[codex] Guard fleet refresh workspace paths

[s-hiraoku]

Summary

• Reintroduce the fleet refresh CLI and dogfood script from the issue [monitor] Verify fleet refresh before returning to scheduled checks #78 work on top of current main.
• Validate registry project slugs and managed workspace paths before fleet refresh repairs or runs setup/verify.
• Add the stashed no-sync guard so setup/verify cannot run inside an unsafe registry workspace.

Verification

• npm test
• npm run typecheck
• npm run build
• git diff --check

Closes #78

Summary by CodeRabbit

• New Features

  • Added a new fleet refresh command to check registered workspaces and optionally sync them before verification.
  • Added a helper script to run the new fleet refresh flow from the repository.

• Bug Fixes

  • Strengthened workspace and project slug validation to reject unsafe or invalid values.
  • Improved command reporting so setup and verification results are surfaced more clearly.

• Tests

  • Expanded coverage for fleet refresh behavior, slug validation, registry handling, and CLI temp-directory setup.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: kaizen-agents-org/coderabbit/.coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 92c477a8-3078-4e2a-b0f0-265981f27dda

📥 Commits

Reviewing files that changed from the base of the PR and between 931ffe9 and d34a1cb.

📒 Files selected for processing (13)

• docs/02-cli-spec.md
• package.json
• scripts/dogfood-fleet-refresh.sh
• src/cli.ts
• src/commands/fleet.ts
• src/config/registry.ts
• src/config/schema.ts
• src/utils/slug.ts
• src/workspace/manager.ts
• test/fleet.test.ts
• test/registry.test.ts
• test/report.test.ts
• test/slug.test.ts

---

📝 Walkthrough

Walkthrough

Adds a kaizen fleet refresh command path, slug validation for registry projects, standardized workspace command results, and supporting docs, scripts, and tests. The refresh flow can sync workspaces and run setup/verify steps.

Changes

Fleet refresh and slug safety

Layer / File(s)	Summary
Slug validation and registry checks src/utils/slug.ts, src/config/schema.ts, src/config/registry.ts, test/slug.test.ts, test/registry.test.ts	isProjectSlug/assertProjectSlug are added, registry project keys use the same slug validation, slugFromRepo now throws on invalid derived slugs, and tests cover valid and rejected slugs.
Workspace results and refresh API src/workspace/manager.ts, src/commands/fleet.ts	runSetup and runVerify return standardized command results, and refreshFleet() exposes typed fleet refresh status with per-project step data.
Fleet refresh workflow src/commands/fleet.ts, test/fleet.test.ts	refreshProject() loads config, acquires a run lock, resolves workspace and remote state, runs sync/setup/verify steps, and records skipped or failed steps; tests cover sync, lock, safety, and failure cases.
CLI exposure and dogfood support src/cli.ts, docs/02-cli-spec.md, package.json, scripts/dogfood-fleet-refresh.sh, test/report.test.ts	kaizen fleet refresh is wired into the CLI, documented in the spec, added to the package script and dogfood shell script, and the CLI subprocess test harness uses separate temp directories.

Sequence Diagram(s)

sequenceDiagram
  participant CLI
  participant refreshFleet
  participant refreshProject
  participant RunLock
  participant WorkspaceManager
  CLI->>refreshFleet: project, sync, runCommand
  refreshFleet->>refreshProject: target projects
  refreshProject->>RunLock: acquire(slug)
  refreshProject->>WorkspaceManager: runSetup(config)
  refreshProject->>WorkspaceManager: runVerify(config)
  refreshProject->>RunLock: release()
  refreshFleet-->>CLI: FleetRefreshResult

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related issues

• issue 84: Adds the refreshFleet path that discovers registry projects, syncs workspaces, runs setup/verify, and reports failure when any step fails.

Possibly related PRs

• kaizen-agents-org/kaizen-loop#1: Shares the slug, registry, and schema validation code paths that this PR extends.
• kaizen-agents-org/kaizen-loop#77: Implements the earlier fleet verify/refresh command area that this PR expands with the new refresh flow.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/fleet-refresh-workspace-guard

---

_{Comment @coderabbitai help to get the list of available commands.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d34a1cbccb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Reject symlinked workspaces before syncing

When --sync is used and ~/.kaizen/workspaces/<slug> is a symlink to another checkout, this lexical path.resolve comparison still passes, so refresh proceeds to workspace.sync(), which runs git reset --hard and git clean -fdx plus setup/verify in the symlink target. That bypasses the unsafe-workspace guard this change adds and can delete files outside the managed workspace; check lstat/real paths and reject existing symlinks before running refresh.

Useful? React with 👍 / 👎.