Merged
Conversation
Member
NathanFlurry
commented
Apr 12, 2026
NathanFlurry
commented
- feat: US-001 - Extract state types from service.rs and expand protocol.rs
- feat: US-002 - Extract vm.rs from service.rs
- feat: US-003 - Extract bootstrap.rs and bridge.rs from service.rs
- feat: US-004 - Extract filesystem.rs from service.rs
- feat: US-005 - Extract execution.rs from service.rs
- feat: US-006 - Reorganize existing plugin files into plugins/ directory
- feat: US-007 - Move inline service.rs tests to crates/sidecar/tests/
- feat: US-008 - Convert sidecar main loop from nix::poll to tokio::select!
- chore: scope test commands in PRD to avoid pre-existing failures, add US-029 for full green
- docs: clarify Node.js execution model in crates/CLAUDE.md
- docs: add critical no-host-escape invariant to all CLAUDE.md files, flag Node.js execution as broken
- docs: add recovery reference for secure-exec polyfill code to CLAUDE.md files
- chore: add US-008a - restore V8 isolate execution engine as next priority
- feat: US-008a - Restore V8 isolate execution engine with kernel-backed polyfills
- feat: US-009 - Add bidirectional frame support to wire protocol and TypeScript client
- chore: add US-009a - register missing V8 bridge functions and clean up dead node code
- chore: add US-028a - fix V8 dgram/UDP bridge wiring
- docs: absolute no-host-execution rule in all CLAUDE.md - no fallbacks, no flags, no exceptions
- feat: US-009a - Register missing V8 bridge functions, remove dead node_binary() code, verify tests exercise V8 path
- feat: US-010 - Implement declarative permissions in Rust and replace TypeScript permission-descriptors.ts
- feat: [US-011] - Add layer RPCs and native module access
- feat: US-030 - Fix timer scheduling so setTimeout/setInterval actually fire
- chore: fix prd story status
- chore: fix prd story statuses
- feat: US-031 - Wire stdin reads to kernel process stdin
- feat: US-032 - Implement crypto basic handlers (randomFill, randomUUID, hash, hmac, pbkdf2, scrypt)
- feat: US-012 - Add JS-bridge mount plugin for TypeScript VirtualFileSystem callbacks
- feat: US-034 - Add TCP socket advanced ops to sidecar dispatch
- feat: US-035 - Add TLS support to sidecar dispatch
- feat: US-036 - Add HTTP/1 server request/respond handlers to sidecar
- feat: US-033 - Implement crypto advanced handlers (ciphers, keys, signatures, DH, subtle)
- feat: US-039 - Wire PTY raw mode to kernel
- feat: US-039 - Wire PTY raw mode to kernel
- feat: US-038 - Add upgrade socket and dgram extras to sidecar
- chore: mark US-038 passed in prd
- feat: US-040 - Triage and fix failing execution tests for V8 path
- feat: US-037 - Add HTTP/2 full stack to sidecar
- feat: US-017 - Move command resolution and path mapping to sidecar
- feat: US-018 - Delete TypeScript command resolution and path mapping code
- feat: US-019 - Implement virtual process support in kernel process table
- feat: US-020 - Implement tool dispatch, shim gen, prompt gen, and argv parsing in sidecar
- feat: US-021 - Delete TypeScript host-tools files and add zodToJsonSchema converter
- feat: US-022 - Implement JSON-RPC 2.0 NDJSON codec and ACP client in Rust
- feat: US-023 - Implement session state machine and agent compatibility layer in Rust
- feat: US-024 - Implement inbound ACP request handling in Rust
- feat: US-025 - Delete TypeScript ACP/session files and wire to sidecar RPCs
- feat: US-026 - Embed rusqlite and expose SQLite RPCs in sidecar
- feat: US-027 - Consolidate sidecar/ TypeScript files and eliminate native-kernel-proxy.ts
- feat: US-028 - Gut runtime.ts to types.ts and verify final target architecture
- feat: US-028a - Fix V8 bridge dgram/UDP wiring so guest UDP packets reach the host
- feat: US-029 - Fix all remaining test failures and get full pnpm test green
- feat: US-048 - Comprehensive module resolution test suite for V8 LocalBridgeState resolver
- feat: US-049 - Fix module resolution bugs found by test suite
- feat: US-050 - Pi SDK boot probe — require Pi SDK in V8 and log all failures
- feat: US-051 - Node.js builtin conformance tests scoped to Pi SDK dependencies
- feat: US-056 - Replace hand-written polyfill stubs with node-stdlib-browser
- feat: US-057 - Replace _networkFetchRaw with undici over kernel TCP sockets
- feat: US-054 - Comprehensive CJS/ESM interop and edge case test suite
- feat: US-054 - Comprehensive CJS/ESM interop and edge case test suite
- feat: US-055 - Fix CJS/ESM interop gaps found by test suite
- feat: US-055 - Fix CJS/ESM interop gaps found by test suite
- feat: US-058 - Add formal bridge contract and restore _loadPolyfill mechanism
- feat: US-051 - Node.js builtin conformance tests scoped to Pi SDK dependencies
- feat: US-052 - Fix V8 polyfill conformance gaps found by boot probe and conformance tests
- feat: US-059 - Add missing Node.js builtin polyfills: os, tty, perf_hooks, zlib, timers/promises, stream/promises
- feat: US-053 - Pi agent E2E with full SDK — boot, prompt, tool use, response
- feat: US-046 - Port signal handling to V8 bridge
- feat: US-047 - CI pipeline for V8 runtime binary
- feat: US-060 - Deny dangerous builtins explicitly: vm, worker_threads, inspector, v8, cluster, diagnostics_channel, async_hooks
- feat: US-061 - Implement fs.watch/fs.watchFile and createReadStream/createWriteStream
- feat: US-062 - Add HTTP/2 secure server/client support and fix stub handlers
- feat: US-063 - Python/Pyodide: Add network access through kernel and child_process support
- feat: US-069 - Builtin completeness gate test — every Node.js builtin loads or explicitly denies
- feat: US-070 - Fix WASM command PATH resolution so agents find sh, grep, sed, etc.
- feat: US-071 - Test and fix require.resolve() for guest code
- feat: US-072 - CJS export extraction runtime fallback via Object.keys()
- docs: record CJS fallback guidance
- feat: US-073 - AbortSignal/AbortController completeness for fetch and HTTP timeouts
- feat: US-074 - fs.promises true async behavior — don't block on concurrent operations
- feat: US-064 - Python/Pyodide: Add micropip support and dynamic package installation
- feat: US-075 - Verify unmodified Pi CLI (pi-acp) works E2E via createSession('pi-cli')
- feat: US-079 - Test session cleanup and resource leak prevention for all agent types
- feat: US-066 - Add POSIX compliance tests for /proc, /dev, signals, and process model
- feat: US-080 - Test suite for POSIX path edge cases from agent-os-posix-path-repro
- feat: US-109 - Commit and verify Claude adapter configuration changes (shell, env flags, stdio)
- feat: US-110 - Fix Claude SDK CLI patching for V8 runtime (build-patched-cli.mjs)
- feat: US-111 - Claude agent E2E: text response, xu command, nested node spawn all pass
- feat: US-076 - Verify Claude agent (claude-agent-sdk) works E2E via createSession('claude')
- feat: US-CC-001 - Fix @rivet-dev/agent-os workspace name → @rivet-dev/agent-os-core across all packages
- feat: US-CC-002 - Fix node:events module shape — EventEmitter must be the default export
- feat: US-CC-003 - Fix stream async iterator — Symbol.asyncIterator for Readable streams
- feat: US-CC-004 - Fix WASM child process stdout relay
- feat: US-CC-005 - Fix Claude adapter shell default and environment flags
- feat: US-CC-006 - Fix Claude SDK CLI patching for V8 runtime
- feat: US-CC-007 - Claude agent full E2E — text, xu command, nested node spawn, session lifecycle
- feat: US-CC-008 - Quickstart agent-session.ts works E2E with Claude without modification
- feat: US-001 - Restore root workspace install and lockfile consistency
- feat: US-002 - Restore package-local Vitest resolution and pnpm exec paths
- feat: US-003 - Archive stale Ralph artifacts and reset test-policy docs
- feat: US-004 - Fix execution WASM tests for SyncRpcRequest events
- feat: US-005 - Fix V8 bridge registration drift from the canonical bridge contract
- feat: US-006 - Restore the full agent-os-v8-runtime suite and isolated snapshot workflow
- feat: US-007 - Fix sidecar VM dispose and kill cleanup semantics for active guest executions
- feat: US-008 - Restore moduleAccessCwd visibility for projected node_modules packages
- feat: US-009 - Restore OpenCode package projection and headless package tests
- feat: US-010 - Restore Claude Code package projection and investigation tests
- feat: US-011 - Restore listAgents surface and add agent launch-environment coverage
- feat: US-012 - Restore read-only base-filesystem behavior for preseeded lowers
- feat: US-013 - Restore /etc/agentos instructions readability from inside guest exec
- feat: US-014 - Restore vm.exec cwd handling and simple shell pipelines
- feat: [US-015] - [Restore shell redirect, command-substitution, and heredoc semantics]
- feat: US-016 - Restore cron exec actions that write inside the VM
- feat: US-017 - Restore coreutils command resolution and basic file-operation parity
- feat: US-018 - Restore grep and sed command-package parity
- feat: US-019 - Restore awk, jq, and yq command-package parity
- feat: US-020 - Restore find, xargs, and diff command-package parity
- feat: US-021 - Restore tar and gzip command-package parity
- feat: US-022 - Restore rg, fd, and tree command-package parity
- feat: US-023 - Restore curl package availability and local HTTP round-trip parity
- feat: US-024 - Restore permission, stat, chmod, and ls command parity
- feat: US-025 - Restore cross-package pipeline coverage in the command matrix
- feat: US-CC-009 - Fix VFS layer visibility: vm.writeFile() must be visible to WASM guest processes (sh, ls, cat)
- feat: US-CC-010 - Fix VFS layer visibility: agent session writes (Claude bash tool) must be visible to vm.readFile()
- feat: US-026 - Restore shell invocation of agentos tools from guest scripts
- docs: note tool shell dispatch pattern
- feat: US-027 - Fix Pi SDK bash-tool output persistence in end-to-end sessions
- feat: US-028 - Fix Pi CLI bash-tool output persistence in end-to-end sessions
- feat: US-029 - Re-verify full Pi SDK end-to-end flow including write, bash, and response lifecycle
- feat: US-030 - Re-verify full Pi CLI end-to-end flow including write, bash, and cleanup lifecycle
- feat: US-031 - Fix OpenCode ACP session-new handshake failures
- feat: US-032 - Restore OpenCode write-tool end-to-end coverage
- feat: US-033 - Restore OpenCode bash-tool end-to-end coverage
- feat: US-034 - Restore OpenCode lifecycle, mode, permission, and rawSend coverage
- feat: US-035 - Fix Codex WASM host_net imports and runner startup
- feat: US-036 - Restore Codex session config state for model and thought level
- feat: US-037 - Restore Codex single-turn shell tool end-to-end coverage
- feat: US-038 - Restore Codex multi-turn history, cancel, and destroy coverage
- feat: US-039 - Implement synthetic session-update coverage for agents that do not emit notifications
- feat: US-040 - Add ACP timeout diagnostics with process exit code and killed state
- feat: US-041 - Restore session cleanup and leak-prevention coverage across all agent types
- feat: US-042 - Add kernel socket-table scaffolding and resource accounting
- feat: US-043 - Implement kernel TCP listener lifecycle
- feat: US-044 - Implement kernel TCP connect, read, write, shutdown, and close lifecycle
- feat: US-045 - Implement kernel loopback routing for guest-owned TCP listeners
- feat: US-046 - Implement kernel DNS resolver and policy hooks
- feat: US-047 - Implement kernel UDP datagram sockets
- feat: US-048 - Implement kernel Unix domain sockets
- feat: US-049 - Implement kernel poll across pipes, PTYs, and sockets
- feat: US-049a - Wire kernel poll to V8 bridge and WASM runtime surfaces
- feat: US-050 - Wire V8 net, dns, and dgram bridge calls through kernel socket state
- feat: US-051 - Wire V8 http, https, and http2 flows through kernel sockets
- feat: US-052 - Wire WASM networking imports through kernel socket state
- feat: US-053 - Add cross-runtime networking conformance suites and make them runnable
- feat: US-054 - Remove sidecar-managed socket state that duplicates kernel networking
- feat: US-055 - Implement LayerStore create, seal, import, and export primitives
- feat: US-056 - Implement multi-layer overlay composition for VM roots
- feat: US-057 - Add multi-layer snapshot lifecycle and per-VM isolation tests
- feat: US-058 - Implement kernel user and group identity syscalls and process metadata
- feat: US-059 - Add guest-visible JS, WASM, and Python identity tests
- feat: US-060 - Add bootstrap suppression for kernel-reserved directories and files
- feat: US-061 - Add fcntl support to the kernel FD table
- feat: US-062 - Add pwrite support to HostDirFilesystem
- feat: US-063 - Enforce maximum tool-description length in Rust tool registration
- feat: US-064 - Restore missing public type exports in packages/core index surface
- feat: US-065 - Verify guest V8 SQLite works through the sidecar sqlite bridge
- feat: US-066 - Filter AGENT_OS env vars and virtualize host identity across all runtimes
- feat: US-067 - Restore nested child-process visibility in allProcesses and processTree
- feat: US-068 - Remove legacy feature-gated JS host-Node execution paths
- feat: US-069 - Migrate Python execution and prewarm off host node_binary launches
- feat: US-070 - Migrate WASM execution and prewarm off host node_binary launches
- feat: US-071 - Delete node_process.rs and remaining host-Node runtime scaffolding
- feat: US-072 - Unignore and pass the sidecar guest env and escape hardening test
- feat: US-073 - Unignore and pass sidecar JS filesystem and fd-stream V8 integration tests
- feat: US-074 - Unignore and pass sidecar transport, TCP, DNS, Unix, TLS, HTTP, and HTTP2 V8 tests
- feat: US-075 - Unignore and pass sidecar network policy, listener, and socket-state V8 tests
- feat: US-076 - Unignore and pass nested child-process, stdio-binary, and VM-lifecycle V8 harness tests
- feat: US-077 - Unignore and pass execution javascript_v8 child-process command-resolution coverage
- feat: US-078 - Convert pi-tool-llmock to llmock-only coverage or move it out of default package tests
- feat: US-079 - Make the registry node-binary behavior suite fully green
- feat: US-080 - Make the registry cross-runtime network suite runnable and green
- feat: US-081 - Make packages/core investigation suites green
- feat: US-082 - Define a BARE sidecar IPC schema and compatibility plan
- feat: US-083 - Implement Rust BARE codec and framing behind the new schema
- feat: US-084 - Migrate the TypeScript sidecar client and bridge transports to BARE and remove the JSON wire path
- feat: US-085 - Add an end-to-end migration parity suite covering every major subsystem
- feat: US-086 - Remove duplicate quickstart filesystem examples and stale first-party example drift
- feat: US-087 - Clear first-party dead-code and unused-import warnings in Rust crates
- feat: US-307 - US-079 WASI fd_write fast-path bypasses kernel VM-scoped stdio routing (isolation violation)
- feat: US-297 - LoopbackTlsEndpoint::read() panics on concurrent drain — guest-escapable DoS
- feat: US-295 - Allow WebAssembly code generation inside guest V8 isolates
- feat: US-201 - Replace timeout shim 1ms busy-wait loop with blocking wait
… US-029 for full green
…lag Node.js execution as broken
…, no flags, no exceptions
…e_binary() code, verify tests exercise V8 path
…TypeScript permission-descriptors.ts
…D, hash, hmac, pbkdf2, scrypt)
…across all runtimes
…s and processTree
…V8 integration tests
…LS, HTTP, and HTTP2 V8 tests
…d socket-state V8 tests
…and VM-lifecycle V8 harness tests
…s command-resolution coverage
… it out of default package tests
…ports to BARE and remove the JSON wire path
…y major subsystem
…ale first-party example drift
…ed stdio routing (isolation violation)
… — guest-escapable DoS
NathanFlurry
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.