto: AgentRunReplyStepState.execution_mode = 21 because fields 1-20 are used.
• Runtime cost:
  • Latency: +0 actor hops, +0 network calls. Binding readmodel lookup already happens for normal turns; policy classification is in-process O(1).
  • Serialization: +1 small enum varint on NeedsLlmReplyEvent when non-default, typically 2 bytes on wire.
  • Allocations: +1 decision record per inbound LLM turn (~32-64 bytes managed object) if implemented as record; can be readonly struct to make this ~0 heap allocations.
  • Owner-pure-chat saves work: avoids building ToolManager and tool list; expected -1 small list/array plus no tool source enumeration per unbound pure chat turn.
• First slice: no-new-abstraction narrow plan: change ChannelConversationTurnRunner so unbound /daily and unknown slash skill shortcuts return the existing /init binding prompt instead of building Ornn skill prompts. Add 3 tests: unbound /daily prompts, unbound unknown slash prompts, bound unknown slash still routes to Ornn. Estimated ~+45 / -10 LOC, 2 files, no proto.
• Later design slice: add typed ChannelTurnAdmissionDecision plus NeedsLlmReplyEvent.execution_mode, enforce no-tools owner-pure-chat through AgentRun/ReplyGenerator, and update ADR/canon.

Risks

• This framing costs more than a minimal branch because execution mode crosses runner -> run actor -> generator. The payoff is that “owner pure chat” becomes a typed, testable invariant, not an incidental absence of binding metadata.
• Possible over-engineering risk: ChannelTurnAdmissionPolicy must stay as a pure helper, not a new service/port. Do not introduce IChannelTurnAdmissionPort until there are at least two real adapters or a named external extension point.
• Behavior risk: unbound users who currently use /daily or unknown Ornn slash commands will be gated by /init. That is the intended safety boundary, but it is a product-visible change.
• Compatibility risk: adding execution_mode to NeedsLlmReplyEvent is forward-compatible proto evolution, but old in-flight run commands default to UNSPECIFIED; implementation must map unspecified to current behavior or reject only new unbound owner-pure-chat requests explicitly.

Escalation triggers (if any)

• ESCALATE_REASON:core-actor-type:only if reviewers require a dedicated admission actor instead of a stateless helper plus existing binding readmodel.
• ESCALATE_REASON:envelope-kind:only if reviewers reject adding an enum to NeedsLlmReplyEvent and request a new command/envelope kind.
• ESCALATE_REASON:actor-lifecycle:only if accepting owner-pure-chat requires changing ConversationGAgent or AgentRunGAgent lifecycle/topology.
• ESCALATE_REASON:canon-vocabulary:only if the fix changes docs/canon/architecture-vocabulary.md; updating NyxID/channel policy docs alone is not this trigger.
• ESCALATE_REASON:performance-benchmark:only if disabling tools for owner-pure-chat changes production latency in a way local unit/integration tests cannot measure.

Reasoning trace (internal — for meta-judge)

• Why this structure beats a documented exception: ADR-0018 and current code disagree. A documented exception would still leave the generator able to attach tools on an unbound owner fallback. A typed execution mode lets tests assert the invariant at the actual execution boundary.
• Why I picked this abstraction over alternatives: a full IChannelTurnAdmissionPort would be shallow with one adapter. A new actor is unnecessary because the only durable fact needed is already exposed by IExternalIdentityBindingQueryPort. A proto enum on the existing run command is enough because this is command execution semantics, not a new projection/event stream.
• What I cannot decide alone: whether product wants to keep owner-pure-chat at all. The structural recommendation assumes yes, because issue 512 asks whether it should be supported and existing tests already pin unbound owner behavior. If maintainers choose “no”, the implementation should delete owner fallback for unbound turns instead of adding execution mode.

SOLVER_DONE:structural:propose:typed channel admission decision plus NeedsLlmReplyEvent execution_mode:first-slice=gate-unbound-slash-skill-shortcuts-with-existing-init-prompt

⟦AI:AUTO-LOOP⟧

[loning]

🤖 Delete solver — issue 512 propose

TL;DR

• 这是什么: discussion: 未绑定 sender 是否应支持 owner-LLM 纯 chat #512 的可删对象是 identity-enabled channel 里的“未绑定 sender 走 bot-owner LLM”分支。
• 结论是什么: 建议删除该 fallback，复用现有 /init binding gate；不新增 admission enum / execution mode。
• controller 下一步: 采用 deletion slice 时只改 NyxidChat + tests + ADR/canon，同步删掉 pin 住 fallback 的测试。

---

详细说明

反向链路是：ChannelConversationTurnRunner.RunInboundAsync 在 normal text 上调用 TryResolveSenderBindingAsync，miss 或 lookup failure 会返回 null，然后 BuildLlmReplyRequestAsync 继续生成 NeedsLlmReplyEvent。后续 AgentRunGAgent / ConversationReplyGenerator 会执行 BuildTurnToolsAsync，注册 tool sources、use_skill，并允许 /daily / unknown slash 被改写成 Ornn skill prompt。也就是说当前“owner LLM 纯 chat”不是一个可验证边界，而是缺 sender binding 时继续走完整 tool-capable reply path。

删除判断：这个能力不是缺少抽象，而是和 ADR-0018、docs/canon/nyxid-llm-integration.md 的 current policy 相反。已有更简单抽象就是 /init gate：当 identity query port 已启用且 sender 未绑定时，normal text、/daily、unknown slash 都直接返回绑定提示；bound sender 继续带 SenderBinding 和短期 token 走 LLM。这样删除的是 fallback 分支和对应测试，不需要新 proto 字段，也不需要外部仓库改动。

slice	改动	结果
First slice	恢复 identity-enabled unbound normal turn 的 /init gate；unknown slash 和 /daily 未绑定时也 gate	no-new-abstraction，删除 fallback 语义
Later design slice	none	删除后不需要再设计 owner-pure-chat execution mode

---

📎 完整 codex 原始输出(存档备查)

---

solver: delete
issue: 512
cluster: issue-512-design
verdict: propose

Classification

(c) Replaceable with existing — 未绑定 sender 的 owner-LLM fallback 可以被现有 /init binding gate 取代；bound sender LLM 路径保留。

Recommended action

删除 identity-enabled channel 中“sender binding miss / lookup failure / token issuance failure 后继续 bot-owner LLM”的路径。调用方不要再把 null binding 解释成 owner pure chat，而是在 ChannelConversationTurnRunner 里复用现有 SendBindingPromptAsync。/daily 与 unknown slash 当前会被改写成 Ornn skill/tool prompt，未绑定时也必须走同一个 /init gate；bound sender 仍走现有 SenderBinding + SenderNyxIdAccessToken 路径。这样不引入 ChannelTurnAdmissionDecision、不改 NeedsLlmReplyEvent proto、不增加第二套 admission abstraction。

Concrete plan (if propose)

• Files to delete: none whole-file；删除方法/分支级代码：TryResolveSenderBindingAsync 的 fail-open fallback 语义、ResolvedSenderBinding? null means owner chat 分支、TryBuildSkillInvocationPrompt 在 unbound identity-enabled 路径上的可达性。
• Caller migrations:
  • ChannelConversationTurnRunner.RunInboundAsync normal text → replace TryResolveSenderBindingAsync with TryEnforceBindingGateAsync-style result: unbound returns SendBindingPromptAsync, bound returns binding context.
  • ChannelConversationTurnRunner.BuildLlmReplyRequestAsync → require bound ResolvedSenderBinding only when identity is enabled; legacy deployments without identity ports may keep existing bot-owner mode.
  • /daily and unknown slash prompt path → run after the binding gate, so unbound identity-enabled sender never reaches Ornn skill discovery.
  • ConversationReplyGenerator → delete owner retry for sender route failures in channel-bound path, or narrow it to non-identity legacy calls only; do not retry tool-capable sender turns with bot-owner credentials.
• Tests to delete: RunInboundAsync_ShouldRequestLlmReply_WhenUnboundPrivateSenderSendsNormalMessage, RunInboundAsync_ShouldRequestLlmReply_WhenUnboundGroupSenderSendsNormalMessage, unbound /daily and unknown slash Ornn assertions, GenerateReplyAsync_LeavesOwnerPrefsIntactWhenNoSenderBinding as a channel-behavior assertion. Replace with /init prompt tests and bound-sender tests.
• LOC delta: -140 estimated net. Rough shape: delete ~190 LOC fallback/tests/comments, add/change ~50 LOC gate assertions and doc sync.
• First slice: no-new-abstraction deletion/collapse slice — restore identity-enabled unbound /init gate for normal text, /daily, and unknown slash; keep legacy no-identity-port bot-owner behavior; update 4-6 focused tests.
• Later design slice: none. If owner-pure-chat is deleted, execution_mode and admission decision abstraction are unnecessary.

Reverse-evidence (why this is safe to delete)

• No public API breaks: git grep found the fallback surface in internal channel runtime/tests/docs comments; deletion does not remove a public proto field or REST route.
• No external repo dependency on the code: ../NyxID exists but this plan only uses current binding/token surfaces; ../chrono-storage and ../chrono-ornn are absent and untouched.
• Tests covering the path are themselves not load-bearing: they pin behavior introduced by commit 8001adfad (Restore owner LLM fallback for Lark users), while ADR-0018 and canon still say unbound sender must /init and must not fall back to bot-owner credential.
• Current fallback is not actually “pure chat”: ConversationReplyGenerator always builds ToolManager; /daily and unknown slash are explicitly transformed into use_skill / ornn_search_skills prompts before LLM execution.
• Existing simpler abstraction already exists: IExternalIdentityBindingQueryPort provides the read-model-backed binding fact, and SendBindingPromptAsync is already used for binding-required slash commands.

Risks

• If product intentionally wants zero-friction unbound Lark chat, deleting this removes that behavior for identity-enabled deployments.
• If some production bot currently relies on unbound /daily or unknown slash skill discovery, those users will now see /init first.
• If identity query infra has transient outage, fail-closed means fewer replies but avoids silently using bot-owner credentials for a sender-triggered turn.

Escalation triggers (if any)

• none

Reasoning trace (internal — for meta-judge)

• Why I claim this can be deleted: the only unique user-facing capability is “talk to bot owner LLM without binding”; it conflicts with accepted binding policy and cannot honestly guarantee no tools/capabilities without adding new execution-mode plumbing. Deleting it uses the existing /init gate and removes the need for new abstractions.
• What I checked to verify safety: issue discussion: 未绑定 sender 是否应支持 owner-LLM 纯 chat #512 body/comments, audit iter 290, CLAUDE deletion-first clause, rg call sites, tests pinning unbound owner behavior, git log -p -S showing commit 8001adfad replaced the prior binding gate, ADR-0018/canon wording, and sibling repo presence.
• What I cannot decide alone: whether product explicitly values unbound owner chat more than the binding invariant. If yes, delete solver should lose to structural; if no, this deletion slice is the smallest coherent fix.

SOLVER_DONE:delete:propose:delete identity-enabled unbound sender owner-LLM fallback and reuse existing /init binding gate:first-slice=restore-unbound-init-gate-for-normal-text-daily-and-unknown-slash

⟦AI:AUTO-LOOP⟧

[loning]

🤖 Meta-judge r1 redo — issue 512 split

TL;DR

• 这是什么: discussion: 未绑定 sender 是否应支持 owner-LLM 纯 chat #512 是未绑定 sender 的 channel admission / owner LLM 纯 chat policy, 不是其他 stream/RPC 议题。
• 现在到哪一步 / 结论是什么: minimal 与 structural 同向, 但 delete abstain, 未达到 3/3 consensus, 所以裁决 split。
• controller 下一步: 先开 implement 子 issue 落 no-new-core first slice, 再开 design-pending 子 issue 处理 typed admission 与 ADR/canon 同步。

---

详细说明

本轮只仲裁 #512 的真实主题: 是否允许未绑定 sender 使用 bot-owner LLM 做纯文本 chat, 以及一旦进入 slash skill、tool、NyxID/aevatar capability、sender prefs 或 stateful path 是否必须 /init。minimal 与 structural 都接受 two-tier framing: unbound sender 可保留 owner LLM text-only continuity, 但 unknown slash 与 /daily/skill discovery 等 capability shortcut 必须 gate 到 /init, owner-pure-chat 路径也不能加载或执行 tools。

没有判 consensus, 因为角色规则要求 3/3 propose, 而 delete 日志输出 broken 并按本次 redo 指令视为 abstain。也没有升级给 human, 因为两个有效 solver 都给出可独立实施的 no-new-core first slice, 且该 first slice 不新增 actor type、envelope kind、pipeline phase, 不改 proto, 不改 docs/canon/*。

路线	裁决	原因
First slice	进入 implement	ChannelConversationTurnRunner gate unbound unknown slash//daily 到 /init; ConversationReplyGenerator 禁 unbound owner fallback tools; 补 focused tests
Later slice	进入 design-pending	ChannelTurnAdmissionDecision + NeedsLlmReplyEvent.execution_mode + ADR/canon 同步需要单独设计确认
Delete	abstain	delete r1 输出 broken, 没有形成删除方案

---

📎 完整 codex 原始输出(存档备查)

---
issue: 512
cluster: issue-512-design
convergence_round: 1
solver_verdicts:
  minimal: propose
  structural: propose
  delete: abstain
decision: split
---

## Decision
#512 的真实议题是 channel turn admission: 未绑定 sender 是否允许走 bot-owner LLM 纯 chat, 以及 slash / tool / capability / sender state 路径是否必须先 `/init`。minimal 与 structural 都确认当前 drift 真实存在, 并同向接受 two-tier framing: unbound sender 可以保留 owner LLM text-only continuity, 但 unknown slash、`/daily`/skill discovery、tool call、NyxID/aevatar capability、sender prefs 与任何 stateful path 必须 fail closed 到 `/init`。

不能按 consensus 落整包: 本轮不是 3/3 propose, delete 输出 broken 且按本次 redo 指令视为 abstain。也不需要 human escalation: 两个有效 solver 都给出 no-new-core first slice, 且 first slice 不新增 actor type、envelope kind、pipeline phase, 不改 `docs/canon/*`, 不触发 hardcoded escalation。按 split branch 先切出可独立实施的窄 slice, 后续再处理 typed admission contract 与 ADR/canon 同步。

## If split
- First slice: no-new-core implementation. In `ChannelConversationTurnRunner`, gate unbound `/daily` and unknown slash skill-discovery paths to the existing `/init` binding prompt while keeping bound sender unknown slash routed to Ornn skill discovery. In `ConversationReplyGenerator`, ensure unbound/no-sender-token owner fallback is text-only by disabling tool registration/execution for that path. Add focused tests in `ChannelConversationTurnRunnerTests` and `ConversationReplyGeneratorTests` for unbound slash -> `/init`, bound slash -> skill discovery, and owner-pure-chat -> no tools/no sender prefs.
- Later slice: design-pending structural contract. Add typed `ChannelTurnAdmissionDecision` / admission mode and `NeedsLlmReplyEvent.execution_mode` so owner-pure-chat vs bound-sender-capability becomes an explicit proto-backed execution invariant; then update ADR/canon docs to supersede the conflicting ADR-0018 wording and document the two-tier policy.
- Controller route: close current issue + open 2 sub-issues; first enters implement, later enters design-pending
- Hardcoded trigger check: first slice does not add actor type, envelope kind, pipeline phase, proto field, or docs/canon vocabulary changes. The later slice may touch proto and ADR/canon and should stay design-pending until that contract is accepted.

## Round audit trail
- solver-minimal: `propose`; recommends two-tier owner pure chat with tool and unknown slash gates. First slice: `disable-unbound-tools-and-gate-unknown-slash`. Cost estimate ~+140 / -35 LOC across runner, generator, and tests.
- solver-structural: `propose`; recommends typed channel admission decision plus `NeedsLlmReplyEvent.execution_mode`. First slice: `gate-unbound-slash-skill-shortcuts-with-existing-init-prompt`. Later slice carries typed execution mode and docs sync.
- solver-delete: `abstain`; r1 log output is broken and restates structural framing, so per redo instruction it is not counted as a deletion proposal.

META_JUDGE_DONE:split:disable-unbound-tools-and-gate-unknown-slash-to-init:typed-channel-admission-decision-and-execution-mode-plus-adr-canon-sync

⟦AI:AUTO-LOOP⟧

[loning]

✅ 共识卡片 — Phase 9 r1 split(redo,scope 修正后)

| Solver | minimal:propose · structural:propose · delete:role-confused→视为 abstain |
| Judge(redo)| split:disable-unbound-tools-and-gate-unknown-slash-to-init:typed-channel-admission-decision-and-execution-mode-plus-adr-canon-sync |

🤖 controller consensus card

⟦AI:AUTO-LOOP⟧