You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Scope:internal/outbox — the §8.2 state machine; retryable-vs-terminal
classification on the CR-07 typed errors (not HTTP); §8.3 per-kind
reconciliation predicates (marker for body-bearing; host-state for resolve_thread; mandatory marker for submit_review); §8.4 post algorithm
(reconcile → ordered post per §11.1 → finalize); §8.5 required-action set → outcome + exit code; the per-host posting token bucket (§14). Two
special errors (Codex 2nd-pass Pilot: add release machinery (version.txt, goreleaser, identity, reusable callers) #2/ci: adopt shared composite actions and add lint config #3): ErrStaleSHA is a run-level abort
sentinel — halt the whole post phase, outcome='aborted', exit 5 (never failed_terminal); ErrConflict (409) reconciles with an explicit
fallback (Codex re-review Pilot: add release machinery (version.txt, goreleaser, identity, reusable callers) #2) — re-check the §8.3 predicate on fresh host
state: satisfied → posted; else a more-specific wrapped typed error →
classify by it; else (bare 409) → failed_terminal (non-auth, exit 1 if
required). No blind success, never left unclassified. Embeds markers at
post time
(§8.4) — see CR-18. Reconciles + posts through the GitProvider interface
(CR-07); the fake provider is sufficient to test all idempotency/crash-
recovery behavior.
Out of scope: the gate's decision into the outbox (CR-14); the action planner that builds the rows (CR-18); concrete GitHub writes (CR-21 wires
CR-10).
DoD: §19 "kill mid-post, rerun, exactly the missing one posts, zero dupes"
per action kind incl. resolve_thread + submit_review; required-action exit
codes (1/3/5/0); retryable stays pending; ErrStaleSHA aborts the run
(exit 5), not failed_terminal — and earlier already-posted actions in
that run stay posted (audit evidence carrying the stale sha/base; a
later re-pinned run reconciles them — Codex re-review confirmed this is not an
idempotency bug); ErrConflict resolves by the 3-way fallback (predicate
satisfied → posted; wrapped error → reclassify; bare 409 → failed_terminal
non-auth) — all against the fake provider (injectable errors from CR-07);
green.
Depends: CR-06, CR-07, CR-11.
Keep this issue scoped to the section above. Follow the one-issue/one-branch/one-PR sequence and keep the repo green at merge.
Source plan:
issue-sequence.mddraft 6 in/Users/rianjs/dev.CR-12 — outbox / poster (host-agnostic) + per-host token bucket
Codex Pilot: migrate CI onto shared composite actions #1/Pilot: add release machinery (version.txt, goreleaser, identity, reusable callers) #2/CR-03: state paths + percent-encoding (§6 layout) #10.
internal/outbox— the §8.2 state machine; retryable-vs-terminalclassification on the CR-07 typed errors (not HTTP); §8.3 per-kind
reconciliation predicates (marker for body-bearing; host-state for
resolve_thread; mandatory marker forsubmit_review); §8.4 post algorithm(reconcile → ordered post per §11.1 → finalize); §8.5 required-action set →
outcome+ exit code; the per-host posting token bucket (§14). Twospecial errors (Codex 2nd-pass Pilot: add release machinery (version.txt, goreleaser, identity, reusable callers) #2/ci: adopt shared composite actions and add lint config #3):
ErrStaleSHAis a run-level abortsentinel — halt the whole post phase,
outcome='aborted', exit5(neverfailed_terminal);ErrConflict(409) reconciles with an explicitfallback (Codex re-review Pilot: add release machinery (version.txt, goreleaser, identity, reusable callers) #2) — re-check the §8.3 predicate on fresh host
state: satisfied →
posted; else a more-specific wrapped typed error →classify by it; else (bare 409) →
failed_terminal(non-auth, exit1ifrequired). No blind success, never left unclassified. Embeds markers at
post time
(§8.4) — see CR-18. Reconciles + posts through the
GitProviderinterface(CR-07); the fake provider is sufficient to test all idempotency/crash-
recovery behavior.
planner that builds the rows (CR-18); concrete GitHub writes (CR-21 wires
CR-10).
per action kind incl.
resolve_thread+submit_review; required-action exitcodes (
1/3/5/0); retryable stayspending;ErrStaleSHAaborts the run(exit 5), not
failed_terminal— and earlier already-postedactions inthat run stay
posted(audit evidence carrying the stale sha/base; alater re-pinned run reconciles them — Codex re-review confirmed this is not an
idempotency bug);
ErrConflictresolves by the 3-way fallback (predicatesatisfied →
posted; wrapped error → reclassify; bare 409 →failed_terminalnon-auth) — all against the fake provider (injectable errors from CR-07);
green.
Keep this issue scoped to the section above. Follow the one-issue/one-branch/one-PR sequence and keep the repo green at merge.