Skip to content

[codex] Add session-scoped backup layout#139

Merged
guima-why merged 1 commit into
mainfrom
codex/fix-permission-audit-log
Jul 4, 2026
Merged

[codex] Add session-scoped backup layout#139
guima-why merged 1 commit into
mainfrom
codex/fix-permission-audit-log

Conversation

@guima-why

Copy link
Copy Markdown
Collaborator

Summary

This PR adds a session-scoped backup layout for durable iac-code runtime state. It consolidates session-owned artifacts under the v2 session directory and mirrors recoverable session state into IAC_CODE_CONFIG_BACKUP_DIR at explicit key points, while keeping global credentials, settings, telemetry, logs, and shared A2A indexes out of the session backup path.

Motivation

Pipeline, A2A, ACP, headless, and REPL flows can produce recoverable state in several places: transcripts, usage files, permission audit logs, tool results, image caches, pipeline sidecars, A2A snapshots, and artifacts. When the config directory is backed by a slow or remote filesystem, continuously writing everything to that mount is expensive. The new design keeps the active config local and copies only session-owned recoverable data to the configured backup directory at important durability boundaries.

What Changed

  • Added v2 session layout helpers for resolving canonical session directories and session-owned subpaths.
  • Added SessionBackupService to mirror recoverable session state into IAC_CODE_CONFIG_BACKUP_DIR.
  • Added safe mirror behavior:
    • no-follow checks for critical files and session-owned directories
    • rejection of unsafe symlink/reparse entries inside mirrored session trees
    • support for symlinked configured backup roots after resolving the real root
    • exclusion of local-only backup state files and hidden lock files from backup mirrors
    • stale destination cleanup for files that no longer exist in the active session
  • Moved session-owned runtime state under the session directory where appropriate, including image cache, tool results, A2A artifacts/snapshots, pipeline A2A metadata, usage, and permission-audit files.
  • Added backup trigger integration for REPL, headless, ACP, A2A, and pipeline flows.
  • Added critical pipeline/A2A backup handling so input-required, waiting-input, handoff, terminal, and selected pipeline checkpoints are not published as durable until backup succeeds or enters a recoverable blocked state.
  • Preserved compatibility with existing legacy session files and older metadata-only sessions.
  • Added/updated website documentation for the session backup config and runtime behavior across supported locales.
  • Added broad unit/integration coverage for layout resolution, backup safety, A2A recovery paths, pipeline state persistence, REPL/headless/ACP behavior, and permission/trusted-root interactions.

Compatibility and Safety Notes

  • Existing legacy session layouts continue to load through the old paths.
  • New sessions use the v2 metadata-backed session directory layout.
  • Global files such as settings.yml, .credentials.yml, .cloud-credentials.yml, logs, telemetry, and shared A2A task/context indexes are not mirrored by session backup.
  • Session backup is incremental/key-point based, not continuous syncing.
  • Critical backup failures are modeled as recoverable persistence issues rather than ordinary pipeline failures.
  • The branch is intentionally kept as a single commit.

Validation

Ran the full requested local validation sequence:

make format
make lint
make translate
make test

Results:

  • make format: completed successfully
  • make lint: ruff and ty passed
  • make translate: extraction, update, and compile passed for zh/es/fr/de/ja/pt
  • make test: 7845 passed, 1 skipped, 307 warnings

@guima-why guima-why force-pushed the codex/fix-permission-audit-log branch from 5f2e735 to c9d4b7d Compare July 4, 2026 05:40
- add session-scoped backup mirroring for pipeline, A2A, and REPL state
- harden recovery paths and trusted read/session-owned directories
- add real backup validation guide, translations, and coverage
@guima-why guima-why force-pushed the codex/fix-permission-audit-log branch from c9d4b7d to be65166 Compare July 4, 2026 05:53
@guima-why guima-why merged commit 06e50aa into main Jul 4, 2026
15 checks passed
@guima-why guima-why deleted the codex/fix-permission-audit-log branch July 4, 2026 06:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant