refactor: rename spaces to channels

[pedronauck]

Summary by CodeRabbit

• New Features

  • Added full "bridge" management: REST endpoints (/api/bridges), CLI commands (bridge ...), test-delivery, route listing, and lifecycle actions (enable/disable/restart).

• Refactor

  • Replaced the "channel" domain with "bridge" across API, runtime, CLI and docs.
  • Renamed network "spaces" to "channels" in session/network payloads, CLI flags, and observability outputs.

• Bug Fixes

  • Network-terminal command allowlist updated to include the "channels" command name.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (4)

• .agh/memory/MEMORY.md is excluded by !**/*.md
• .agh/memory/agh-network-foundation.md is excluded by !**/*.md
• .agh/memory/agh-network-safety.md is excluded by !**/*.md
• .audits/architectural-analysis-2026-04-10-automation-techspec-review.md is excluded by !**/*.md

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 65aaa162-f9ba-4cf7-ab15-0d1f893f6a7e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

This PR renames the "channels" domain to "bridges", replaces network/session "space" with "channel", adds a full bridges domain implementation (models, registry, broker, runtime), replaces handlers/HTTP/UDS/CLI/contracts/tests to bridges, and updates many tests and wiring. Also changes ACP terminal allowlist: spaces → channels.

Changes

Cohort / File(s)	Summary
API Contracts — Bridges internal/api/contract/bridges.go, internal/api/contract/bridges_test.go	Added bridge DTOs, validators/converters, delivery-test types, health/response wrappers; tests converted from channel → bridge semantics.
API Contracts — Removed Channels internal/api/contract/channels.go	Deleted channel contract types and converters.
Core Handlers — Bridges internal/api/core/bridges.go, internal/api/core/bridges_test.go, internal/api/core/interfaces.go, internal/api/core/errors.go, internal/api/core/conversions.go	Added BaseHandlers bridge endpoints, lifecycle transitions, health enrichment and bridge-specific interfaces; substituted channel error mapping and conversions to bridge variants.
Core Handlers — Removed Channels internal/api/core/channels.go, internal/api/core/channels_test.go	Removed channel HTTP handlers, helpers and their tests.
Network / Session renames internal/api/contract/contract.go, internal/api/core/network.go, internal/api/core/handlers.go, internal/api/core/conversions_parsers_test.go	Replaced Session/Network DTO fields and query params Space → Channel; NetworkSpaces → NetworkChannels and related tests.
HTTP API routing & server wiring internal/api/httpapi/routes.go, internal/api/httpapi/handlers.go, internal/api/httpapi/server.go, internal/api/httpapi/bridges_test.go, internal/api/httpapi/bridges_integration_test.go	Rewired REST from /api/channels → /api/bridges, updated handler wiring, added bridge HTTP tests and integration tests.
HTTP API — Removed channel tests internal/api/httpapi/channels_test.go, internal/api/httpapi/channels_integration_test.go	Deleted channel-focused HTTP tests.
UDS API — Bridges internal/api/udsapi/bridges_test.go, internal/api/udsapi/bridges_integration_test.go, internal/api/udsapi/routes.go, internal/api/udsapi/server.go	Added UDS bridge tests, route wiring, and server option changes to accept BridgeService.
UDS API — Removed channels internal/api/udsapi/channels_test.go, internal/api/udsapi/channels_integration_test.go	Removed UDS channel tests.
OpenAPI / Spec updates internal/api/spec/spec.go, internal/api/spec/spec_test.go	Replaced channel endpoints/enums with bridge equivalents in OpenAPI spec and tests.
Test utilities & stubs internal/api/testutil/apitest.go, internal/api/httpapi/helpers_test.go, internal/api/udsapi/helpers_test.go	Renamed stubs (StubChannelService → StubBridgeService), updated Observer/NetworkService stubs to bridge types and query param rename.
Domain: Bridges (new) internal/bridges/* (doc.go, types.go, lifecycle.go, routing.go, target.go, registry.go, delivery_*.go, dimensions.go, tests)	Introduced bridges package: models, errors, statuses, routing, delivery types, registry service/store interfaces, lifecycle validation, broker and delivery metrics, and tests.
Domain: Removed Channels internal/channels/doc.go, internal/channels/registry.go	Deleted old channels package doc and registry implementation.
Daemon: Bridge runtime & boot internal/daemon/bridges.go, internal/daemon/bridges_test.go, internal/daemon/boot.go, internal/daemon/daemon.go, internal/daemon/daemon_integration_test.go	Added bridge runtime (lifecycle, secret resolution, extension reload/rollback), wired into boot and daemon composition; tests updated.
Daemon: Removed Channel runtime internal/daemon/channels.go	Removed channel runtime implementation.
Extension: Bridge delivery & host API internal/extension/bridge_delivery_notifier.go, internal/extension/bridge_delivery_notifier_test.go, internal/extension/bridge_delivery_integration_test.go, internal/extension/contract/*, internal/extension/capability.go, internal/extension/contract/sdk.go	Replaced channel delivery notifier, host API methods and SDK root types with bridge equivalents; updated capability → host API mappings.
CLI: Bridge commands & client internal/cli/bridge.go, internal/cli/bridge_test.go, internal/cli/client.go, internal/cli/client_test.go, internal/cli/helpers_test.go	Added bridge CLI surface and tests; DaemonClient interface and client helpers now target bridges; tests updated.
CLI: Removed channel tests/commands internal/cli/channel_test.go	Removed legacy channel CLI tests.
CLI: Network/Session renames internal/cli/network.go, internal/cli/network_test.go, internal/cli/network_client_test.go, internal/cli/session.go, internal/cli/session_test.go	Replaced spaces with channels in network commands, session flags/outputs, and tests.
Config: default network key rename internal/config/config.go, internal/config/config_test.go, internal/config/merge.go, internal/config/merge_test.go	Renamed NetworkConfig.DefaultSpace → DefaultChannel and TOML key default_space → default_channel; validation and tests updated.
ACP handler small change internal/acp/handlers.go	Adjusted isAllowedNetworkTerminalArgv allowlist: replaced spaces with channels for argv[2].
Misc: test/handler wiring & helper tweaks many *_test.go and helpers across packages	Numerous test updates for channel→bridge renames and space→channel query/body keys; added mustMarkFlagRequired helper and used it in flag setup.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant HTTP_API as HTTP API (handlers)
  participant Core as core.BaseHandlers
  participant Registry as Bridge Registry
  participant Runtime as Bridge Runtime
  participant Broker as Bridge Broker
  Client->>HTTP_API: POST /api/bridges {create payload}
  HTTP_API->>Core: bind JSON -> ToCreateInstanceRequest()
  Core->>Registry: CreateInstance(ctx, req)
  Registry-->>Core: persisted BridgeInstance
  Core->>Runtime: StartInstance (if enabled) / reload extensions
  Runtime->>Broker: attach runtime / Broker()
  Runtime-->>Core: started (or error + rollback)
  Core->>HTTP_API: assemble BridgeResponse (health lookup)
  HTTP_API-->>Client: 201 Created {BridgeResponse}

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• feat: add channels #14: Introduced the original "channels" domain; this PR systematically replaces that domain with "bridges" (contracts, handlers, registry, daemon/runtime, delivery).
• feat: add network implementation #15: Small change to isAllowedNetworkTerminalArgv allowlist (replacing "spaces" with "channels"); touches the same ACP handler file updated here.

[coderabbitai]

Actionable comments posted: 8

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (11)

internal/api/udsapi/network_test.go (1)

56-87: ⚠️ Potential issue | 🟡 Minor

Assert the renamed channel field end-to-end.

This test now sends and returns channel, but it never checks that the handler actually preserves that field. It would still pass if channel were dropped while workflow metadata remained intact.

Suggested test tightening

 	if string(seenRequest.Ext["agh.workflow_id"]) != `"wf-1"` || string(seenRequest.Ext["agh.handoff_version"]) != `3` {
 		t.Fatalf("seenRequest.Ext = %#v, want preserved workflow metadata", seenRequest.Ext)
 	}
+	if seenRequest.Channel != "builders" {
+		t.Fatalf("seenRequest.Channel = %q, want %q", seenRequest.Channel, "builders")
+	}
 
 	inboxResp := performRequest(t, engine, http.MethodGet, "/api/network/inbox?session_id=sess-a", nil)
 	if inboxResp.Code != http.StatusOK {
 		t.Fatalf("inbox status = %d, want %d", inboxResp.Code, http.StatusOK)
 	}
-	if !strings.Contains(inboxResp.Body.String(), `"agh.workflow_id":"wf-1"`) || !strings.Contains(inboxResp.Body.String(), `"agh.handoff_version":3`) {
+	if !strings.Contains(inboxResp.Body.String(), `"channel":"builders"`) ||
+		!strings.Contains(inboxResp.Body.String(), `"agh.workflow_id":"wf-1"`) ||
+		!strings.Contains(inboxResp.Body.String(), `"agh.handoff_version":3`) {
 		t.Fatalf("inbox body = %s, want workflow metadata", inboxResp.Body.String())
 	}

As per coding guidelines, Ensure tests can fail when business logic changes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/api/udsapi/network_test.go` around lines 56 - 87, The test currently
doesn't assert that the "channel" field is preserved end-to-end; add assertions
that the outgoing send request's channel is preserved (e.g., check
seenRequest.Channel == "builders" after performRequest for /api/network/send)
and that the inbox response contains the channel (e.g., assert inboxResp.Body
contains `"channel":"builders"`), so the test fails if the handler drops or
renames the channel field; locate checks around sendResp, seenRequest, inboxResp
in network_test.go and add these two assertions.

internal/extension/capability_test.go (1)

57-120: ⚠️ Potential issue | 🟡 Minor

Add coverage for bridges/instances/report_state.

The production map now includes bridges/instances/report_state -> bridge.write, but this table only exercises bridges/instances/get and bridges/messages/ingest. A regression in the state-reporting gate would go uncaught.

Suggested table entry

 		{
 			name:     "allows bridge read method with matching grant",
 			actions:  []string{"bridges/instances/get"},
 			security: []string{"bridge.read"},
 			method:   "bridges/instances/get",
 		},
+		{
+			name:     "ShouldAllowBridgeStateReportWithWriteGrant",
+			actions:  []string{"bridges/instances/report_state"},
+			security: []string{"bridge.write"},
+			method:   "bridges/instances/report_state",
+		},
 		{
 			name:         "fails when action grant is missing",
 			actions:      nil,
 			security:     []string{"session.read"},
 			method:       "sessions/list",

As per coding guidelines, Ensure tests can fail when business logic changes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/extension/capability_test.go` around lines 57 - 120, Add a test case
to TestCapabilityCheckerCheckHostAPIShouldEnforceDualGates that covers the new
mapping for "bridges/instances/report_state" -> "bridge.write": include an entry
where method is "bridges/instances/report_state" and assert failure when actions
do not include the required action or when security lacks "bridge.write" (set
wantRequired to []string{"bridge.write"} and wantGranted accordingly), plus a
passing case where actions include "bridges/instances/report_state" and security
includes "bridge.write"; use the existing test table pattern to add both
scenarios so regressions in the state-reporting gate are caught.

internal/cli/session_test.go (1)

547-569: ⚠️ Potential issue | 🟡 Minor

Assert the rendered channel label, not only the value.

Both assertions still pass if the UI keeps printing space and only the value remains builders. That misses the actual terminology change this PR is making.

Suggested assertion update

-	if !strings.Contains(human, "sess-1") || !strings.Contains(human, "/workspace/project") || !strings.Contains(human, "builders") {
+	if !strings.Contains(human, "sess-1") ||
+		!strings.Contains(human, "/workspace/project") ||
+		!strings.Contains(strings.ToLower(human), "channel") ||
+		!strings.Contains(human, "builders") {
 		t.Fatalf("sessionListBundle().human() = %q, want session, workspace, and channel output", human)
 	}
@@
-	if !strings.Contains(toon, "sessions") || !strings.Contains(toon, "sess-1") || !strings.Contains(toon, "builders") {
+	if !strings.Contains(toon, "sessions") ||
+		!strings.Contains(toon, "sess-1") ||
+		!strings.Contains(strings.ToLower(toon), "channel") ||
+		!strings.Contains(toon, "builders") {
 		t.Fatalf("sessionListBundle().toon() = %q, want sessions array output with channel", toon)
 	}

As per coding guidelines, Ensure tests can fail when business logic changes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/cli/session_test.go` around lines 547 - 569, Update the test
assertions in session_test.go that check bundle.human() and bundle.toon() to
assert the rendered channel label as well as the value: in the human() checks,
ensure you assert strings.Contains(human, "<channel label>") (e.g. "Channel" or
the exact label used by sessionListBundle.human()) in addition to
strings.Contains(human, "builders"); and similarly in the toon() checks assert
strings.Contains(toon, "<channel label>") plus strings.Contains(toon,
"builders"). Locate the assertions around the human, err := bundle.human() and
toon, err := bundle.toon() blocks and update the strings.Contains conditions
(used in those t.Fatalf checks) to include the channel label check so the test
fails if the label text changes.

internal/cli/network_client_test.go (1)

32-40: ⚠️ Potential issue | 🟡 Minor

Assert the renamed channel field in the send payload.

This mock only checks the extension metadata, so the test still passes if NetworkSend serializes the old space key or drops the channel entirely. That leaves the main contract rename unguarded.

Suggested assertion

-					if !strings.Contains(string(body), `"agh.workflow_id":"wf-1"`) || !strings.Contains(string(body), `"agh.handoff_version":3`) {
+					if !strings.Contains(string(body), `"channel":"builders"`) ||
+						!strings.Contains(string(body), `"agh.workflow_id":"wf-1"`) ||
+						!strings.Contains(string(body), `"agh.handoff_version":3`) {
 						t.Fatalf("network send body = %s, want ext metadata", body)
 					}

As per coding guidelines, "Ensure tests verify behavior outcomes, not just function calls".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/cli/network_client_test.go` around lines 32 - 40, The test's mock
handler in network_client_test.go only asserts ext metadata but not the renamed
channel field, so update the handler inside the case for req.Method ==
http.MethodPost && req.URL.Path == "/api/network/send" to also assert that the
serialized send payload contains the renamed channel key (e.g., that the request
body includes `"channel":"builders"` or otherwise parse the JSON and verify the
"channel" field equals "builders"); this ensures NetworkSend (and not an old
"space" key) is being used—locate the request handling block in the test and add
the channel assertion alongside the existing ext metadata checks.

internal/cli/network.go (2)

350-384: ⚠️ Potential issue | 🟡 Minor

Add Channel to the human inbox table.

The machine-readable output now includes channel, but the default human table still omits it. For sessions receiving messages from multiple channels, the CLI view becomes ambiguous.

💡 Suggested fix

 	return listBundle(
 		messages,
 		messages,
 		"Network Inbox",
-		[]string{"ID", "Kind", "From", "To", "Reply To", "Trace", "Workflow", "Handoff"},
+		[]string{"ID", "Kind", "Channel", "From", "To", "Reply To", "Trace", "Workflow", "Handoff"},
 		"network_inbox",
 		[]string{"id", "kind", "channel", "from", "to", "reply_to", "trace_id", "causation_id", "workflow_id", "handoff_version", "expires_at"},
 		func(message NetworkEnvelopeRecord) []string {
 			return []string{
 				stringOrDash(message.ID),
 				stringOrDash(message.Kind),
+				stringOrDash(message.Channel),
 				stringOrDash(message.From),
 				stringOrDash(optionalString(message.To)),
 				stringOrDash(optionalString(message.ReplyTo)),
 				stringOrDash(optionalString(message.TraceID)),
 				stringOrDash(networkExtString(message.Ext, "agh.workflow_id")),

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/cli/network.go` around lines 350 - 384, The human-readable network
inbox table in networkInboxBundle omits the Channel column; update the header
slice to include "Channel" (e.g., "ID", "Kind", "Channel", "From", "To", "Reply
To", "Trace", "Workflow", "Handoff") and insert the corresponding value in the
human row formatter (the first func(message NetworkEnvelopeRecord) []string) by
adding stringOrDash(message.Channel) in the matching position so the human table
columns align with the machine-readable fields generated by the second
formatter.

---

150-165: ⚠️ Potential issue | 🟡 Minor

Handle MarkFlagRequired errors instead of discarding them.

Lines 162–165 discard the error return value with _ =, violating the guideline "Never ignore errors with _ — every error must be handled or have a written justification". If a flag name is misspelled or renamed, the error check silently fails at setup time. Either check and propagate the error, or add a comment explaining why it is safe to ignore.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/cli/network.go` around lines 150 - 165, The calls to
cmd.MarkFlagRequired("session"/"channel"/"kind"/"body") currently ignore
returned errors; update the code around the cmd.MarkFlagRequired invocations to
capture the error (e.g., err := cmd.MarkFlagRequired(...)) and handle it instead
of using `_ =`, by returning the error from the enclosing function or logging
and exiting (use processLogger/fmt.Errorf/cli.Errorf or return err) so flag
registration failures don't go unnoticed; specifically modify each
cmd.MarkFlagRequired call in the network command setup to check err and
propagate or handle it for the "session", "channel", "kind", and "body" flags.

internal/api/core/network_test.go (1)

27-57: ⚠️ Potential issue | 🟡 Minor

Assert the renamed Channels/Channel fields explicitly.

These fixtures now populate the renamed fields, but the assertions only check neighboring data. The suite would still pass if the mapper dropped Channels or if /network/channels forgot to emit the channel name.

💡 Suggested fix

-		if payload == nil || payload.MessagesDelivered != 3 || len(payload.KindMetrics) != 1 || payload.KindMetrics[0].Kind != string(network.KindSay) {
+		if payload == nil || payload.Channels != 1 || payload.MessagesDelivered != 3 || len(payload.KindMetrics) != 1 || payload.KindMetrics[0].Kind != string(network.KindSay) {
 			t.Fatalf("NetworkStatusPayloadFromStatus() = %#v", payload)
 		}

-		if statusPayload.Network.QueuedMessages != 2 || len(statusPayload.Network.KindMetrics) != 1 {
+		if statusPayload.Network.Channels != 1 || statusPayload.Network.QueuedMessages != 2 || len(statusPayload.Network.KindMetrics) != 1 {
 			t.Fatalf("status payload = %#v", statusPayload.Network)
 		}

-		if len(channelsPayload.Channels) != 1 || channelsPayload.Channels[0].PeerCount != 2 {
+		if len(channelsPayload.Channels) != 1 || channelsPayload.Channels[0].Channel != "builders" || channelsPayload.Channels[0].PeerCount != 2 {
 			t.Fatalf("channels payload = %#v", channelsPayload.Channels)
 		}

As per coding guidelines, "Focus on critical paths: workflow execution, state management, error handling" and "Ensure tests verify behavior outcomes, not just function calls".

Also applies to: 150-203, 246-278

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/api/core/network_test.go` around lines 27 - 57, The test fails to
explicitly assert the renamed channel fields: update the
NetworkStatusPayloadFromStatus test to assert that the mapped channel count
matches the source (check payload.Channels equals status.Channels) and also
assert the channel identity is emitted (if the payload exposes a single channel
field like payload.Channel or a slice of channel entries, assert it's non-empty
and contains the expected name); modify the assertions around
core.NetworkStatusPayloadFromStatus, referencing NetworkStatus.Channels and the
payload's Channels/Channel (or ChannelName) field(s) so the test will fail if
channel data is dropped or not emitted.

internal/cli/bridge.go (1)

539-556: ⚠️ Potential issue | 🟡 Minor

Enforce the advertised object|null contract for delivery defaults.

json.Valid only checks syntax, so values like "text", 123, or [] currently pass even though the flag help says this field must be a JSON object or null. When these invalid types reach downstream code, they are silently ignored during unmarshaling into the deliveryTargetDefaults struct, making it easy to persist or send a bridge configuration that behaves unexpectedly.

Suggested fix

 func parseRequiredBridgeJSON(raw string) (*json.RawMessage, error) {
 	trimmed := strings.TrimSpace(raw)
 	if trimmed == "" {
 		return nil, errors.New("cli: delivery defaults must be valid JSON; use null to clear")
 	}
-	if !json.Valid([]byte(trimmed)) {
+	var decoded any
+	if err := json.Unmarshal([]byte(trimmed), &decoded); err != nil {
 		return nil, errors.New("cli: delivery defaults must be valid JSON")
 	}
+	switch decoded.(type) {
+	case nil, map[string]any:
+	default:
+		return nil, errors.New("cli: delivery defaults must be a JSON object or null")
+	}
 	value := json.RawMessage(trimmed)
 	return &value, nil
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/cli/bridge.go` around lines 539 - 556, The parsing currently only
checks JSON syntax, allowing non-object values; update parseRequiredBridgeJSON
(and by extension parseOptionalBridgeJSON which delegates to it) to reject any
JSON that is not either an object or null: after json.Valid, json.Unmarshal the
trimmed string into an interface{} and ensure the resulting value is either nil
(for "null") or a map[string]interface{} (a JSON object); if not, return an
error like "cli: delivery defaults must be a JSON object or null". Ensure
parseOptionalBridgeJSON still returns nil for empty input and that
parseRequiredBridgeJSON returns a json.RawMessage for valid object or "null".

internal/cli/cli_integration_test.go (1)

1406-1475: ⚠️ Potential issue | 🟡 Minor

Wire bridgeService into the observer too.

This harness now passes bridgeService into UDS, but the observer in Run is still built without observe.WithBridgeSource(bridgeService). That leaves CLI integration running against a partially migrated daemon and can miss bridge-status/health regressions.

🧪 Suggested alignment with production wiring

-	observer, err := observe.New(
+	bridgeService := newIntegrationBridgeService(registry)
+	observer, err := observe.New(
 		context.Background(),
 		observe.WithHomePaths(d.homePaths),
 		observe.WithRegistry(registry),
 		observe.WithSessionSource(manager),
+		observe.WithBridgeSource(bridgeService),
 		observe.WithLogger(discardLogger()),
 		observe.WithStartTime(d.startedAt),
 	)
@@
-	bridgeService := newIntegrationBridgeService(registry)
 	dreamTrigger := &integrationDreamTrigger{

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/cli/cli_integration_test.go` around lines 1406 - 1475, Observer is
constructed without the bridgeService, so add
observe.WithBridgeSource(bridgeService) to the observer options where the
observer is created (so the observer passed into udsapi.New includes the bridge
source); locate the observer construction (the observe.New/observe.Options call
used in Run) and include observe.WithBridgeSource(bridgeService) among its
options to mirror production wiring and ensure bridge status/health is observed.

internal/daemon/boot.go (1)

583-597: ⚠️ Potential issue | 🟠 Major

Delay publishing the bridge-backed extension runtime until Start succeeds.

state.bridges.setExtensionRuntime(manager) and state.setExtensionRuntime(manager) happen before manager.Start(ctx), but a start failure is explicitly non-fatal here. That leaves bridge deliveries and state.deps.Extensions pointing at a manager that never finished starting.

🛠️ Suggested fix

-	if state.bridges != nil {
-		state.bridges.setExtensionRuntime(manager)
-	}
-	state.setExtensionRuntime(manager)
-	state.deps.Extensions = newDaemonExtensionService(extRegistry, manager, state.hooks, state.logger, d.now)
 	cleanup.add(func(ctx context.Context) error {
 		return manager.Stop(ctx)
 	})

 	if err := manager.Start(ctx); err != nil {
 		state.logger.Error("daemon: extension manager start failed; continuing without blocking boot", "error", err)
+		return nil
+	}
+	if state.bridges != nil {
+		state.bridges.setExtensionRuntime(manager)
 	}
+	state.setExtensionRuntime(manager)
+	state.deps.Extensions = newDaemonExtensionService(extRegistry, manager, state.hooks, state.logger, d.now)
 	if state.hooks != nil {
 		if err := state.hooks.Rebuild(ctx); err != nil {
 			state.logger.Error("daemon: rebuild hooks after extension boot failed; continuing without extension hooks", "error", err)
 		}
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/daemon/boot.go` around lines 583 - 597, Currently the extension
runtime (state.bridges.setExtensionRuntime and state.setExtensionRuntime) and
state.deps.Extensions = newDaemonExtensionService(...) are assigned before
manager.Start(ctx), which can fail and leave bridges/deps pointing at a
non-started manager; change the flow so you only call
state.bridges.setExtensionRuntime(manager), state.setExtensionRuntime(manager)
and assign state.deps.Extensions after manager.Start(ctx) returns nil; always
still register the manager.Stop cleanup via cleanup.add(func(ctx
context.Context) error { return manager.Stop(ctx) }) before Start so Stop is
guaranteed, but if manager.Start returns an error log it (as now) and do not set
the bridge/runtime or deps to the failed manager.

internal/bridges/delivery_types.go (1)

80-95: ⚠️ Potential issue | 🟡 Minor

Reject snapshots on non-resume requests.

The contract comment says Snapshot is recovery-only state, but Validate() only enforces the resume -> snapshot direction. A start/delta/final/error request with a non-nil snapshot still passes validation, which makes the wire format ambiguous and allows stale recovery state to leak into normal deliveries.

Suggested fix

 func (r DeliveryRequest) Validate() error {
+	eventType := normalizeDeliveryEventType(r.Event.EventType)
 	if err := r.Event.Validate(); err != nil {
 		return err
 	}
 	if r.Snapshot == nil {
-		if normalizeDeliveryEventType(r.Event.EventType) == DeliveryEventTypeResume {
+		if eventType == DeliveryEventTypeResume {
 			return errors.New("bridges: resume delivery request requires a snapshot")
 		}
 		return nil
 	}
+	if eventType != DeliveryEventTypeResume {
+		return errors.New("bridges: only resume delivery requests may include a snapshot")
+	}
 
 	if err := r.Snapshot.Validate(); err != nil {
 		return err
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/bridges/delivery_types.go` around lines 80 - 95, The validation
currently only enforces that resume events require a Snapshot but does not
reject snapshots on non-resume events; update the Validate logic in the delivery
request type (the block that checks r.Snapshot and calls
normalizeDeliveryEventType and compares to DeliveryEventTypeResume) to return an
error when r.Snapshot is non-nil and
normalizeDeliveryEventType(r.Event.EventType) is NOT DeliveryEventTypeResume
(i.e., reject snapshots on start/delta/final/error), while keeping the existing
resume->snapshot checks (call to r.Snapshot.Validate() and matching of
r.Snapshot.DeliveryID and r.Snapshot.BridgeInstanceID to r.Event.DeliveryID /
r.Event.BridgeInstanceID) intact.

🧹 Nitpick comments (7)

internal/api/core/handlers_test.go (1)

306-307: Add an explicit assertion for payload.Daemon.Network.Channels.

The fixture now sets Channels, but the response assertion block doesn’t verify it yet.

Suggested patch

 	if got, want := payload.Daemon.Network.RemotePeers, 2; got != want {
 		t.Fatalf("daemon network remote peers = %d, want %d", got, want)
 	}
+	if got, want := payload.Daemon.Network.Channels, 3; got != want {
+		t.Fatalf("daemon network channels = %d, want %d", got, want)
+	}
 	if strings.Contains(strings.ToLower(resp.Body.String()), "token") {
 		t.Fatalf("daemon status leaked credentials: %s", resp.Body.String())
 	}

As per coding guidelines, "MUST test meaningful business logic, not trivial operations."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/api/core/handlers_test.go` around lines 306 - 307, The test
currently sets payload.Daemon.Network.Channels but never asserts it; add an
explicit assertion in the response assertion block to verify
payload.Daemon.Network.Channels equals the expected value (3) using the same
assertion style used elsewhere in handlers_test.go (e.g., the existing
response/assert helpers or testify/require calls) so the test validates the
meaningful business logic for the Daemon.Network.Channels field.

internal/cli/session.go (1)

40-40: Consider keeping a deprecated --space alias for CLI compatibility.

Line 76 introduces a hard flag rename, which can break existing automation scripts. A short deprecation window would reduce churn.

Proposed backward-compatible flag transition

 func newSessionCreateCommand(deps commandDeps) *cobra.Command {
 	var (
 		agentName    string
 		cwd          string
 		name         string
 		channel      string
+		space        string
 		workspaceRef string
 	)
@@
-			created, err := client.CreateSession(cmd.Context(), CreateSessionRequest{
+			selectedChannel := strings.TrimSpace(channel)
+			if selectedChannel == "" {
+				selectedChannel = strings.TrimSpace(space)
+			}
+			created, err := client.CreateSession(cmd.Context(), CreateSessionRequest{
 				AgentName:     agentName,
 				Name:          name,
 				Workspace:     workspace,
 				WorkspacePath: workspacePath,
-				Channel:       strings.TrimSpace(channel),
+				Channel:       selectedChannel,
 			})
@@
 	cmd.Flags().StringVar(&name, "name", "", "Optional session label")
 	cmd.Flags().StringVar(&channel, "channel", "", "Optional network channel opt-in for the session")
+	cmd.Flags().StringVar(&space, "space", "", "Deprecated: use --channel")
+	_ = cmd.Flags().MarkDeprecated("space", "use --channel instead")
 	return cmd
 }

Also applies to: 63-64, 76-76

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/cli/session.go` at line 40, Add a short compatibility layer so the
renamed flag accepts the old --space alias: when parsing flags, continue to bind
the same internal variable (channel) to both "--channel" and "--space"; if
"--space" is provided, copy its value into channel and emit a single deprecation
warning mentioning "--space" is deprecated and to use "--channel" instead, while
preferring "--channel" when both are set. Update the flag parsing logic that
defines/reads the channel variable (the channel field and the code that
registers/parses the CLI flags) to accept both names and perform the warning and
precedence handling.

internal/api/httpapi/bridges_test.go (1)

13-131: Collapse these handler cases into a table-driven t.Run("Should...") suite.

The router setup and assertion shape are almost identical across all three tests, so a single table-driven suite would keep this file smaller and make new bridge endpoints easier to cover consistently. As per coding guidelines, **/*_test.go: Use table-driven tests with subtests (\t.Run`) as defaultandMUST use t.Run("Should...") pattern for ALL test cases`.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/api/httpapi/bridges_test.go` around lines 13 - 131, Collapse the
three separate tests (TestCreateBridgeHandlerCreatesBridgeInstance,
TestListBridgeRoutesHandlerReturnsRequestedRouteSet,
TestBridgeTestDeliveryHandlerResolvesTypedTarget) into a single table-driven
test that iterates subtests with t.Run("Should ...") names; factor out the
repeated setup (homePaths := newTestHomePaths(t), engine := newTestRouter(...
newTestHandlersWithBridges ...), performRequest, and decodeJSONResponse) and
express each case as an entry with the unique inputs (stub implementations for
stubBridgeService methods ResolveDeliveryTargetFn/CreateInstanceFn/ListRoutesFn,
HTTP method, path, request body) plus expected status and assertions (e.g.
expected Bridge ID/status, Routes length and fields, DeliveryTarget fields); in
each iteration invoke the appropriate stubbed behavior, call performRequest,
check recorder.Code, decodeJSONResponse and run the case-specific assertions —
keeping test logic encapsulated in the case struct and naming each subtest with
the "Should..." pattern.

internal/extension/bridge_delivery_integration_test.go (1)

66-241: Prefer one table-driven t.Run("Should...") suite for these bridge delivery scenarios.

These three cases reuse the same harness and only vary in script input, broker options, and expected marker progression. Folding them into a single table-driven suite will cut setup duplication and make future bridge-delivery cases cheaper to add. As per coding guidelines, **/*_test.go: Use table-driven tests with subtests (\t.Run`) as defaultandMUST use t.Run("Should...") pattern for ALL test cases`.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/extension/bridge_delivery_integration_test.go` around lines 66 -
241, These three tests
(TestBridgeDeliveryIntegrationPromptProducesOrderedDeliveryStream,
TestBridgeDeliveryIntegrationSlowAdapterCoalescesIntermediateDeltas,
TestBridgeDeliveryIntegrationRestartResumesActiveDelivery) share identical
harness/setup and should be collapsed into a single table-driven test that runs
each scenario as a subtest via t.Run("Should ..."). Create a slice of cases
containing the unique inputs (scripted prompt events for
newScriptedPromptDriver, markerPath, extension/handler names like
"record_deliveries", "slow_record_deliveries", "exit_once_record_deliveries",
and any bridgepkg options such as WithDeliveryBrokerQueueCapacity or
WithDeliveryBrokerRetryDelay) plus expected assertions (e.g. final seq, max
marker count, presence of Resume and snapshot). Move the common setup code
(withDaemonVersion, env := newDeliveryIntegrationEnv(...), instance creation,
params construction, env.callWithContext, waitForDeliveryMarkers,
readDeliveryMarkers, and shared assertions like using
waitForDeliveryMarkers/readDeliveryMarkers) into the loop, and inside each t.Run
execute only the per-case customization and its specific checks (e.g. coalescing
and resume-specific checks). Keep helper functions waitForDeliveryMarkers and
readDeliveryMarkers as-is and reference them from each subtest.

internal/daemon/daemon.go (1)

299-303: WithSignalBridge makes this option name misleading.

This function injects an OS signal channel, not bridge runtime state. Renaming it as part of the bridge migration makes the API harder to read and forces an unrelated breaking rename. Prefer a neutral name and keep this as a compatibility alias.

♻️ Proposed fix

-// WithSignalBridge overrides OS signal delivery, mainly for tests.
-func WithSignalBridge(ch <-chan os.Signal) Option {
+// WithSignalSource overrides OS signal delivery, mainly for tests.
+func WithSignalSource(ch <-chan os.Signal) Option {
 	return func(d *Daemon) {
 		d.signalCh = ch
 	}
 }
+
+// WithSignalBridge is kept as a deprecated alias for compatibility with the
+// bridge migration.
+func WithSignalBridge(ch <-chan os.Signal) Option {
+	return WithSignalSource(ch)
+}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/daemon/daemon.go` around lines 299 - 303, The option function name
WithSignalBridge is misleading because it injects an OS signal channel
(d.signalCh) rather than bridge runtime state; rename the API to a neutral name
such as WithSignalChannel or WithSignalChan and update references to use that
new function, while keeping WithSignalBridge as a thin compatibility wrapper
that simply delegates to the new WithSignalChannel (both should set d.signalCh =
ch); also update any godoc/comments on the function to reflect it accepts an
os.Signal channel.

internal/api/httpapi/bridges_integration_test.go (1)

376-385: Avoid raw sleep-based polling in the shared wait helper.

This helper backs multiple integration tests, so the fixed time.Sleep interval becomes a suite-wide flake point. Prefer a timeout context plus ticker, or ideally a state-change signal from the runtime, instead of direct sleep polling.

♻️ Proposed fix

 func waitForHTTPCondition(t *testing.T, fn func() bool) {
 	t.Helper()
 
-	deadline := time.Now().Add(2 * time.Second)
-	for time.Now().Before(deadline) {
-		if fn() {
-			return
-		}
-		time.Sleep(10 * time.Millisecond)
-	}
-	t.Fatal("condition did not become true before timeout")
+	ctx, cancel := context.WithTimeout(testutil.Context(t), 2*time.Second)
+	defer cancel()
+
+	ticker := time.NewTicker(10 * time.Millisecond)
+	defer ticker.Stop()
+
+	for {
+		if fn() {
+			return
+		}
+		select {
+		case <-ctx.Done():
+			t.Fatal("condition did not become true before timeout")
+		case <-ticker.C:
+		}
+	}
 }

As per coding guidelines, "Never use time.Sleep() in orchestration — use proper synchronization primitives"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/api/httpapi/bridges_integration_test.go` around lines 376 - 385, The
shared helper waitForHTTPCondition currently uses time.Sleep polling which
causes flakiness; replace it with a context-with-timeout plus a ticker (or wait
on a runtime-provided signal) so the loop uses select on ticker.C and ctx.Done
instead of time.Sleep: create ctx, defer cancel with a 2s timeout, use ticker :=
time.NewTicker(10*time.Millisecond) and a select that returns when fn() is true
or exits when ctx.Done(), and stop the ticker before return; update
waitForHTTPCondition to use this pattern (or hook into a provided state-change
channel if available) so tests no longer rely on raw sleeps.

internal/daemon/daemon_integration_test.go (1)

1386-1484: Extract a shared bridge-extension fixture for these scenarios.

These four tests repeat the same extension install, registry bootstrap, daemon boot, and bridge setup flow. Pulling that into one helper will reduce setup drift and make the next bridge-contract rename much safer to update.

As per coding guidelines, "Use shared test helpers from internal/testutil and internal/api/testutil"

Also applies to: 1486-1567, 1569-1715, 1717-1824

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/daemon/daemon_integration_test.go` around lines 1386 - 1484,
Multiple tests duplicate the same extension install, registry bootstrap, daemon
boot, and bridge setup code; extract that sequence into a shared test helper
(e.g., in internal/testutil or internal/api/testutil) that wraps
installExtensionForDaemonIntegration, openDaemonIntegrationGlobalDB +
bridgepkg.NewRegistry, bridgeRegistry.CreateInstance,
registry.PutBridgeSecretBinding, creation of recordingBridgeSecretResolver,
New(...), d.boot(...) and returns the created bridge instance ID, resolver,
daemon instance (d), markerPath and a cleanup function; then update
TestBootStartsBridgeExtensionWithBoundRuntime (and the other three tests) to
call that helper and assert only the test-specific expectations, ensuring the
helper handles error t.Fatalf on setup failures and registers t.Cleanup to
shutdown the daemon.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/api/core/bridges.go`:
- Around line 234-240: respondBridge currently treats any error from
bridgeResponse (which can fail due to observer health lookup) as a 500 via
respondError, turning successful mutations into failures; change respondBridge
so that when bridgeResponse returns an error it does not call respondError for
successful status codes—instead log the error and return the success status with
a best-effort response (e.g. the created/updated BridgeInstance or a response
with health set to "unknown"/nil) so clients see the write succeeded; keep
calling respondError only for genuine server-side failures when the operation
itself failed.

In `@internal/api/core/handlers.go`:
- Around line 146-148: The nil-logger panic occurs in SetStreamDone when it
dereferences h.Logger to call Warn while h may be a zero-valued BaseHandlers;
change SetStreamDone to guard before logging by first checking if h == nil or
h.Logger == nil and only call h.Logger.Warn when the logger is non-nil,
otherwise skip the log and still create/assign the fallback done channel (or
return safely); locate the SetStreamDone method and the done assignment branch
that uses h.Logger.Warn and wrap the log call with a nil-check for h and
h.Logger so the fallback channel is installed without panicking.

In `@internal/api/httpapi/bridges_integration_test.go`:
- Around line 389-399: The helper mustReadAll currently discards the error from
body.Close; change the defer to capture and handle Close's error (e.g., if cerr
:= body.Close(); cerr != nil { t.Fatalf("body.Close() error = %v", cerr) }) so
transport/handler Close failures surface in tests; keep the existing io.ReadAll
error handling and t.Helper usage and ensure you don't shadow the read error
variable when adding the Close error check.

In `@internal/bridges/registry.go`:
- Around line 485-487: New bridge instances are still minted with the old "chan"
prefix (instance.ID = store.NewID("chan")), which can leak the channel namespace
and cause collisions; update the ID generation in registry.go to use the new
bridge namespace (e.g., call store.NewID("bridge") when instance.ID == ""), and
scan for other usages of store.NewID("chan") in the bridge/registry logic to
replace or migrate them to the new "bridge" prefix to avoid cross-namespace
collisions with legacy channel records.

In `@internal/cli/bridge.go`:
- Around line 97-119: When building the CreateBridgeRequest after
parseBridgeScope(scopeRaw) and resolveBridgeStatus(...), add a client-side
validation: if the parsed scope indicates workspace (e.g., scope == "workspace"
or the enum value returned by parseBridgeScope) then ensure
strings.TrimSpace(workspaceID) is not empty and return a descriptive error if it
is; do the same validation in the analogous block that constructs the update
payload (the block referenced at lines 134-145) so workspace-scoped operations
are rejected client-side when --workspace-id is missing.

In `@internal/cli/client_test.go`:
- Around line 719-738: The mock transport handlers in client_test.go only check
a few fields so CreateBridge/UpdateBridge tests won't catch dropped fields;
update the POST (Create) and PATCH (Update) case handlers to fully validate the
decoded contract.CreateBridgeRequest and contract.UpdateBridgeRequest payloads
(not just DisplayName/Platform/ExtensionName) — for Create assert expected
Scope, Enabled, Status (or absence if not sent), RoutingPolicy fields
(IncludePeer, IncludeThread) and any other bridge-specific fields, and for
Update assert that optional pointers are set as expected and that RoutingPolicy
contains the expected flags; you can either compare the decoded payload against
an expected struct or add explicit checks for each field (e.g., payload.Scope,
payload.Enabled, payload.RoutingPolicy.IncludePeer/IncludeThread) in the cases
that handle CreateBridgeRequest and UpdateBridgeRequest.

In `@internal/cli/command_paths_test.go`:
- Around line 47-57: The stubs (networkPeersFn, networkChannelsFn,
networkSendFn, networkInboxFn) currently ignore incoming arguments; update each
closure to assert the expected inputs (e.g., compare the received
NetworkPeersQuery fields inside networkPeersFn, the NetworkSendRequest fields
inside networkSendFn, and the string arg inside networkInboxFn) against expected
values captured in the test scope and call t.Fatalf/t.Errorf on mismatch so
renames or arg-wiring regressions fail the test; for networkChannelsFn (which
has no params) add a closure-level expectation flag or capture an expected
context value in the test and assert it was observed inside the closure to
ensure the "network channels"/--channel call path is exercised.

In `@internal/config/config_test.go`:
- Around line 1047-1052: Rename the test case name field to follow the required
t.Run("Should...") pattern: replace the current name "invalid default channel"
with a description beginning with "Should..." (e.g., "Should reject invalid
default channel") in the test cases slice used by the table-driven test so that
t.Run uses the "Should..." prefix; locate the test cases by the name field in
the table and the use of cfg.Network.DefaultChannel within that specific case to
update only this entry.

---

Outside diff comments:
In `@internal/api/core/network_test.go`:
- Around line 27-57: The test fails to explicitly assert the renamed channel
fields: update the NetworkStatusPayloadFromStatus test to assert that the mapped
channel count matches the source (check payload.Channels equals status.Channels)
and also assert the channel identity is emitted (if the payload exposes a single
channel field like payload.Channel or a slice of channel entries, assert it's
non-empty and contains the expected name); modify the assertions around
core.NetworkStatusPayloadFromStatus, referencing NetworkStatus.Channels and the
payload's Channels/Channel (or ChannelName) field(s) so the test will fail if
channel data is dropped or not emitted.

In `@internal/api/udsapi/network_test.go`:
- Around line 56-87: The test currently doesn't assert that the "channel" field
is preserved end-to-end; add assertions that the outgoing send request's channel
is preserved (e.g., check seenRequest.Channel == "builders" after performRequest
for /api/network/send) and that the inbox response contains the channel (e.g.,
assert inboxResp.Body contains `"channel":"builders"`), so the test fails if the
handler drops or renames the channel field; locate checks around sendResp,
seenRequest, inboxResp in network_test.go and add these two assertions.

In `@internal/bridges/delivery_types.go`:
- Around line 80-95: The validation currently only enforces that resume events
require a Snapshot but does not reject snapshots on non-resume events; update
the Validate logic in the delivery request type (the block that checks
r.Snapshot and calls normalizeDeliveryEventType and compares to
DeliveryEventTypeResume) to return an error when r.Snapshot is non-nil and
normalizeDeliveryEventType(r.Event.EventType) is NOT DeliveryEventTypeResume
(i.e., reject snapshots on start/delta/final/error), while keeping the existing
resume->snapshot checks (call to r.Snapshot.Validate() and matching of
r.Snapshot.DeliveryID and r.Snapshot.BridgeInstanceID to r.Event.DeliveryID /
r.Event.BridgeInstanceID) intact.

In `@internal/cli/bridge.go`:
- Around line 539-556: The parsing currently only checks JSON syntax, allowing
non-object values; update parseRequiredBridgeJSON (and by extension
parseOptionalBridgeJSON which delegates to it) to reject any JSON that is not
either an object or null: after json.Valid, json.Unmarshal the trimmed string
into an interface{} and ensure the resulting value is either nil (for "null") or
a map[string]interface{} (a JSON object); if not, return an error like "cli:
delivery defaults must be a JSON object or null". Ensure parseOptionalBridgeJSON
still returns nil for empty input and that parseRequiredBridgeJSON returns a
json.RawMessage for valid object or "null".

In `@internal/cli/cli_integration_test.go`:
- Around line 1406-1475: Observer is constructed without the bridgeService, so
add observe.WithBridgeSource(bridgeService) to the observer options where the
observer is created (so the observer passed into udsapi.New includes the bridge
source); locate the observer construction (the observe.New/observe.Options call
used in Run) and include observe.WithBridgeSource(bridgeService) among its
options to mirror production wiring and ensure bridge status/health is observed.

In `@internal/cli/network_client_test.go`:
- Around line 32-40: The test's mock handler in network_client_test.go only
asserts ext metadata but not the renamed channel field, so update the handler
inside the case for req.Method == http.MethodPost && req.URL.Path ==
"/api/network/send" to also assert that the serialized send payload contains the
renamed channel key (e.g., that the request body includes `"channel":"builders"`
or otherwise parse the JSON and verify the "channel" field equals "builders");
this ensures NetworkSend (and not an old "space" key) is being used—locate the
request handling block in the test and add the channel assertion alongside the
existing ext metadata checks.

In `@internal/cli/network.go`:
- Around line 350-384: The human-readable network inbox table in
networkInboxBundle omits the Channel column; update the header slice to include
"Channel" (e.g., "ID", "Kind", "Channel", "From", "To", "Reply To", "Trace",
"Workflow", "Handoff") and insert the corresponding value in the human row
formatter (the first func(message NetworkEnvelopeRecord) []string) by adding
stringOrDash(message.Channel) in the matching position so the human table
columns align with the machine-readable fields generated by the second
formatter.
- Around line 150-165: The calls to
cmd.MarkFlagRequired("session"/"channel"/"kind"/"body") currently ignore
returned errors; update the code around the cmd.MarkFlagRequired invocations to
capture the error (e.g., err := cmd.MarkFlagRequired(...)) and handle it instead
of using `_ =`, by returning the error from the enclosing function or logging
and exiting (use processLogger/fmt.Errorf/cli.Errorf or return err) so flag
registration failures don't go unnoticed; specifically modify each
cmd.MarkFlagRequired call in the network command setup to check err and
propagate or handle it for the "session", "channel", "kind", and "body" flags.

In `@internal/cli/session_test.go`:
- Around line 547-569: Update the test assertions in session_test.go that check
bundle.human() and bundle.toon() to assert the rendered channel label as well as
the value: in the human() checks, ensure you assert strings.Contains(human,
"<channel label>") (e.g. "Channel" or the exact label used by
sessionListBundle.human()) in addition to strings.Contains(human, "builders");
and similarly in the toon() checks assert strings.Contains(toon, "<channel
label>") plus strings.Contains(toon, "builders"). Locate the assertions around
the human, err := bundle.human() and toon, err := bundle.toon() blocks and
update the strings.Contains conditions (used in those t.Fatalf checks) to
include the channel label check so the test fails if the label text changes.

In `@internal/daemon/boot.go`:
- Around line 583-597: Currently the extension runtime
(state.bridges.setExtensionRuntime and state.setExtensionRuntime) and
state.deps.Extensions = newDaemonExtensionService(...) are assigned before
manager.Start(ctx), which can fail and leave bridges/deps pointing at a
non-started manager; change the flow so you only call
state.bridges.setExtensionRuntime(manager), state.setExtensionRuntime(manager)
and assign state.deps.Extensions after manager.Start(ctx) returns nil; always
still register the manager.Stop cleanup via cleanup.add(func(ctx
context.Context) error { return manager.Stop(ctx) }) before Start so Stop is
guaranteed, but if manager.Start returns an error log it (as now) and do not set
the bridge/runtime or deps to the failed manager.

In `@internal/extension/capability_test.go`:
- Around line 57-120: Add a test case to
TestCapabilityCheckerCheckHostAPIShouldEnforceDualGates that covers the new
mapping for "bridges/instances/report_state" -> "bridge.write": include an entry
where method is "bridges/instances/report_state" and assert failure when actions
do not include the required action or when security lacks "bridge.write" (set
wantRequired to []string{"bridge.write"} and wantGranted accordingly), plus a
passing case where actions include "bridges/instances/report_state" and security
includes "bridge.write"; use the existing test table pattern to add both
scenarios so regressions in the state-reporting gate are caught.

---

Nitpick comments:
In `@internal/api/core/handlers_test.go`:
- Around line 306-307: The test currently sets payload.Daemon.Network.Channels
but never asserts it; add an explicit assertion in the response assertion block
to verify payload.Daemon.Network.Channels equals the expected value (3) using
the same assertion style used elsewhere in handlers_test.go (e.g., the existing
response/assert helpers or testify/require calls) so the test validates the
meaningful business logic for the Daemon.Network.Channels field.

In `@internal/api/httpapi/bridges_integration_test.go`:
- Around line 376-385: The shared helper waitForHTTPCondition currently uses
time.Sleep polling which causes flakiness; replace it with a
context-with-timeout plus a ticker (or wait on a runtime-provided signal) so the
loop uses select on ticker.C and ctx.Done instead of time.Sleep: create ctx,
defer cancel with a 2s timeout, use ticker :=
time.NewTicker(10*time.Millisecond) and a select that returns when fn() is true
or exits when ctx.Done(), and stop the ticker before return; update
waitForHTTPCondition to use this pattern (or hook into a provided state-change
channel if available) so tests no longer rely on raw sleeps.

In `@internal/api/httpapi/bridges_test.go`:
- Around line 13-131: Collapse the three separate tests
(TestCreateBridgeHandlerCreatesBridgeInstance,
TestListBridgeRoutesHandlerReturnsRequestedRouteSet,
TestBridgeTestDeliveryHandlerResolvesTypedTarget) into a single table-driven
test that iterates subtests with t.Run("Should ...") names; factor out the
repeated setup (homePaths := newTestHomePaths(t), engine := newTestRouter(...
newTestHandlersWithBridges ...), performRequest, and decodeJSONResponse) and
express each case as an entry with the unique inputs (stub implementations for
stubBridgeService methods ResolveDeliveryTargetFn/CreateInstanceFn/ListRoutesFn,
HTTP method, path, request body) plus expected status and assertions (e.g.
expected Bridge ID/status, Routes length and fields, DeliveryTarget fields); in
each iteration invoke the appropriate stubbed behavior, call performRequest,
check recorder.Code, decodeJSONResponse and run the case-specific assertions —
keeping test logic encapsulated in the case struct and naming each subtest with
the "Should..." pattern.

In `@internal/cli/session.go`:
- Line 40: Add a short compatibility layer so the renamed flag accepts the old
--space alias: when parsing flags, continue to bind the same internal variable
(channel) to both "--channel" and "--space"; if "--space" is provided, copy its
value into channel and emit a single deprecation warning mentioning "--space" is
deprecated and to use "--channel" instead, while preferring "--channel" when
both are set. Update the flag parsing logic that defines/reads the channel
variable (the channel field and the code that registers/parses the CLI flags) to
accept both names and perform the warning and precedence handling.

In `@internal/daemon/daemon_integration_test.go`:
- Around line 1386-1484: Multiple tests duplicate the same extension install,
registry bootstrap, daemon boot, and bridge setup code; extract that sequence
into a shared test helper (e.g., in internal/testutil or internal/api/testutil)
that wraps installExtensionForDaemonIntegration, openDaemonIntegrationGlobalDB +
bridgepkg.NewRegistry, bridgeRegistry.CreateInstance,
registry.PutBridgeSecretBinding, creation of recordingBridgeSecretResolver,
New(...), d.boot(...) and returns the created bridge instance ID, resolver,
daemon instance (d), markerPath and a cleanup function; then update
TestBootStartsBridgeExtensionWithBoundRuntime (and the other three tests) to
call that helper and assert only the test-specific expectations, ensuring the
helper handles error t.Fatalf on setup failures and registers t.Cleanup to
shutdown the daemon.

In `@internal/daemon/daemon.go`:
- Around line 299-303: The option function name WithSignalBridge is misleading
because it injects an OS signal channel (d.signalCh) rather than bridge runtime
state; rename the API to a neutral name such as WithSignalChannel or
WithSignalChan and update references to use that new function, while keeping
WithSignalBridge as a thin compatibility wrapper that simply delegates to the
new WithSignalChannel (both should set d.signalCh = ch); also update any
godoc/comments on the function to reflect it accepts an os.Signal channel.

In `@internal/extension/bridge_delivery_integration_test.go`:
- Around line 66-241: These three tests
(TestBridgeDeliveryIntegrationPromptProducesOrderedDeliveryStream,
TestBridgeDeliveryIntegrationSlowAdapterCoalescesIntermediateDeltas,
TestBridgeDeliveryIntegrationRestartResumesActiveDelivery) share identical
harness/setup and should be collapsed into a single table-driven test that runs
each scenario as a subtest via t.Run("Should ..."). Create a slice of cases
containing the unique inputs (scripted prompt events for
newScriptedPromptDriver, markerPath, extension/handler names like
"record_deliveries", "slow_record_deliveries", "exit_once_record_deliveries",
and any bridgepkg options such as WithDeliveryBrokerQueueCapacity or
WithDeliveryBrokerRetryDelay) plus expected assertions (e.g. final seq, max
marker count, presence of Resume and snapshot). Move the common setup code
(withDaemonVersion, env := newDeliveryIntegrationEnv(...), instance creation,
params construction, env.callWithContext, waitForDeliveryMarkers,
readDeliveryMarkers, and shared assertions like using
waitForDeliveryMarkers/readDeliveryMarkers) into the loop, and inside each t.Run
execute only the per-case customization and its specific checks (e.g. coalescing
and resume-specific checks). Keep helper functions waitForDeliveryMarkers and
readDeliveryMarkers as-is and reference them from each subtest.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9928ac09-df1d-4f80-9ad2-4a4301c697cd

📥 Commits

Reviewing files that changed from the base of the PR and between 4f5a50e and 4a08a8d.

⛔ Files ignored due to path filters (10)

• .codex/plans/2026-04-13-network-rename-hard-cut.md is excluded by !**/*.md
• docs/rfcs/003_agh-network-OLD.md is excluded by !**/*.md
• docs/rfcs/003_agh-network-v0.md is excluded by !**/*.md
• docs/rfcs/004_agh-network-v1.md is excluded by !**/*.md
• internal/skills/bundled/skills/agh-network/SKILL.md is excluded by !**/*.md
• openapi/agh.json is excluded by !**/*.json
• sdk/examples/telegram-reference/README.md is excluded by !**/*.md
• sdk/examples/telegram-reference/extension.toml is excluded by !**/*.toml
• sdk/typescript/src/generated/contracts.ts is excluded by !**/generated/**
• web/src/generated/agh-openapi.d.ts is excluded by !**/generated/**

📒 Files selected for processing (182)

• internal/acp/handlers.go
• internal/api/contract/bridges.go
• internal/api/contract/bridges_test.go
• internal/api/contract/channels.go
• internal/api/contract/contract.go
• internal/api/contract/responses.go
• internal/api/core/bridges.go
• internal/api/core/bridges_test.go
• internal/api/core/channels.go
• internal/api/core/channels_test.go
• internal/api/core/conversions.go
• internal/api/core/conversions_parsers_test.go
• internal/api/core/errors.go
• internal/api/core/errors_test.go
• internal/api/core/handlers.go
• internal/api/core/handlers_test.go
• internal/api/core/hooks_test.go
• internal/api/core/interfaces.go
• internal/api/core/network.go
• internal/api/core/network_test.go
• internal/api/core/test_helpers_test.go
• internal/api/httpapi/bridges_integration_test.go
• internal/api/httpapi/bridges_test.go
• internal/api/httpapi/channels_integration_test.go
• internal/api/httpapi/channels_test.go
• internal/api/httpapi/handlers.go
• internal/api/httpapi/handlers_test.go
• internal/api/httpapi/helpers_test.go
• internal/api/httpapi/httpapi_integration_test.go
• internal/api/httpapi/routes.go
• internal/api/httpapi/server.go
• internal/api/spec/spec.go
• internal/api/spec/spec_test.go
• internal/api/testutil/apitest.go
• internal/api/udsapi/bridges_integration_test.go
• internal/api/udsapi/bridges_test.go
• internal/api/udsapi/channels_integration_test.go
• internal/api/udsapi/channels_test.go
• internal/api/udsapi/handlers_test.go
• internal/api/udsapi/helpers_test.go
• internal/api/udsapi/network_test.go
• internal/api/udsapi/routes.go
• internal/api/udsapi/server.go
• internal/api/udsapi/server_test.go
• internal/api/udsapi/udsapi_integration_test.go
• internal/bridges/delivery_broker.go
• internal/bridges/delivery_broker_test.go
• internal/bridges/delivery_metrics.go
• internal/bridges/delivery_projection_test.go
• internal/bridges/delivery_types.go
• internal/bridges/dimensions.go
• internal/bridges/doc.go
• internal/bridges/lifecycle.go
• internal/bridges/registry.go
• internal/bridges/registry_integration_test.go
• internal/bridges/registry_test.go
• internal/bridges/routing.go
• internal/bridges/target.go
• internal/bridges/target_integration_test.go
• internal/bridges/target_test.go
• internal/bridges/types.go
• internal/bridges/types_test.go
• internal/channels/doc.go
• internal/channels/registry.go
• internal/cli/bridge.go
• internal/cli/bridge_test.go
• internal/cli/channel_test.go
• internal/cli/cli_integration_test.go
• internal/cli/client.go
• internal/cli/client_test.go
• internal/cli/command_paths_test.go
• internal/cli/daemon.go
• internal/cli/helpers_test.go
• internal/cli/network.go
• internal/cli/network_client_test.go
• internal/cli/network_test.go
• internal/cli/root.go
• internal/cli/session.go
• internal/cli/session_test.go
• internal/cli/skill_test.go
• internal/config/config.go
• internal/config/config_test.go
• internal/config/merge.go
• internal/config/merge_test.go
• internal/daemon/boot.go
• internal/daemon/bridges.go
• internal/daemon/bridges_test.go
• internal/daemon/channels.go
• internal/daemon/daemon.go
• internal/daemon/daemon_integration_test.go
• internal/daemon/daemon_test.go
• internal/extension/bridge_delivery_integration_test.go
• internal/extension/bridge_delivery_notifier.go
• internal/extension/bridge_delivery_notifier_test.go
• internal/extension/capability.go
• internal/extension/capability_test.go
• internal/extension/contract/host_api.go
• internal/extension/contract/sdk.go
• internal/extension/describe_test.go
• internal/extension/host_api.go
• internal/extension/host_api_bridges.go
• internal/extension/host_api_channels.go
• internal/extension/host_api_integration_test.go
• internal/extension/host_api_test.go
• internal/extension/manager.go
• internal/extension/manager_integration_test.go
• internal/extension/manager_test.go
• internal/extension/protocol/host_api.go
• internal/extension/protocol/host_api_test.go
• internal/extension/telegram_reference_integration_test.go
• internal/extensiontest/bridge_adapter_harness.go
• internal/extensiontest/bridge_adapter_harness_integration_test.go
• internal/extensiontest/bridge_adapter_harness_test.go
• internal/network/audit.go
• internal/network/audit_test.go
• internal/network/delivery.go
• internal/network/delivery_test.go
• internal/network/envelope.go
• internal/network/envelope_integration_test.go
• internal/network/helpers_test.go
• internal/network/lifecycle.go
• internal/network/lifecycle_test.go
• internal/network/manager.go
• internal/network/manager_test.go
• internal/network/peer.go
• internal/network/peer_test.go
• internal/network/router.go
• internal/network/router_integration_test.go
• internal/network/router_test.go
• internal/network/transport.go
• internal/network/transport_integration_test.go
• internal/network/transport_test.go
• internal/network/validate.go
• internal/network/validate_test.go
• internal/observe/bridges.go
• internal/observe/bridges_test.go
• internal/observe/channels.go
• internal/observe/channels_test.go
• internal/observe/health.go
• internal/observe/observer.go
• internal/observe/observer_test.go
• internal/observe/reconcile.go
• internal/session/interfaces.go
• internal/session/manager.go
• internal/session/manager_helpers.go
• internal/session/manager_hooks_test.go
• internal/session/manager_integration_test.go
• internal/session/manager_lifecycle.go
• internal/session/manager_network_skill.go
• internal/session/manager_start.go
• internal/session/manager_test.go
• internal/session/query.go
• internal/session/query_test.go
• internal/session/session.go
• internal/skills/bundled/bundled_test.go
• internal/store/globaldb/global_db.go
• internal/store/globaldb/global_db_bridge.go
• internal/store/globaldb/global_db_bridges_integration_test.go
• internal/store/globaldb/global_db_bridges_test.go
• internal/store/globaldb/global_db_channel.go
• internal/store/globaldb/global_db_channels_integration_test.go
• internal/store/globaldb/global_db_channels_test.go
• internal/store/globaldb/global_db_network_audit.go
• internal/store/globaldb/global_db_network_audit_test.go
• internal/store/globaldb/global_db_session.go
• internal/store/globaldb/global_db_session_test.go
• internal/store/globaldb/global_db_test.go
• internal/store/globaldb/migrate_workspace.go
• internal/store/meta_test.go
• internal/store/types.go
• internal/subprocess/handshake.go
• internal/subprocess/process_test.go
• sdk/examples/telegram-reference/main.go
• sdk/examples/telegram-reference/main_test.go
• sdk/typescript/src/extension.test.ts
• sdk/typescript/src/extension.ts
• sdk/typescript/src/host-api.test.ts
• sdk/typescript/src/host-api.ts
• sdk/typescript/src/index.ts
• web/src/systems/daemon/adapters/daemon-api.test.ts
• web/src/systems/daemon/hooks/use-daemon-health.test.ts
• web/src/systems/daemon/types.test.ts

💤 Files with no reviewable changes (11)

• internal/channels/doc.go
• internal/api/core/channels_test.go
• internal/api/httpapi/channels_integration_test.go
• internal/api/udsapi/channels_test.go
• internal/api/httpapi/channels_test.go
• internal/api/contract/channels.go
• internal/api/udsapi/channels_integration_test.go
• internal/cli/channel_test.go
• internal/channels/registry.go
• internal/daemon/channels.go
• internal/api/core/channels.go

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (3)

internal/extension/bridge_delivery_integration_test.go (1)

177-180: Remove redundant loop variable capture for Go 1.25+

The tc := tc pattern is unnecessary in Go 1.25 (and Go 1.22+), as loop variables are now properly scoped per iteration. Removing this line will reduce clutter without affecting behavior.

♻️ Optional cleanup

 	for _, tc := range tests {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/extension/bridge_delivery_integration_test.go` around lines 177 -
180, Remove the redundant loop-variable capture "tc := tc" inside the
table-driven test loop—the loop variable "tc" is already correctly scoped per
iteration in Go 1.25+, so delete the "tc := tc" line in the anonymous func
started by t.Run (the block that calls t.Parallel()) to clean up the code while
keeping the existing t.Run and t.Parallel usage intact.

internal/bridges/delivery_broker_test.go (1)

28-63: Add a compile-time interface verification for the fake transport.

The fakeDeliveryTransport implements DeliveryTransport but lacks the compile-time assertion var _ DeliveryTransport = (*fakeDeliveryTransport)(nil). This would catch method signature drift at compile time rather than at runtime. Per coding guidelines, use explicit interface verification: var _ Interface = (*Type)(nil).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/bridges/delivery_broker_test.go` around lines 28 - 63, Add a
compile-time interface assertion to ensure fakeDeliveryTransport implements
DeliveryTransport by adding the statement var _ DeliveryTransport =
(*fakeDeliveryTransport)(nil) near the fakeDeliveryTransport type definition (or
in the same file), so any method-signature drift on fakeDeliveryTransport will
be caught at compile time; reference the fakeDeliveryTransport type and
DeliveryTransport interface when adding this assertion.

internal/cli/cli_integration_test.go (1)

1118-1165: Add compile-time interface verification for integrationBridgeService.

The coding guidelines require compile-time interface verification, and the reference implementation in internal/api/udsapi/udsapi_integration_test.go:540 includes this check. Adding it here ensures the test double satisfies the required interface at compile time.

♻️ Proposed fix

 type integrationBridgeService struct {
 	*bridgepkg.Service
 }
+
+var _ core.BridgeService = (*integrationBridgeService)(nil)

Note: You'll need to import the core package if not already imported, or use the appropriate interface type that integrationBridgeService is expected to satisfy.

As per coding guidelines, "Use compile-time interface verification: var _ Interface = (*Type)(nil)"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/cli/cli_integration_test.go` around lines 1118 - 1165, Add a
compile-time interface assertion to verify integrationBridgeService implements
the required BridgeService interface (e.g. add a top-level line like: var _
core.BridgeService = (*integrationBridgeService)(nil)); place it near the
integrationBridgeService type definition and import the core package (or use the
correct interface type) if not already imported so the build will fail if the
type no longer satisfies the interface.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/api/httpapi/bridges_integration_test.go`:
- Around line 35-57: Add t.Parallel() as the first statement in each independent
test to enable parallel execution: insert it at the top of
TestHTTPBridgeCreateReturnsPersistedPayload and likewise in
TestHTTPBridgeRoutesEndpointReturnsOnlyRequestedInstanceRoutes,
TestHTTPBridgeTestDeliveryResolvesTargetWithoutLiveAdapter,
TestHTTPObserveHealthIncludesBridgeMetricsAndPreservesSessionFields,
TestHTTPBridgeDetailShowsAuthRequiredStatusAndHealth, and
TestHTTPBridgeDetailReportsBacklogAndClearsAfterDeliveryCompletes (each test
uses newIntegrationRuntime(t) so they are safe to run in parallel).

In `@internal/cli/bridge.go`:
- Around line 97-105: After parsing scope (parseBridgeScope) and resolving
status (resolveBridgeStatus) but before calling the daemon, validate the
composed create payload (the combination of enabled, resolved status, scope and
workspaceID) locally and return a clear error for invalid combinations (for
example flags like --enabled=false with status=ready); add a small validation
function or call the existing registry/bridge validation helper to enforce the
same rules the daemon uses and ensure the CLI rejects invalid combos early
(refer to enabled, statusRaw, resolveBridgeStatus, parseBridgeScope and
workspaceID when locating where to insert this check).

In `@internal/daemon/boot.go`:
- Around line 583-590: manager.Start(ctx) failures that are due to context
cancellation should not be treated as non-blocking success; change the handling
around the manager.Start(ctx) call so that if errors.Is(err, context.Canceled)
or errors.Is(err, context.DeadlineExceeded) you return the error (propagate
cancellation) instead of swallowing it, and only log and continue ("continue
without blocking boot") for non-context errors; use errors.Is for checks and
keep the cleanup.add(func(ctx context.Context) error { return manager.Stop(ctx)
}) behavior intact so Stop is still invoked when boot continues.

---

Nitpick comments:
In `@internal/bridges/delivery_broker_test.go`:
- Around line 28-63: Add a compile-time interface assertion to ensure
fakeDeliveryTransport implements DeliveryTransport by adding the statement var _
DeliveryTransport = (*fakeDeliveryTransport)(nil) near the fakeDeliveryTransport
type definition (or in the same file), so any method-signature drift on
fakeDeliveryTransport will be caught at compile time; reference the
fakeDeliveryTransport type and DeliveryTransport interface when adding this
assertion.

In `@internal/cli/cli_integration_test.go`:
- Around line 1118-1165: Add a compile-time interface assertion to verify
integrationBridgeService implements the required BridgeService interface (e.g.
add a top-level line like: var _ core.BridgeService =
(*integrationBridgeService)(nil)); place it near the integrationBridgeService
type definition and import the core package (or use the correct interface type)
if not already imported so the build will fail if the type no longer satisfies
the interface.

In `@internal/extension/bridge_delivery_integration_test.go`:
- Around line 177-180: Remove the redundant loop-variable capture "tc := tc"
inside the table-driven test loop—the loop variable "tc" is already correctly
scoped per iteration in Go 1.25+, so delete the "tc := tc" line in the anonymous
func started by t.Run (the block that calls t.Parallel()) to clean up the code
while keeping the existing t.Run and t.Parallel usage intact.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4b6c9238-a3a9-4f0c-bdba-ceca66926ceb

📥 Commits

Reviewing files that changed from the base of the PR and between 4a08a8d and 7f62572.

📒 Files selected for processing (31)

• internal/api/core/bridges.go
• internal/api/core/bridges_test.go
• internal/api/core/handlers.go
• internal/api/core/handlers_test.go
• internal/api/core/network_test.go
• internal/api/core/streamdone_internal_test.go
• internal/api/httpapi/bridges_integration_test.go
• internal/api/httpapi/bridges_test.go
• internal/api/udsapi/network_test.go
• internal/bridges/delivery_broker_test.go
• internal/bridges/delivery_projection_test.go
• internal/bridges/delivery_types.go
• internal/bridges/registry.go
• internal/bridges/registry_test.go
• internal/cli/automation.go
• internal/cli/bridge.go
• internal/cli/bridge_test.go
• internal/cli/cli_integration_test.go
• internal/cli/client_test.go
• internal/cli/command_paths_test.go
• internal/cli/flags.go
• internal/cli/memory.go
• internal/cli/network.go
• internal/cli/network_client_test.go
• internal/cli/network_test.go
• internal/cli/session_test.go
• internal/config/config_test.go
• internal/daemon/boot.go
• internal/daemon/daemon_test.go
• internal/extension/bridge_delivery_integration_test.go
• internal/extension/capability_test.go

✅ Files skipped from review due to trivial changes (2)

• internal/cli/session_test.go
• internal/config/config_test.go

🚧 Files skipped from review as they are similar to previous changes (8)

• internal/api/core/network_test.go
• internal/api/core/handlers.go
• internal/extension/capability_test.go
• internal/bridges/delivery_projection_test.go
• internal/cli/command_paths_test.go
• internal/api/udsapi/network_test.go
• internal/api/httpapi/bridges_test.go
• internal/api/core/bridges.go