
[codex] Guard fleet refresh workspace paths #85

Merged
s-hiraoku merged 8 commits into main from codex/fleet-refresh-workspace-guard on Jun 27, 2026

Conversation

@s-hiraoku

@s-hiraoku s-hiraoku commented Jun 27, 2026

Collaborator

Summary

  • Reintroduce the fleet refresh CLI and dogfood script from the issue [monitor] Verify fleet refresh before returning to scheduled checks #78 work on top of current main.
  • Validate registry project slugs and managed workspace paths before fleet refresh repairs or runs setup/verify.
  • Add the stashed no-sync guard so setup/verify cannot run inside an unsafe registry workspace.

Verification

  • npm test
  • npm run typecheck
  • npm run build
  • git diff --check

Closes #78

Summary by CodeRabbit

  • New Features

    • Added a new fleet refresh command to check registered workspaces and optionally sync them before verification.
    • Added a helper script to run the new fleet refresh flow from the repository.
  • Bug Fixes

    • Strengthened workspace and project slug validation to reject unsafe or invalid values.
    • Improved command reporting so setup and verification results are surfaced more clearly.
  • Tests

    • Expanded coverage for fleet refresh behavior, slug validation, registry handling, and CLI temp-directory setup.

@coderabbitai

coderabbitai Bot commented Jun 27, 2026



Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: kaizen-agents-org/coderabbit/.coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 92c477a8-3078-4e2a-b0f0-265981f27dda

📥 Commits

Reviewing files that changed from the base of the PR and between 931ffe9 and d34a1cb.

📒 Files selected for processing (13)
  • docs/02-cli-spec.md
  • package.json
  • scripts/dogfood-fleet-refresh.sh
  • src/cli.ts
  • src/commands/fleet.ts
  • src/config/registry.ts
  • src/config/schema.ts
  • src/utils/slug.ts
  • src/workspace/manager.ts
  • test/fleet.test.ts
  • test/registry.test.ts
  • test/report.test.ts
  • test/slug.test.ts

📝 Walkthrough

Walkthrough

Adds a kaizen fleet refresh command path, slug validation for registry projects, standardized workspace command results, and supporting docs, scripts, and tests. The refresh flow can sync workspaces and run setup/verify steps.

Changes

Fleet refresh and slug safety

Layer / File(s) Summary
Slug validation and registry checks
src/utils/slug.ts, src/config/schema.ts, src/config/registry.ts, test/slug.test.ts, test/registry.test.ts
isProjectSlug/assertProjectSlug are added, registry project keys use the same slug validation, slugFromRepo now throws on invalid derived slugs, and tests cover valid and rejected slugs.
Workspace results and refresh API
src/workspace/manager.ts, src/commands/fleet.ts
runSetup and runVerify return standardized command results, and refreshFleet() exposes typed fleet refresh status with per-project step data.
Fleet refresh workflow
src/commands/fleet.ts, test/fleet.test.ts
refreshProject() loads config, acquires a run lock, resolves workspace and remote state, runs sync/setup/verify steps, and records skipped or failed steps; tests cover sync, lock, safety, and failure cases.
CLI exposure and dogfood support
src/cli.ts, docs/02-cli-spec.md, package.json, scripts/dogfood-fleet-refresh.sh, test/report.test.ts
kaizen fleet refresh is wired into the CLI, documented in the spec, added to the package script and dogfood shell script, and the CLI subprocess test harness uses separate temp directories.

Sequence Diagram(s)

sequenceDiagram
  participant CLI
  participant refreshFleet
  participant refreshProject
  participant RunLock
  participant WorkspaceManager
  CLI->>refreshFleet: project, sync, runCommand
  refreshFleet->>refreshProject: target projects
  refreshProject->>RunLock: acquire(slug)
  refreshProject->>WorkspaceManager: runSetup(config)
  refreshProject->>WorkspaceManager: runVerify(config)
  refreshProject->>RunLock: release()
  refreshFleet-->>CLI: FleetRefreshResult

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related issues

  • issue 84: Adds the refreshFleet path that discovers registry projects, syncs workspaces, runs setup/verify, and reports failure when any step fails.


@s-hiraoku s-hiraoku merged commit b8496e3 into main Jun 27, 2026
1 of 2 checks passed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment



💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d34a1cbccb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/commands/fleet.ts

function assertSafeWorkspacePath(slug: string, projectWorkspacePath: string): void {
  assertProjectSlug(slug);
  if (path.resolve(projectWorkspacePath) !== path.resolve(workspaceDir(slug))) {



P2: Reject symlinked workspaces before syncing

When --sync is used and ~/.kaizen/workspaces/<slug> is a symlink to another checkout, this lexical path.resolve comparison still passes, so refresh proceeds to workspace.sync(), which runs git reset --hard and git clean -fdx plus setup/verify in the symlink target. That bypasses the unsafe-workspace guard this change adds and can delete files outside the managed workspace; check lstat/real paths and reject existing symlinks before running refresh.

