feat: onboarding and improvements

[pedronauck]

Summary

• Adds the onboarding branch work already present on the onboarding branch.
• Fixes durable session reattach and background session behavior: accepted prompt execution is daemon-owned, transcript hydration renders persisted history on route remount, live-tail refetches durable truth on stream activity/gaps, large histories use TanStack Virtual, and agent/sidebar rows derive running indicators from daemon session truth.
• Keeps public prompt/transcript/stream API shapes compatible and documents the accepted prompt lifetime behavior in the bundled AGH runtime operations reference.

Verification

• rtk go test ./internal/api/core ./internal/session ./internal/api/httpapi ./internal/api/udsapi
• rtk bunx turbo run test --filter=./web -- --run src/systems/session/components/tests/session-chat-runtime-provider.test.tsx
• rtk bunx turbo run test --filter=./web
• rtk make bun-lint
• rtk make bun-typecheck
• rtk make bun-test
• rtk make lint
• rtk make verify before commit
• rtk make verify after commit
• cy-impl-peer-review round 3: SHIP, 0 blockers

UI Evidence

• /tmp/agh-ui-screens/session-reattach/session-thread-running.png
• /tmp/agh-ui-screens/session-reattach/agent-sessions-running.png
• /tmp/agh-ui-screens/session-reattach/app-sidebar-running.png

AGH Impact Audit

• Native tools: no public tool ID/schema break; checked session prompt/cancel/interrupt/steer, transcript, stream, HTTP and UDS prompt parity. No OpenAPI/generated contract changes required.
• Extensibility and hooks: prompt lifecycle hooks, transcript observers, runtime activity, and session streams continue to flow from durable pump events; no config lifecycle change.
• Workspace data isolation: transcript hydration, stream URLs/cursors, query keys, session lists, and running indicator derivation stay scoped by workspace_id; no cross-workspace cache reuse introduced.
• Official AGH skill: updated skills/agh/references/runtime-operations.md for daemon-owned accepted prompt lifetime and transcript/event-store reattach authority.

Peer Review Follow-Up

• Non-blocking round-3 risks remain for a future PR: incremental SSE-to-runtime merge, transcript latest-sequence cursor seed, typed stream event routing, and consolidating duplicate transcript hydration paths.

Summary by CodeRabbit

• New Features

  • Onboarding API (status/complete/reset) and CLI commands
  • Read‑only filesystem directory browser API
  • Agent creation flow (global/workspace) and native agent-authoring tool
  • Native network channel creation tool

• Improvements

  • Prompt streaming: explicit accepted turn ID and clearer delivery vs execution handling
  • Agent visibility: internal/reserved agents hidden from public listings
  • UI: truncated tool-call titles, message list virtualization, enhanced stepper components

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agh-site	Ready	Preview, Comment	May 26, 2026 8:33am

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3ca56a40-2b64-4b53-aad8-66936fccd346

📥 Commits

Reviewing files that changed from the base of the PR and between 6ea0e29 and 45498c5.

📒 Files selected for processing (2)

• packages/ui/src/components/reui/hooks/use-stepper.ts
• packages/ui/src/components/reui/stepper.tsx

✅ Files skipped from review due to trivial changes (1)

• packages/ui/src/components/reui/hooks/use-stepper.ts

---

Walkthrough

Adds onboarding lifecycle (contracts, handlers, storage, CLI, server wiring), a filesystem browse API, a prompt-stream refactor (execution vs delivery contexts, start frame, accepted turn id), public/internal agent filtering and onboarding provisioning, native tools for channels/agent creation, Codex onboarding home handling, OpenAPI/routes, tests, and site/UI adjustments.

Changes

Onboarding lifecycle API, storage, CLI, server wiring, and OpenAPI

Layer / File(s)	Summary
Contracts and core onboarding handlers internal/api/contract/onboarding.go, internal/api/core/onboarding.go, internal/api/core/interfaces.go, internal/api/core/handlers.go	Adds onboarding payload/response types; implements GET/POST/DELETE handlers; exposes OnboardingStore and wires into BaseHandlers.
HTTP/UDS routes and servers inject onboarding store internal/api/httpapi/routes.go, internal/api/httpapi/server.go, internal/api/udsapi/routes.go, internal/api/udsapi/server.go	Registers onboarding routes; adds server options/fields and passes onboarding store into handler configs for both transports.
GlobalDB app metadata + onboarding store internal/store/globaldb/*, internal/store/store.go	Adds app_metadata migration and CRUD; implements onboarding status Get/Complete/Reset in GlobalDB with tests.
CLI client interface and onboarding commands internal/cli/*	Extends DaemonClient; implements onboarding client methods and CLI subcommands; installer ensures onboarding agent.
Daemon registry wiring and boot ensures internal/daemon/*	Embeds OnboardingStore in Registry; passes store into server options; boot ensures bootstrap and onboarding managed agents.
OpenAPI tags/operations and site navigation/icon internal/api/spec/spec.go, packages/site/lib/runtime-navigation.ts, packages/site/scripts/generate-openapi.ts	Adds onboarding/filesystem tags and operations; updates navigation and API tag icon mapping.

Filesystem directory browse API

Layer / File(s)	Summary
FS contracts and core handler internal/api/contract/fs.go, internal/api/core/fs_browse.go	Defines FSEntryPayload/FSBrowseResponse and implements BrowseDirectory with validation, symlink resolution, entry filtering, sorting, and status mapping.
Tests and route registration internal/api/core/fs_browse_test.go, internal/api/httpapi/routes.go, internal/api/udsapi/routes.go	Adds tests for browse behavior and registers HTTP/UDS browse routes.

Prompt streaming refactor: delivery context, start frame, accepted turn id

Layer / File(s)	Summary
PromptStreamEncoder Start and tool name resolution internal/api/core/prompt_stream.go, internal/api/core/prompt_stream_test.go	Adds AcceptedPromptStreamTurnID validator, PromptStreamEncoder.Start to emit initial SSE start frame, and refactors tool-name extraction from raw meta with tests.
HTTP API prompt session: contexts and SSE loop internal/api/httpapi/prompt.go, internal/api/httpapi/handlers.go, internal/api/httpapi/handlers_test.go	Separates executionCtx vs deliveryCtx, passes DeliveryContext into SendPrompt, validates turnID, starts encoder with turnID, cancels delivery on disconnect, and removes prompt-drain utilities; tests updated to SendPromptResult shape and separation behavior.
UDS API prompt session: contexts and SSE/raw loops internal/api/udsapi/prompt.go, internal/api/udsapi/handlers_test.go	Mirrors HTTP changes for UDS prompt handlers and tests; removes drain helpers and adjusts tests for SendPrompt result/NewTurnID.
HTTP/UDS prompt streaming tests and handler stubs internal/api/httpapi/*_test.go, internal/api/udsapi/handlers_test.go	Updates stubs to return session.SendPromptResult with NewTurnID, adds error case when NewTurnID missing, and adds execution vs delivery separation tests.
Handlers/Server cleanup: remove drains/wg internal/api/httpapi/handlers.go, internal/api/httpapi/prompt_drain_test.go, internal/api/udsapi/server_test.go	Removes prompt drain waitgroup and associated drain tests and imports.

Public vs internal-managed agents and onboarding agent ensure

Layer / File(s)	Summary
Config helpers and onboarding ensure internal/config/agent.go, internal/config/bootstrap.go, internal/config/bootstrap_test.go	Adds IsInternalManagedAgentName/IsPublicAgentDef/ValidatePublicAgentName, EnsureOnboardingAgent and onboarding agent contents generator with tests.
API handlers/workspaces filter internal/non-public and validate names internal/api/core/handlers.go, internal/api/core/workspaces.go	Skips internal-managed and non-public agents in List/Get/response paths; validates public agent names during create flow; filters workspace agent merges.
CLI create uses ValidatePublicAgentName and rejects onboarding name internal/cli/agent.go, internal/cli/agent_commands_test.go	Switches agent create validation to ValidatePublicAgentName and adds test rejecting reserved onboarding name.
Daemon catalog/workspace omit internal-managed and non-public agents internal/daemon/agent_skill_resources*.go	Prevents internal-managed matches and filters to public-only in listings/resolution; tests adjusted.
Session visibility helpers and tests internal/api/core/conversions.go, internal/api/core/handler_edge_cases_test.go, internal/api/core/memory_workspace_test.go	Adds visible-session filters to hide internal memory sessions and applies them in session payload construction and workspace queries.

Native tools: network_channel_create and workspace/agent_create

Layer / File(s)	Summary
Builtin tool IDs, descriptors, schemas, and toolsets internal/tools/builtin*, internal/tools/builtin_ids.go	Adds ToolIDNetworkChannelCreate and ToolIDAgentCreate, descriptors, JSON input schemas, toolset membership, and test updates.
Daemon native tool handlers and tests internal/daemon/native_create_tools.go, internal/daemon/native_create_tools_test.go	Implements native handlers for network channel creation and agent creation, request building, error mapping, and tests validating persistence, validation, and denial rules.
Native tool availability/bindings and workspace agent visibility internal/daemon/native_tools.go	Wires agentCreate availability, registers bindings for both tools, filters workspace agents to public-only, and changes workspace ID resolution source.

Session pipeline: delivery context and lifecycle separation

Layer / File(s)	Summary
Interfaces and SendPrompt opts internal/session/interfaces.go, internal/session/manager_busy_input.go	Adds DeliveryContext to PromptOpts and SendPromptOpts and forwards it through Manager.SendPrompt.
Manager prompt contexts and pump lifecycle internal/session/manager_prompt.go	Separates lifecycleCtx from deliveryCtx across submit/parse/start pump and uses lifecycleCtx for pump lifecycle while passing deliveryCtx for delivery-specific handling.
Prompt lifetime test for delivery cancellation internal/session/manager_prompt_lifetime_test.go	Tests that provider execution continues after delivery cancellation and that persisted events are recorded while delivery stops delivering events.

Managed onboarding Codex home for providers

Layer / File(s)	Summary
Provider runtime and helpers internal/session/provider_runtime.go	Adds managed onboarding Codex home logic: eligibility checks, managed home path creation, private dir enforcement, copying operator auth.json, and injecting CODEX_HOME/PROVIDER_CODEX_HOME for onboarding sessions.
Provider env EnsurePrivateDirUnder export internal/providerenv/env.go	Exports EnsurePrivateDirUnder helper used by provider runtime.
Provider runtime Codex onboarding tests internal/session/provider_runtime_test.go	Adds tests validating managed Codex home isolation, auth copy, permissions, and preservation for regular sessions.

Site landing metrics/provider data and UI components

Layer / File(s)	Summary
Provider data source and landing metrics packages/site/components/landing/*	Introduces SUPPORTED_AGENT_PROVIDERS/COUNT, refactors provider wiring, and updates hero/comparison and tests to use supported-count data.
Landing truth alignment and SSR import guard packages/site/lib/__tests__/landing-truth.test.tsx	Aligns provider-name checks to SUPPORTED_AGENT_PROVIDERS and adds assertion forbidding server-rendered modules from importing client-only supported-agents UI.
ToolCallCard header truncation and stories packages/ui/src/components/custom/*	Adds title attributes for long tool/file names, tests, and a long-header story.
Stepper components styling and re-exports packages/ui/src/components/reui/stepper.tsx, packages/ui/src/index.ts	Updates Stepper styles, adds StepperRail/StepperBody components, and re-exports them in packages UI index.

Assistant UI: virtualized thread messages hook

Layer / File(s)	Summary
useVirtualizedThreadMessages hook web/src/components/assistant-ui/hooks/use-virtualized-thread-messages.ts	Adds TanStack virtualizer hook that auto-scrolls to end when user is near-bottom and message count increases.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• compozy/agh#164 — Related UI change touching ToolCallCard behavior and tests.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch onboarding

[coderabbitai]

Actionable comments posted: 13

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

internal/tools/builtin/builtin_test.go (1)

39-57: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add explicit risk-flag assertions for the newly added tools.

ToolIDNetworkChannelCreate and ToolIDAgentCreate were added to MVP scope, but they are not explicitly covered in the risk-class assertion block. Please add direct requireDescriptorRisk(...) checks for both to prevent silent risk-policy drift.

As per coding guidelines: "MUST test meaningful business logic" and "Focus on critical paths: workflow execution, state management, error handling".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/tools/builtin/builtin_test.go` around lines 39 - 57, Add explicit
risk assertions for the two newly added tools by calling requireDescriptorRisk
for ToolIDNetworkChannelCreate and ToolIDAgentCreate in the risk-class assertion
block of internal/tools/builtin/builtin_test.go; locate the existing
requireDescriptorRisk(...) calls and insert matching lines for the symbols
ToolIDNetworkChannelCreate and ToolIDAgentCreate so the test verifies their risk
classifications explicitly and prevents silent risk-policy drift.

internal/api/udsapi/handlers_test.go (1)

1677-1805: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Assert HTTP status and SSE output in both cancellation subtests.

These checks mostly validate context cancellation, and the second path doesn't assert the HTTP response at all. A regression that returns the wrong status or skips the accepted-turn start frame could still pass here.

Suggested assertions

+		if recorder.Code != http.StatusOK {
+			t.Fatalf("status = %d, want %d; body=%s", recorder.Code, http.StatusOK, recorder.Body.String())
+		}
+		if body := recorder.Body.String(); !strings.Contains(body, `"type":"start","messageId":"turn-accepted"`) {
+			t.Fatalf("response body = %q, want early start frame with accepted turn id", body)
+		}

As per coding guidelines, **/*_test.go: Assert both HTTP status code AND response body in HTTP tests — status-code-only assertions are insufficient.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/api/udsapi/handlers_test.go` around lines 1677 - 1805, Add
assertions in TestPromptSessionHandlerSeparatesPromptExecutionFromDelivery (both
inner t.Run blocks "ShouldCancelDeliveryOnlyAfterRequestCancellation" and
"ShouldCancelDeliveryOnlyWhenStreamShutsDown") to validate the HTTP response
code and SSE output: assert recorder.Code equals the expected HTTP status (e.g.,
http.StatusOK) and assert recorder.Body.String() contains the early start frame
string `"type":"start","messageId":"turn-accepted"`. Update the second subtest
(ShouldCancelDeliveryOnlyWhenStreamShutsDown) which currently lacks response
checks to include the same status and body assertions; reference the existing
recorder and the earlier body assertion used in the first subtest.

🧹 Nitpick comments (6)

internal/session/provider_runtime_test.go (1)

126-208: ⚡ Quick win

Consider documenting the agent-name-based isolation override.

The test configures HomePolicy: aghconfig.ProviderHomePolicyOperator but expects isolation behavior because the session uses AgentName: aghconfig.OnboardingAgentName. This implicit override—where onboarding sessions receive managed isolation regardless of the configured home policy—is a critical contract that is not immediately obvious from the test structure.

Adding a brief comment before the test explaining this override behavior would improve clarity for future maintainers.

📝 Suggested comment

+	// Onboarding sessions receive managed isolation regardless of home policy.
+	// The agent name triggers redirection to an AGH-owned runtime directory
+	// where only native auth files are copied from the operator codex home.
 	t.Run("Should isolate onboarding codex home while preserving native auth", func(t *testing.T) {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/session/provider_runtime_test.go` around lines 126 - 208, Add a
short clarifying comment above the test that the onboarding session name
triggers an override in Manager.prepareProviderForStart: when Session.AgentName
== aghconfig.OnboardingAgentName the provider home is forced to an
isolated/managed path regardless of ResolvedAgent.HomePolicy (e.g.,
ProviderHomePolicyOperator), so the test intentionally expects managed
CODEX_HOME; reference Manager.prepareProviderForStart, Session.AgentName,
aghconfig.OnboardingAgentName and ResolvedAgent.HomePolicy in the comment.

internal/api/httpapi/prompt.go (1)

25-31: ⚡ Quick win

Move acceptedPromptStreamTurnID to core package to avoid duplication.

This helper is duplicated in internal/api/udsapi/prompt.go. Per coding guidelines, internal/api/core is the canonical handler home, and transport-duplicated parsing/validation should be avoided.

♻️ Suggested refactor

Move to internal/api/core/prompt_stream.go:

+// AcceptedPromptStreamTurnID extracts and validates the turn ID from a
+// SendPromptResult, returning an error if the turn ID is missing.
+func AcceptedPromptStreamTurnID(result session.SendPromptResult) (string, error) {
+	turnID := strings.TrimSpace(result.NewTurnID)
+	if turnID == "" {
+		return "", errors.New("accepted prompt stream missing turn id")
+	}
+	return turnID, nil
+}

Then update both httpapi/prompt.go and udsapi/prompt.go to call core.AcceptedPromptStreamTurnID(result).

As per coding guidelines: "internal/api/core is the canonical handler home. REST/UDS endpoints exist as shared BaseHandlers methods; HTTP and UDS only choose registration and authentication. No transport-duplicated parsing/validation."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/api/httpapi/prompt.go` around lines 25 - 31, Duplicate helper
acceptedPromptStreamTurnID should be moved into the core package and used by
both transports: create an exported function AcceptedPromptStreamTurnID(result
session.SendPromptResult) (string, error) in the core package (e.g.,
core/prompt_stream.go) that performs the same TrimSpace + empty-check logic,
replace calls in internal/api/httpapi/prompt.go and
internal/api/udsapi/prompt.go to call core.AcceptedPromptStreamTurnID(result),
remove the duplicated local acceptedPromptStreamTurnID implementations, and
update imports to reference the core package.

internal/api/httpapi/handlers_test.go (1)

1518-1550: 💤 Low value

Consider adding t.Parallel() for consistency.

Similar tests in this file mark the function level with t.Parallel(). This test has no timing dependencies that would require sequential execution.

Suggested fix

 func TestPromptSessionHandlerRequiresAcceptedTurnIDForAISDKStream(t *testing.T) {
+	t.Parallel()
+
 	t.Run("ShouldRejectAcceptedStreamWithoutDurableTurnID", func(t *testing.T) {
+		t.Parallel()
+
 		homePaths := newTestHomePaths(t)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/api/httpapi/handlers_test.go` around lines 1518 - 1550, The test
TestPromptSessionHandlerRequiresAcceptedTurnIDForAISDKStream is missing
t.Parallel() like other tests; add a call to t.Parallel() at the start of the
subtest function "ShouldRejectAcceptedStreamWithoutDurableTurnID" (or at the top
of TestPromptSessionHandlerRequiresAcceptedTurnIDForAISDKStream) so the test
runs in parallel with peers and maintains consistency with the rest of the file.

internal/daemon/native_create_tools.go (1)

129-131: ⚡ Quick win

Normalize the caller agent name before enforcing the onboarding global-scope guard.

The direct equality check can be brittle if caller identity formatting drifts. Normalize scope.AgentName before comparing to aghconfig.OnboardingAgentName.

♻️ Suggested hardening

-	if createReq.Scope == contract.AgentCreateScopeGlobal &&
-		strings.TrimSpace(scope.AgentName) == aghconfig.OnboardingAgentName {
+	if createReq.Scope == contract.AgentCreateScopeGlobal &&
+		aghconfig.NormalizeAgentName(scope.AgentName) == aghconfig.OnboardingAgentName {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/daemon/native_create_tools.go` around lines 129 - 131, The guard
that blocks creating a global-scope onboarding agent compares scope.AgentName
directly to aghconfig.OnboardingAgentName, which is brittle; normalize the
caller name before the comparison (e.g., trim whitespace and apply the same
casing normalization used elsewhere) and use that normalized value in the
conditional that checks createReq.Scope == contract.AgentCreateScopeGlobal and
compares against aghconfig.OnboardingAgentName so the check reliably detects the
onboarding agent (refer to scope.AgentName, createReq.Scope,
contract.AgentCreateScopeGlobal, and aghconfig.OnboardingAgentName).

internal/config/bootstrap_test.go (1)

337-395: ⚡ Quick win

Wrap this case in a t.Run("Should ...") subtest for policy compliance.

Line 337 currently defines the scenario directly in the top-level test body; please nest it under a t.Run("Should ...", ...) case.

As per coding guidelines **/*_test.go: MUST use t.Run("Should...") pattern for ALL test cases.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/config/bootstrap_test.go` around lines 337 - 395, Wrap the entire
body of TestEnsureOnboardingAgentCreatesValidProvisioningAgent in a t.Run
subtest (e.g. t.Run("Should create valid provisioning onboarding agent", func(t
*testing.T) { ... })) and move t.Parallel() inside that subtest; keep all
existing calls and assertions (EnsureOnboardingAgent, LoadAgentDef,
OnboardingAgentName, slices.Equal checks, file ReadFile checks, second
EnsureOnboardingAgent invocation) unchanged but nested so the test conforms to
the t.Run("Should ...") pattern required by the test guidelines.

internal/api/core/handlers_test.go (1)

805-808: ⚡ Quick win

Assert error body content alongside 404 status in new endpoint checks.

These new HTTP assertions only check status; add body assertions to verify the failure reason/path and avoid false positives.

♻️ Suggested assertion pattern

 onboardingResp := performRequest(t, fixture.Engine, http.MethodGet, "/agents/onboarding", nil)
 if onboardingResp.Code != http.StatusNotFound {
   t.Fatalf("get onboarding status = %d, want %d", onboardingResp.Code, http.StatusNotFound)
 }
+if !strings.Contains(onboardingResp.Body.String(), "not found") {
+  t.Fatalf("get onboarding body = %q, want not found message", onboardingResp.Body.String())
+}

As per coding guidelines: "Assert both HTTP status code AND response body in HTTP tests — status-code-only assertions are insufficient."

Also applies to: 1148-1151, 1270-1284

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/api/core/handlers_test.go` around lines 805 - 808, The test
currently only asserts the 404 status for the GET /agents/onboarding call using
performRequest and onboardingResp; update the test to also read and assert the
response body (e.g., onboardingResp.Body.String()/bytes) contains the expected
error message or path indicating why the resource is missing (for example an
error code or "/agents/onboarding" failure reason) so the test fails only when
both status AND body match; apply the same body-assertion pattern to the other
similar checks referenced (around lines 1148-1151 and 1270-1284) to ensure both
status and response payload are validated.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/api/core/fs_browse_test.go`:
- Around line 136-157: The tests currently only assert rec.Code (status) and
must also validate the error payload; for each subtest that calls browse(t,
engine, url.Values{...}) (e.g. the "Should reject relative paths", "Should
return 404 for a missing directory", and "Should return 400 when the path is a
file" cases) read rec.Body (rec.Body.String() or ioutil.ReadAll(rec.Body)),
assert the body is valid JSON and contains the expected error field/message
(e.g. unmarshal into map[string]string and assert map["error"] or map["message"]
contains the expected substring) and include that assertion alongside the
existing status assertion (use the appropriate status constants
http.StatusBadRequest/http.StatusNotFound to pick the expected message).

In `@internal/api/core/onboarding_test.go`:
- Around line 170-172: The test currently only checks rec.Code; add an assertion
that reads the response body (rec.Body.String()) and verifies the error payload
matches expectations for the 503 path (for example assert the body contains the
expected error text like "service unavailable" or unmarshal the JSON and assert
a specific error field/value). Update the subtest (where rec and the status
check live) to set wantBody (or check substring) and call t.Fatalf with both
rec.Code and the body when the assertion fails so regressions in the error
payload are caught.

In `@internal/cli/helpers_test.go`:
- Around line 34-36: The three stub function fields getOnboardingStatusFn,
completeOnboardingFn, and resetOnboardingFn currently lack a context parameter;
update their signatures to accept context.Context as the first argument and
change their return types to match contract.OnboardingStatusResponse, error,
then update the stub methods CompleteOnboarding, CompleteOnboarding, and
ResetOnboarding (the methods around lines 405–424) to forward the received ctx
to these function fields so the field types and method implementations match and
context is propagated correctly.

In `@internal/config/bootstrap.go`:
- Around line 133-148: The current check-then-write (os.Stat ... os.WriteFile)
can be raced; replace that flow with an atomic create: ensure agentDir is
created and chmod'ed as currently done, then attempt to create the file using
os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, privateFileMode) and write
contents to the returned file; if OpenFile fails with file-exists
(errors.Is(err, os.ErrExist) or syscall.EEXIST) return path, false, nil,
otherwise propagate the error with the same formatted messages; remove the
initial os.Stat branch and use os.OpenFile+write+close to guarantee no TOCTOU
overwrite for the managed agent file.

In `@internal/daemon/daemon_test.go`:
- Around line 2393-2415: Wrap the existing TestBootConfigEnsuresManagedAgents
body in a t.Run subtest (e.g., t.Run("Should ensure managed agents are present",
func(t *testing.T) { ... })) while preserving t.Parallel() and all
setup/assertions; move the homePaths, cfg, d, state, cleanup creation and the
call to d.bootConfig plus the loop that calls aghconfig.LoadAgentDef into the
subtest function. Ensure the outer TestBootConfigEnsuresManagedAgents remains as
the test entrypoint and only calls t.Run with the described subtest name.

In `@internal/daemon/native_create_tools_test.go`:
- Around line 177-199: Replace the weak nil-error assertions in the tests that
call registry.Call for toolspkg.ToolIDNetworkChannelCreate (the subtests "Should
reject an invalid channel name" and "Should require a purpose", and the similar
block at lines ~238-245) with specific error assertions: use testing helpers
like require.ErrorContains or errors.As/require.ErrorAs to assert the returned
error is the expected validation error type/class and that its message contains
the expected text (e.g., "invalid channel name" or "purpose cannot be blank");
locate the calls to registry.Call(t.Context(), toolspkg.Scope{},
toolspkg.CallRequest{...}) and replace the if err == nil { t.Fatal(...) } checks
with these targeted assertions referencing the validation error and expected
substring.

In `@internal/session/provider_runtime.go`:
- Around line 129-136: The gate in shouldUseManagedOnboardingCodexHome is using
resolved.Provider directly, which misses cases where resolved.RuntimeProvider is
set (alias/fallback); update shouldUseManagedOnboardingCodexHome to compute the
effective runtime provider (e.g., use resolved.RuntimeProvider if non-empty
otherwise resolved.Provider) and compare that value to runtimeProviderCodex
while keeping the other checks (sessionUsesManagedOnboardingAgent,
resolved.AuthMode, resolved.HomePolicy) unchanged; reference the
shouldUseManagedOnboardingCodexHome function and the runtimeProviderCodex symbol
so the comparison uses the effective provider rather than resolved.Provider
directly.

In `@internal/store/globaldb/global_db_app_metadata_test.go`:
- Around line 78-113: Wrap the existing test body of
TestAppMetadataReopenAfterRestart in a t.Run subtest (e.g. t.Run("Should reopen
and persist app metadata after restart", func(t *testing.T) { ... })) and move
t.Parallel() inside that subtest so the subtest uses the test runner's t; keep
the outer function name TestAppMetadataReopenAfterRestart but ensure all calls
(OpenGlobalDB, SetAppMetadata, Close, GetAppMetadata, t.Cleanup,
t.Fatalf/t.Errorf) use the subtest's t variable.
- Around line 55-61: The tests currently only assert non-nil errors for invalid
inputs in SetAppMetadata and GetAppMetadata; strengthen these by asserting the
specific error content or type: replace the err == nil checks in the "Should
reject blank keys" subtest (and the similar checks at lines 171-178) with
assertions that the error message contains an expected substring (e.g. "blank"
or "empty key") using ErrorContains, or match a sentinel error via errors.Is /
ErrorAs if the code exposes a specific error value (reference SetAppMetadata and
GetAppMetadata to locate where to change); ensure each invalid-input case
validates the exact error text/type rather than only non-nil.

In `@packages/site/components/landing/hero.tsx`:
- Around line 7-8: The computed additionalAgentCount can be negative when
SUPPORTED_AGENT_COUNT is less than featuredAgentNames.length; change the
calculation of additionalAgentCount to clamp to zero (e.g., use Math.max(0,
SUPPORTED_AGENT_COUNT - featuredAgentNames.length)) so the hero copy never
renders "and -N more." Update every place that computes or displays
additionalAgentCount (references: featuredAgentNames, additionalAgentCount,
SUPPORTED_AGENT_COUNT) to use the clamped value.

In `@packages/site/lib/__tests__/landing-truth.test.tsx`:
- Around line 127-136: The current string check using source.includes('from
"./supported-agents"') misses single-quote and aliased/path variants; replace it
with a regex test that matches import/require forms and any path segment ending
with "supported-agents" (e.g.
/from\s+['"][^'"]*\/?supported-agents(?:\/index)?['"]/ or include a require
variant) inside the test that iterates serverLandingMetricModules so the
violation triggers for single quotes, different relative paths, or alias
imports; update the code where source is checked in the test (the block
referencing serverLandingMetricModules and the includes call) to use this regex
instead.

In `@packages/ui/src/components/reui/stepper.tsx`:
- Around line 158-170: StepperRail and StepperBody currently destructure only
children and className and drop all other div props, preventing data-*, aria-*,
and event handlers from being passed through; update both components
(StepperRail and StepperBody) to accept the full ComponentProps<"div">, capture
remaining props via a rest parameter (e.g., ...props), merge className with cn
as before, and spread ...props onto the outer div so all attributes and handlers
(data-*, aria-*, events) are forwarded while preserving children and class
merging.
- Around line 145-146: The stepper component introduces ad-hoc arbitrary
Tailwind values (e.g., grid-cols-[26px_1fr], gap-x-[13px], and other occurrences
at the referenced ranges) which violate the tokens-only rule; replace each
arbitrary numeric utility in packages/ui/src/components/reui/stepper.tsx with
the corresponding design-token-backed utility from packages/ui/src/tokens.css
(refer to DESIGN.md for mappings) so the layout uses existing token
classes/variables (spacing, sizes, gaps, stroke widths, etc.) instead of raw
pixel brackets; update the className strings where grid-cols-[26px_1fr],
gap-x-[13px], and the other listed arbitrary values appear to use the proper
token names or CSS custom properties provided by the tokens file.

---

Outside diff comments:
In `@internal/api/udsapi/handlers_test.go`:
- Around line 1677-1805: Add assertions in
TestPromptSessionHandlerSeparatesPromptExecutionFromDelivery (both inner t.Run
blocks "ShouldCancelDeliveryOnlyAfterRequestCancellation" and
"ShouldCancelDeliveryOnlyWhenStreamShutsDown") to validate the HTTP response
code and SSE output: assert recorder.Code equals the expected HTTP status (e.g.,
http.StatusOK) and assert recorder.Body.String() contains the early start frame
string `"type":"start","messageId":"turn-accepted"`. Update the second subtest
(ShouldCancelDeliveryOnlyWhenStreamShutsDown) which currently lacks response
checks to include the same status and body assertions; reference the existing
recorder and the earlier body assertion used in the first subtest.

In `@internal/tools/builtin/builtin_test.go`:
- Around line 39-57: Add explicit risk assertions for the two newly added tools
by calling requireDescriptorRisk for ToolIDNetworkChannelCreate and
ToolIDAgentCreate in the risk-class assertion block of
internal/tools/builtin/builtin_test.go; locate the existing
requireDescriptorRisk(...) calls and insert matching lines for the symbols
ToolIDNetworkChannelCreate and ToolIDAgentCreate so the test verifies their risk
classifications explicitly and prevents silent risk-policy drift.

---

Nitpick comments:
In `@internal/api/core/handlers_test.go`:
- Around line 805-808: The test currently only asserts the 404 status for the
GET /agents/onboarding call using performRequest and onboardingResp; update the
test to also read and assert the response body (e.g.,
onboardingResp.Body.String()/bytes) contains the expected error message or path
indicating why the resource is missing (for example an error code or
"/agents/onboarding" failure reason) so the test fails only when both status AND
body match; apply the same body-assertion pattern to the other similar checks
referenced (around lines 1148-1151 and 1270-1284) to ensure both status and
response payload are validated.

In `@internal/api/httpapi/handlers_test.go`:
- Around line 1518-1550: The test
TestPromptSessionHandlerRequiresAcceptedTurnIDForAISDKStream is missing
t.Parallel() like other tests; add a call to t.Parallel() at the start of the
subtest function "ShouldRejectAcceptedStreamWithoutDurableTurnID" (or at the top
of TestPromptSessionHandlerRequiresAcceptedTurnIDForAISDKStream) so the test
runs in parallel with peers and maintains consistency with the rest of the file.

In `@internal/api/httpapi/prompt.go`:
- Around line 25-31: Duplicate helper acceptedPromptStreamTurnID should be moved
into the core package and used by both transports: create an exported function
AcceptedPromptStreamTurnID(result session.SendPromptResult) (string, error) in
the core package (e.g., core/prompt_stream.go) that performs the same TrimSpace
+ empty-check logic, replace calls in internal/api/httpapi/prompt.go and
internal/api/udsapi/prompt.go to call core.AcceptedPromptStreamTurnID(result),
remove the duplicated local acceptedPromptStreamTurnID implementations, and
update imports to reference the core package.

In `@internal/config/bootstrap_test.go`:
- Around line 337-395: Wrap the entire body of
TestEnsureOnboardingAgentCreatesValidProvisioningAgent in a t.Run subtest (e.g.
t.Run("Should create valid provisioning onboarding agent", func(t *testing.T) {
... })) and move t.Parallel() inside that subtest; keep all existing calls and
assertions (EnsureOnboardingAgent, LoadAgentDef, OnboardingAgentName,
slices.Equal checks, file ReadFile checks, second EnsureOnboardingAgent
invocation) unchanged but nested so the test conforms to the t.Run("Should ...")
pattern required by the test guidelines.

In `@internal/daemon/native_create_tools.go`:
- Around line 129-131: The guard that blocks creating a global-scope onboarding
agent compares scope.AgentName directly to aghconfig.OnboardingAgentName, which
is brittle; normalize the caller name before the comparison (e.g., trim
whitespace and apply the same casing normalization used elsewhere) and use that
normalized value in the conditional that checks createReq.Scope ==
contract.AgentCreateScopeGlobal and compares against
aghconfig.OnboardingAgentName so the check reliably detects the onboarding agent
(refer to scope.AgentName, createReq.Scope, contract.AgentCreateScopeGlobal, and
aghconfig.OnboardingAgentName).

In `@internal/session/provider_runtime_test.go`:
- Around line 126-208: Add a short clarifying comment above the test that the
onboarding session name triggers an override in Manager.prepareProviderForStart:
when Session.AgentName == aghconfig.OnboardingAgentName the provider home is
forced to an isolated/managed path regardless of ResolvedAgent.HomePolicy (e.g.,
ProviderHomePolicyOperator), so the test intentionally expects managed
CODEX_HOME; reference Manager.prepareProviderForStart, Session.AgentName,
aghconfig.OnboardingAgentName and ResolvedAgent.HomePolicy in the comment.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4c2ce408-26a5-4b9d-b916-e3358d51c1e6

📥 Commits

Reviewing files that changed from the base of the PR and between b32b11d and e67bc2b.

⛔ Files ignored due to path filters (74)

• .agents/skills/humanizer/README.md is excluded by !**/*.md, !.agents/**
• .agents/skills/humanizer/SKILL.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/SKILL.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/agents/impeccable-asset-producer.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/adapt.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/animate.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/audit.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/bolder.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/brand.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/clarify.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/codex.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/cognitive-load.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/color-and-contrast.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/colorize.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/craft.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/critique.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/delight.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/distill.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/document.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/extract.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/harden.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/heuristics-scoring.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/interaction-design.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/layout.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/live.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/motion-design.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/onboard.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/optimize.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/overdrive.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/personas.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/polish.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/product.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/quieter.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/responsive-design.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/shape.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/spatial-design.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/teach.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/typeset.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/typography.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/reference/ux-writing.md is excluded by !**/*.md, !.agents/**
• .agents/skills/impeccable/scripts/cleanup-deprecated.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/command-metadata.json is excluded by !**/*.json, !.agents/**
• .agents/skills/impeccable/scripts/critique-storage.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/design-parser.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/detect-csp.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/detect.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/impeccable-paths.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/is-generated.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/live-accept.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/live-browser-session.js is excluded by !.agents/**
• .agents/skills/impeccable/scripts/live-browser.js is excluded by !.agents/**
• .agents/skills/impeccable/scripts/live-complete.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/live-completion.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/live-inject.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/live-poll.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/live-resume.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/live-server.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/live-session-store.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/live-status.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/live-wrap.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/live.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/load-context.mjs is excluded by !.agents/**
• .agents/skills/impeccable/scripts/modern-screenshot.umd.js is excluded by !.agents/**
• .agents/skills/impeccable/scripts/pin.mjs is excluded by !.agents/**
• COPY.md is excluded by !**/*.md
• internal/tools/builtin/testdata/native-tool-catalog.json is excluded by !**/*.json
• openapi/agh.json is excluded by !**/*.json
• packages/site/content/runtime/api-reference/meta.json is excluded by !**/*.json
• packages/site/content/runtime/core/agents/definitions.mdx is excluded by !**/*.mdx
• skills-lock.json is excluded by !**/*.json
• skills/agh/references/agent-definitions.md is excluded by !**/*.md
• skills/agh/references/native-tools.md is excluded by !**/*.md
• skills/agh/references/runtime-operations.md is excluded by !**/*.md
• web/src/generated/agh-openapi.d.ts is excluded by !**/generated/**

📒 Files selected for processing (148)

• internal/api/contract/fs.go
• internal/api/contract/onboarding.go
• internal/api/core/agent_create.go
• internal/api/core/conversions.go
• internal/api/core/fs_browse.go
• internal/api/core/fs_browse_test.go
• internal/api/core/handler_edge_cases_test.go
• internal/api/core/handlers.go
• internal/api/core/handlers_test.go
• internal/api/core/interfaces.go
• internal/api/core/memory_workspace_test.go
• internal/api/core/onboarding.go
• internal/api/core/onboarding_test.go
• internal/api/core/prompt_stream.go
• internal/api/core/prompt_stream_test.go
• internal/api/core/workspaces.go
• internal/api/httpapi/handlers.go
• internal/api/httpapi/handlers_error_test.go
• internal/api/httpapi/handlers_test.go
• internal/api/httpapi/prompt.go
• internal/api/httpapi/prompt_drain_test.go
• internal/api/httpapi/routes.go
• internal/api/httpapi/server.go
• internal/api/httpapi/stream_helpers_test.go
• internal/api/spec/spec.go
• internal/api/udsapi/handlers_test.go
• internal/api/udsapi/prompt.go
• internal/api/udsapi/routes.go
• internal/api/udsapi/server.go
• internal/api/udsapi/server_test.go
• internal/cli/agent.go
• internal/cli/agent_commands_test.go
• internal/cli/client.go
• internal/cli/client_onboarding.go
• internal/cli/helpers_test.go
• internal/cli/install.go
• internal/cli/onboarding.go
• internal/cli/root.go
• internal/config/agent.go
• internal/config/bootstrap.go
• internal/config/bootstrap_test.go
• internal/daemon/agent_skill_resources.go
• internal/daemon/agent_skill_resources_test.go
• internal/daemon/boot.go
• internal/daemon/daemon.go
• internal/daemon/daemon_test.go
• internal/daemon/native_create_tools.go
• internal/daemon/native_create_tools_test.go
• internal/daemon/native_tools.go
• internal/providerenv/env.go
• internal/session/interfaces.go
• internal/session/manager_busy_input.go
• internal/session/manager_prompt.go
• internal/session/manager_prompt_lifetime_test.go
• internal/session/provider_runtime.go
• internal/session/provider_runtime_test.go
• internal/store/globaldb/global_db.go
• internal/store/globaldb/global_db_app_metadata.go
• internal/store/globaldb/global_db_app_metadata_test.go
• internal/store/globaldb/global_db_test.go
• internal/store/store.go
• internal/tools/builtin/builtin_test.go
• internal/tools/builtin/descriptors.go
• internal/tools/builtin/network.go
• internal/tools/builtin/toolsets.go
• internal/tools/builtin/workspace.go
• internal/tools/builtin_ids.go
• packages/site/components/landing/__tests__/landing.test.tsx
• packages/site/components/landing/comparison.tsx
• packages/site/components/landing/hero.tsx
• packages/site/components/landing/provider-data.ts
• packages/site/components/landing/supported-agents.tsx
• packages/site/lib/__tests__/landing-truth.test.tsx
• packages/site/lib/runtime-navigation.ts
• packages/site/scripts/generate-openapi.ts
• packages/ui/src/components/custom/__tests__/tool-call-card.test.tsx
• packages/ui/src/components/custom/stories/tool-call-card.stories.tsx
• packages/ui/src/components/custom/tool-call-card.tsx
• packages/ui/src/components/reui/stepper.tsx
• packages/ui/src/index.ts
• web/src/components/assistant-ui/hooks/use-virtualized-thread-messages.ts
• web/src/components/assistant-ui/session-thread.tsx
• web/src/components/assistant-ui/stories/session-thread.stories.tsx
• web/src/hooks/routes/__tests__/use-session-page-controls.test.tsx
• web/src/hooks/routes/use-session-detail-page.ts
• web/src/hooks/routes/use-session-page-controls.ts
• web/src/hooks/routes/use-session-topbar-slot.tsx
• web/src/routes/__tests__/-_app.test.tsx
• web/src/routes/_app.tsx
• web/src/routes/_app/__tests__/-agents.$name.test.tsx
• web/src/routes/_app/agents.$name.tsx
• web/src/routes/_app/stories/-agents.$name.stories.tsx
• web/src/routes/_app/stories/-index.stories.tsx
• web/src/systems/agent/components/__tests__/agent-sessions-list.test.tsx
• web/src/systems/agent/components/agent-category-tree.tsx
• web/src/systems/agent/components/agent-sessions-list.tsx
• web/src/systems/agent/hooks/use-agent-category-tree-model.ts
• web/src/systems/agent/index.ts
• web/src/systems/agent/lib/__tests__/session-view.test.ts
• web/src/systems/agent/lib/session-status.ts
• web/src/systems/agent/lib/session-view.ts
• web/src/systems/onboarding/adapters/onboarding-api.ts
• web/src/systems/onboarding/components/__tests__/step-onboarding-chat.test.tsx
• web/src/systems/onboarding/components/directory-browser.tsx
• web/src/systems/onboarding/components/onboarding-wizard.tsx
• web/src/systems/onboarding/components/step-default-model.tsx
• web/src/systems/onboarding/components/step-onboarding-chat.tsx
• web/src/systems/onboarding/components/step-workspaces.tsx
• web/src/systems/onboarding/components/stories/onboarding-steps.stories.tsx
• web/src/systems/onboarding/hooks/__tests__/use-onboarding-chat.test.tsx
• web/src/systems/onboarding/hooks/use-complete-onboarding.ts
• web/src/systems/onboarding/hooks/use-directory-browser.ts
• web/src/systems/onboarding/hooks/use-onboarding-chat.ts
• web/src/systems/onboarding/hooks/use-onboarding-default-model.ts
• web/src/systems/onboarding/hooks/use-onboarding-status.ts
• web/src/systems/onboarding/hooks/use-onboarding-wizard.ts
• web/src/systems/onboarding/hooks/use-onboarding-workspaces.ts
• web/src/systems/onboarding/index.ts
• web/src/systems/onboarding/lib/__tests__/provider-request.test.ts
• web/src/systems/onboarding/lib/provider-request.ts
• web/src/systems/onboarding/lib/query-keys.ts
• web/src/systems/onboarding/lib/query-options.ts
• web/src/systems/onboarding/stores/__tests__/use-onboarding-draft-store.test.ts
• web/src/systems/onboarding/stores/use-onboarding-draft-store.ts
• web/src/systems/onboarding/types.ts
• web/src/systems/runtime/components/__tests__/app-sidebar.test.tsx
• web/src/systems/runtime/components/app-sidebar.tsx
• web/src/systems/session/adapters/__tests__/session-api.test.ts
• web/src/systems/session/adapters/session-api.ts
• web/src/systems/session/components/__tests__/session-chat-runtime-provider.test.tsx
• web/src/systems/session/components/__tests__/tool-call-card.test.tsx
• web/src/systems/session/components/permission-prompt.tsx
• web/src/systems/session/components/runtime-activity-notice.tsx
• web/src/systems/session/components/session-chat-runtime-provider.tsx
• web/src/systems/session/components/session-resume-failure.tsx
• web/src/systems/session/components/tool-call-card.tsx
• web/src/systems/session/hooks/use-runtime-transcript-hydration.ts
• web/src/systems/session/hooks/use-session-live-tail.ts
• web/src/systems/session/hooks/use-session-transcript-thread-messages.ts
• web/src/systems/session/index.ts
• web/src/systems/session/lib/__tests__/tool-labels.test.ts
• web/src/systems/session/lib/session-history-adapter.ts
• web/src/systems/session/lib/session-running.ts
• web/src/systems/session/lib/session-thread-repository.ts
• web/src/systems/session/lib/session-toolkit.tsx
• web/src/systems/session/lib/session-transcript-thread-context.tsx
• web/src/systems/session/lib/session-visibility.ts
• web/src/systems/session/lib/tool-labels.ts

💤 Files with no reviewable changes (3)

• internal/api/httpapi/prompt_drain_test.go
• internal/api/httpapi/stream_helpers_test.go
• internal/api/udsapi/server_test.go

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

internal/api/core/prompt_stream.go (1)

185-198: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Defer messageStarted state mutation until after WriteSSE succeeds.

Start() marks the stream as started before the write. If WriteSSE fails, retries are skipped and the encoder stays in an invalid state.

Proposed fix

 func (e *PromptStreamEncoder) Start(writer FlushWriter, messageID string) error {
 	e.ensureInitialized()
 	messageID = strings.TrimSpace(messageID)
 	if messageID == "" {
 		return errors.New("prompt stream start requires message id")
 	}
 	if e.messageStarted {
 		return nil
 	}
-	e.messageID = messageID
-	e.messageStarted = true
-	return WriteSSE(writer, SSEMessage{
-		Data: promptStartPayload{Type: "start", MessageID: e.messageID},
-	})
+	if err := WriteSSE(writer, SSEMessage{
+		Data: promptStartPayload{Type: "start", MessageID: messageID},
+	}); err != nil {
+		return err
+	}
+	e.messageID = messageID
+	e.messageStarted = true
+	return nil
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/api/core/prompt_stream.go` around lines 185 - 198, The Start method
currently sets e.messageStarted before attempting to write, so if WriteSSE fails
the encoder remains marked started; change PromptStreamEncoder.Start to assign
e.messageID (after trimming/validation) but defer setting e.messageStarted =
true until after WriteSSE returns nil, i.e., call WriteSSE(writer,
SSEMessage{...}) first and only on a successful (nil) return set
e.messageStarted = true and then return nil; keep the existing early-return when
e.messageStarted is true and ensure no state mutation occurs if WriteSSE errors.

internal/session/provider_runtime.go (1)

194-218: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove stale managed auth.json when the operator Codex login disappears.

If CODEX_HOME is unset or the operator auth.json has been removed, this returns nil and leaves any previously copied codexHome/auth.json in place. That allows managed onboarding to keep using stale native-CLI auth after the operator has logged out or switched accounts.

🛠️ Suggested fix

 func materializeOnboardingCodexAuth(env []string, codexHome string) error {
 	sourceHome := operatorCodexHome(env)
+	targetAuth := filepath.Join(codexHome, codexAuthFileName)
 	if sourceHome == "" {
+		if err := os.Remove(targetAuth); err != nil && !errors.Is(err, os.ErrNotExist) {
+			return fmt.Errorf("remove onboarding codex auth %q: %w", targetAuth, err)
+		}
 		return nil
 	}
 	sourceAuth := filepath.Join(sourceHome, codexAuthFileName)
-	targetAuth := filepath.Join(codexHome, codexAuthFileName)
 	if sourceAuth == targetAuth {
 		return nil
 	}
 	payload, err := os.ReadFile(sourceAuth)
 	if err != nil {
 		if errors.Is(err, os.ErrNotExist) {
+			if rmErr := os.Remove(targetAuth); rmErr != nil && !errors.Is(rmErr, os.ErrNotExist) {
+				return fmt.Errorf("remove onboarding codex auth %q: %w", targetAuth, rmErr)
+			}
 			return nil
 		}
 		return fmt.Errorf("read operator codex auth %q: %w", sourceAuth, err)
 	}

As per coding guidelines "Provider auth boundary. Native ACP providers (auth_mode = native_cli) use provider-owned CLI login/session state and MUST NOT require AGH-bound API-key credential_slots."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/session/provider_runtime.go` around lines 194 - 218,
materializeOnboardingCodexAuth currently leaves a previously copied codex
auth.json in place when the operator CLI login disappears; update the function
so that when operatorCodexHome(env) returns empty or when
os.ReadFile(sourceAuth) returns os.ErrNotExist it removes any existing
targetAuth (filepath.Join(codexHome, codexAuthFileName)) before returning,
handling and propagating remove errors (use os.Remove or equivalent and wrap
errors with context like "remove onboarding codex auth %q"); keep the existing
successful write/Chmod path unchanged.

internal/api/httpapi/handlers_test.go (1)

1758-1772: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Assert the HTTP status in this cancellation-path test.

This only validates the SSE body. A regression that still writes the start frame but changes the response code would pass unnoticed.

💡 Suggested test tightening

 		select {
 		case <-done:
 		case <-time.After(time.Second):
 			t.Fatal("handler did not return after request cancellation")
 		}
 
 		if err := executionCtx.Err(); err != nil {
 			t.Fatalf("execution context err = %v, want nil after request cancellation", err)
 		}
 		if !errors.Is(deliveryCtx.Err(), context.Canceled) {
 			t.Fatalf("delivery context err = %v, want context.Canceled", deliveryCtx.Err())
 		}
+		if recorder.Code != http.StatusOK {
+			t.Fatalf("status = %d, want %d; body=%s", recorder.Code, http.StatusOK, recorder.Body.String())
+		}
 		if body := recorder.Body.String(); !strings.Contains(body, `"type":"start","messageId":"turn-accepted"`) {
 			t.Fatalf("response body = %q, want early start frame with accepted turn id", body)
 		}

As per coding guidelines "Assert both HTTP status code AND response body in HTTP tests — status-code-only assertions are insufficient."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/api/httpapi/handlers_test.go` around lines 1758 - 1772, The test
currently only checks the SSE body on request cancellation; add an assertion
that the HTTP response status code is the expected value (e.g. http.StatusOK)
before inspecting the body. Locate the test block using variables done,
executionCtx, deliveryCtx and recorder and add a check like: if recorder.Code !=
http.StatusOK { t.Fatalf(...)} (or use recorder.Result().StatusCode) ensuring
net/http's status constant is used and this assertion is placed prior to the
body content check.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@internal/api/core/prompt_stream.go`:
- Around line 185-198: The Start method currently sets e.messageStarted before
attempting to write, so if WriteSSE fails the encoder remains marked started;
change PromptStreamEncoder.Start to assign e.messageID (after
trimming/validation) but defer setting e.messageStarted = true until after
WriteSSE returns nil, i.e., call WriteSSE(writer, SSEMessage{...}) first and
only on a successful (nil) return set e.messageStarted = true and then return
nil; keep the existing early-return when e.messageStarted is true and ensure no
state mutation occurs if WriteSSE errors.

In `@internal/api/httpapi/handlers_test.go`:
- Around line 1758-1772: The test currently only checks the SSE body on request
cancellation; add an assertion that the HTTP response status code is the
expected value (e.g. http.StatusOK) before inspecting the body. Locate the test
block using variables done, executionCtx, deliveryCtx and recorder and add a
check like: if recorder.Code != http.StatusOK { t.Fatalf(...)} (or use
recorder.Result().StatusCode) ensuring net/http's status constant is used and
this assertion is placed prior to the body content check.

In `@internal/session/provider_runtime.go`:
- Around line 194-218: materializeOnboardingCodexAuth currently leaves a
previously copied codex auth.json in place when the operator CLI login
disappears; update the function so that when operatorCodexHome(env) returns
empty or when os.ReadFile(sourceAuth) returns os.ErrNotExist it removes any
existing targetAuth (filepath.Join(codexHome, codexAuthFileName)) before
returning, handling and propagating remove errors (use os.Remove or equivalent
and wrap errors with context like "remove onboarding codex auth %q"); keep the
existing successful write/Chmod path unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 02ad325f-a035-4a23-a9aa-33d5b970c4a1

📥 Commits

Reviewing files that changed from the base of the PR and between e67bc2b and 6ea0e29.

📒 Files selected for processing (21)

• internal/api/core/fs_browse_test.go
• internal/api/core/handlers_test.go
• internal/api/core/onboarding_test.go
• internal/api/core/prompt_stream.go
• internal/api/httpapi/handlers_test.go
• internal/api/httpapi/prompt.go
• internal/api/udsapi/handlers_test.go
• internal/api/udsapi/prompt.go
• internal/cli/helpers_test.go
• internal/config/bootstrap.go
• internal/config/bootstrap_test.go
• internal/daemon/daemon_test.go
• internal/daemon/native_create_tools.go
• internal/daemon/native_create_tools_test.go
• internal/session/provider_runtime.go
• internal/session/provider_runtime_test.go
• internal/store/globaldb/global_db_app_metadata_test.go
• internal/tools/builtin/builtin_test.go
• packages/site/components/landing/hero.tsx
• packages/site/lib/__tests__/landing-truth.test.tsx
• packages/ui/src/components/reui/stepper.tsx