harivansh-afk/sandbox-agent
1
0
Fork 0
mirror of https://github.com/harivansh-afk/sandbox-agent.git synced 2026-04-17 06:04:56 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

chore(foundry): workbench action responsiveness (#254)

Browse source 
* wip

* wip
This commit is contained in:
Nathan Flurry 2026-03-14 20:42:18 -07:00 committed by GitHub
parent 400f9a214e
commit 99abb9d42e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
171 changed files with 7260 additions and 7342 deletions
Download patch file Download diff file Expand all files Collapse all files

34
foundry/research/specs/async-action-fixes/00-end-to-end-async-realtime-plan.md
View file

@ -28,7 +28,7 @@ The goal is not just to make individual endpoints faster. The goal is to move Fo
### Workbench
- `getWorkbench` still represents a monolithic workspace read that aggregates repo, project, and task state.
- `getWorkbench` still represents a monolithic organization read that aggregates repo, repository, and task state.
- The remote workbench store still responds to every event by pulling a full fresh snapshot.
- Some task/workbench detail is still too expensive to compute inline and too broad to refresh after every mutation.
@ -57,7 +57,7 @@ Requests should not block on provider calls, repo sync, sandbox provisioning, tr
### View-model rule
- App shell view connects to app/session state and only the org actors visible on screen.
- Workspace/task-list view connects to a workspace-owned summary projection.
- Organization/task-list view connects to a organization-owned summary projection.
- Task detail view connects directly to the selected task actor.
- Sandbox/session detail connects only when the user opens that detail.
@ -99,7 +99,7 @@ The app shell should stop using `/app/snapshot` as the steady-state read model.
#### Changes
1. Introduce a small app-shell projection owned by the app workspace actor:
1. Introduce a small app-shell projection owned by the app organization actor:
- auth status
- current user summary
- active org id
@ -121,7 +121,7 @@ The app shell should stop using `/app/snapshot` as the steady-state read model.
#### Likely files
- `foundry/packages/backend/src/actors/workspace/app-shell.ts`
- `foundry/packages/backend/src/actors/organization/app-shell.ts`
- `foundry/packages/client/src/backend-client.ts`
- `foundry/packages/client/src/remote/app-client.ts`
- `foundry/packages/shared/src/app-shell.ts`
@ -133,42 +133,42 @@ The app shell should stop using `/app/snapshot` as the steady-state read model.
- Selecting an org returns quickly and the UI updates from actor events.
- App shell refresh cost is bounded by visible state, not every eligible organization on every poll.
### 3. Workspace summary becomes a projection, not a full snapshot
### 3. Organization summary becomes a projection, not a full snapshot
The task list should read a workspace-owned summary projection instead of calling into every task actor on each refresh.
The task list should read a organization-owned summary projection instead of calling into every task actor on each refresh.
#### Changes
1. Define a durable workspace summary model with only list-screen fields:
1. Define a durable organization summary model with only list-screen fields:
- repo summary
- project summary
- repository summary
- task summary
- selected/open task ids
- unread/session status summary
- coarse git/PR state summary
2. Update workspace actor workflows so task/project changes incrementally update this projection.
2. Update organization actor workflows so task/repository changes incrementally update this projection.
3. Change `getWorkbench` to return the projection only.
4. Change `workbenchUpdated` from "invalidate and refetch everything" to "here is the updated projection version or changed entity ids".
5. Remove task-actor fan-out from the default list read path.
#### Likely files
- `foundry/packages/backend/src/actors/workspace/actions.ts`
- `foundry/packages/backend/src/actors/project/actions.ts`
- `foundry/packages/backend/src/actors/organization/actions.ts`
- `foundry/packages/backend/src/actors/repository/actions.ts`
- `foundry/packages/backend/src/actors/task/index.ts`
- `foundry/packages/backend/src/actors/task/workbench.ts`
- task/workspace DB schema and migrations
- task/organization DB schema and migrations
- `foundry/packages/client/src/remote/workbench-client.ts`
#### Acceptance criteria
- Workbench list refresh does not call every task actor.
- A websocket event does not force a full cross-actor rebuild.
- Initial task-list load time scales roughly with workspace summary size, not repo count times task count times detail reads.
- Initial task-list load time scales roughly with organization summary size, not repo count times task count times detail reads.
### 4. Task detail moves to direct actor reads and events
Heavy task detail should move out of the workspace summary and into the selected task actor.
Heavy task detail should move out of the organization summary and into the selected task actor.
#### Changes
@ -258,7 +258,7 @@ Do not delete bootstrap endpoints first. Shrink them after the subscription mode
4. `06-daytona-provisioning-staged-background-flow.md`
5. App shell realtime subscription model
6. `02-repo-overview-from-cached-projection.md`
7. Workspace summary projection
7. Organization summary projection
8. `04-workbench-session-creation-without-inline-provisioning.md`
9. `05-workbench-snapshot-from-derived-state.md`
10. Task-detail direct actor reads/subscriptions
@ -270,7 +270,7 @@ Do not delete bootstrap endpoints first. Shrink them after the subscription mode
- Runtime hardening removes the most dangerous correctness bug before more UI load shifts onto actor connections.
- The first async workflow items reduce the biggest user-visible stalls quickly.
- App shell realtime is smaller and lower-risk than the workbench migration, and it removes the current polling loop.
- Workspace summary and task-detail split should happen after the async workflow moves so the projection model does not encode old synchronous assumptions.
- Organization summary and task-detail split should happen after the async workflow moves so the projection model does not encode old synchronous assumptions.
- Auth simplification is valuable but not required to remove the current refresh/polling/runtime problems.
## Observability Requirements
@ -291,7 +291,7 @@ Each log line should include a request id or actor/event correlation id where po
1. Ship runtime hardening and observability first.
2. Ship app-shell realtime behind a client flag while keeping snapshot bootstrap.
3. Ship workspace summary projection behind a separate flag.
3. Ship organization summary projection behind a separate flag.
4. Migrate one heavy detail pane at a time off the monolithic workbench payload.
5. Remove polling once the matching event path is proven stable.
6. Only then remove or demote the old snapshot-heavy steady-state flows.

14
foundry/research/specs/async-action-fixes/01-task-creation-bootstrap-only.md
View file

@ -10,8 +10,8 @@ That makes a user-facing action depend on queue-backed and provider-backed work
## Current Code Context
- Workspace entry point: `foundry/packages/backend/src/actors/workspace/actions.ts`
- Project task creation path: `foundry/packages/backend/src/actors/project/actions.ts`
- Organization entry point: `foundry/packages/backend/src/actors/organization/actions.ts`
- Repository task creation path: `foundry/packages/backend/src/actors/repository/actions.ts`
- Task action surface: `foundry/packages/backend/src/actors/task/index.ts`
- Task workflow: `foundry/packages/backend/src/actors/task/workflow/index.ts`
- Task init/provision steps: `foundry/packages/backend/src/actors/task/workflow/init.ts`
@ -33,8 +33,8 @@ That makes a user-facing action depend on queue-backed and provider-backed work
- persisting any immediately-known metadata
- returning the current task record
3. After initialize completes, enqueue `task.command.provision` with `wait: false`.
4. Change `workspace.createTask` to:
- create or resolve the project
4. Change `organization.createTask` to:
- create or resolve the repository
- create the task actor
- call `task.initialize(...)`
- stop awaiting `task.provision(...)`
@ -51,12 +51,12 @@ That makes a user-facing action depend on queue-backed and provider-backed work
## Files Likely To Change
- `foundry/packages/backend/src/actors/workspace/actions.ts`
- `foundry/packages/backend/src/actors/project/actions.ts`
- `foundry/packages/backend/src/actors/organization/actions.ts`
- `foundry/packages/backend/src/actors/repository/actions.ts`
- `foundry/packages/backend/src/actors/task/index.ts`
- `foundry/packages/backend/src/actors/task/workflow/index.ts`
- `foundry/packages/backend/src/actors/task/workflow/init.ts`
- `foundry/packages/frontend/src/components/workspace-dashboard.tsx`
- `foundry/packages/frontend/src/components/organization-dashboard.tsx`
- `foundry/packages/client/src/remote/workbench-client.ts`
## Client Impact

30
foundry/research/specs/async-action-fixes/02-repo-overview-from-cached-projection.md
View file

@ -15,11 +15,11 @@ The frontend polls repo overview repeatedly, so this design multiplies slow work
## Current Code Context
- Workspace overview entry point: `foundry/packages/backend/src/actors/workspace/actions.ts`
- Project overview implementation: `foundry/packages/backend/src/actors/project/actions.ts`
- Branch sync poller: `foundry/packages/backend/src/actors/project-branch-sync/index.ts`
- PR sync poller: `foundry/packages/backend/src/actors/project-pr-sync/index.ts`
- Repo overview client polling: `foundry/packages/frontend/src/components/workspace-dashboard.tsx`
- Organization overview entry point: `foundry/packages/backend/src/actors/organization/actions.ts`
- Repository overview implementation: `foundry/packages/backend/src/actors/repository/actions.ts`
- Branch sync poller: `foundry/packages/backend/src/actors/repository-branch-sync/index.ts`
- PR sync poller: `foundry/packages/backend/src/actors/repository-pr-sync/index.ts`
- Repo overview client polling: `foundry/packages/frontend/src/components/organization-dashboard.tsx`
## Target Contract
@ -30,27 +30,27 @@ The frontend polls repo overview repeatedly, so this design multiplies slow work
## Proposed Fix
1. Remove inline `forceProjectSync()` from `getRepoOverview`.
2. Add freshness fields to the project projection, for example:
2. Add freshness fields to the repository projection, for example:
- `branchSyncAt`
- `prSyncAt`
- `branchSyncStatus`
- `prSyncStatus`
3. Let the existing polling actors own cache refresh.
4. If the client needs a manual refresh, add a non-blocking command such as `project.requestOverviewRefresh` that:
4. If the client needs a manual refresh, add a non-blocking command such as `repository.requestOverviewRefresh` that:
- enqueues refresh work
- updates sync status to `queued` or `running`
- returns immediately
5. Keep `getRepoOverview` as a pure read over project SQLite state.
5. Keep `getRepoOverview` as a pure read over repository SQLite state.
## Files Likely To Change
- `foundry/packages/backend/src/actors/workspace/actions.ts`
- `foundry/packages/backend/src/actors/project/actions.ts`
- `foundry/packages/backend/src/actors/project/db/schema.ts`
- `foundry/packages/backend/src/actors/project/db/migrations.ts`
- `foundry/packages/backend/src/actors/project-branch-sync/index.ts`
- `foundry/packages/backend/src/actors/project-pr-sync/index.ts`
- `foundry/packages/frontend/src/components/workspace-dashboard.tsx`
- `foundry/packages/backend/src/actors/organization/actions.ts`
- `foundry/packages/backend/src/actors/repository/actions.ts`
- `foundry/packages/backend/src/actors/repository/db/schema.ts`
- `foundry/packages/backend/src/actors/repository/db/migrations.ts`
- `foundry/packages/backend/src/actors/repository-branch-sync/index.ts`
- `foundry/packages/backend/src/actors/repository-pr-sync/index.ts`
- `foundry/packages/frontend/src/components/organization-dashboard.tsx`
## Client Impact

24
foundry/research/specs/async-action-fixes/03-repo-actions-via-background-workflow.md
View file

@ -10,20 +10,20 @@ These flows depend on repo/network state and can take minutes. They should not h
## Current Code Context
- Workspace repo action entry point: `foundry/packages/backend/src/actors/workspace/actions.ts`
- Project repo action implementation: `foundry/packages/backend/src/actors/project/actions.ts`
- Branch/task index state lives in the project actor SQLite DB.
- Organization repo action entry point: `foundry/packages/backend/src/actors/organization/actions.ts`
- Repository repo action implementation: `foundry/packages/backend/src/actors/repository/actions.ts`
- Branch/task index state lives in the repository actor SQLite DB.
- Current forced sync uses the PR and branch polling actors before and after the action.
## Target Contract
- Repo-affecting actions are accepted quickly and run in the background.
- The project actor owns a durable action record with progress and final result.
- Clients observe status via project/task state instead of waiting for a single response.
- The repository actor owns a durable action record with progress and final result.
- Clients observe status via repository/task state instead of waiting for a single response.
## Proposed Fix
1. Introduce a project-level workflow/job model for repo actions, for example:
1. Introduce a repository-level workflow/job model for repo actions, for example:
- `sync_repo`
- `restack_repo`
- `restack_subtree`
@ -49,11 +49,11 @@ These flows depend on repo/network state and can take minutes. They should not h
## Files Likely To Change
- `foundry/packages/backend/src/actors/workspace/actions.ts`
- `foundry/packages/backend/src/actors/project/actions.ts`
- `foundry/packages/backend/src/actors/project/db/schema.ts`
- `foundry/packages/backend/src/actors/project/db/migrations.ts`
- `foundry/packages/frontend/src/components/workspace-dashboard.tsx`
- `foundry/packages/backend/src/actors/organization/actions.ts`
- `foundry/packages/backend/src/actors/repository/actions.ts`
- `foundry/packages/backend/src/actors/repository/db/schema.ts`
- `foundry/packages/backend/src/actors/repository/db/migrations.ts`
- `foundry/packages/frontend/src/components/organization-dashboard.tsx`
- Any shared types in `foundry/packages/shared/src`
## Client Impact
@ -70,5 +70,5 @@ These flows depend on repo/network state and can take minutes. They should not h
## Implementation Notes
- Keep validation cheap in the request path; expensive repo inspection belongs in the workflow.
- If job rows are added, decide whether they are project-owned only or also mirrored into history events for UI consumption.
- If job rows are added, decide whether they are repository-owned only or also mirrored into history events for UI consumption.
- Fresh-agent check: branch-backed task creation and explicit repo stack actions should use the same background job/status vocabulary where possible.

4
foundry/research/specs/async-action-fixes/04-workbench-session-creation-without-inline-provisioning.md
View file

@ -8,7 +8,7 @@ Creating a workbench tab currently provisions the whole task if no active sandbo
## Current Code Context
- Workspace workbench action entry point: `foundry/packages/backend/src/actors/workspace/actions.ts`
- Organization workbench action entry point: `foundry/packages/backend/src/actors/organization/actions.ts`
- Task workbench behavior: `foundry/packages/backend/src/actors/task/workbench.ts`
- Task provision action: `foundry/packages/backend/src/actors/task/index.ts`
- Sandbox session creation path: `foundry/packages/backend/src/actors/sandbox-instance/index.ts`
@ -36,7 +36,7 @@ Creating a workbench tab currently provisions the whole task if no active sandbo
## Files Likely To Change
- `foundry/packages/backend/src/actors/workspace/actions.ts`
- `foundry/packages/backend/src/actors/organization/actions.ts`
- `foundry/packages/backend/src/actors/task/workbench.ts`
- `foundry/packages/backend/src/actors/task/index.ts`
- `foundry/packages/backend/src/actors/task/db/schema.ts`

4
foundry/research/specs/async-action-fixes/05-workbench-snapshot-from-derived-state.md
View file

@ -17,7 +17,7 @@ The remote workbench client refreshes after each action and on update events, so
## Current Code Context
- Workspace workbench snapshot builder: `foundry/packages/backend/src/actors/workspace/actions.ts`
- Organization workbench snapshot builder: `foundry/packages/backend/src/actors/organization/actions.ts`
- Task workbench snapshot builder: `foundry/packages/backend/src/actors/task/workbench.ts`
- Sandbox session event persistence: `foundry/packages/backend/src/actors/sandbox-instance/persist.ts`
- Remote workbench client refresh loop: `foundry/packages/client/src/remote/workbench-client.ts`
@ -43,7 +43,7 @@ The remote workbench client refreshes after each action and on update events, so
## Files Likely To Change
- `foundry/packages/backend/src/actors/workspace/actions.ts`
- `foundry/packages/backend/src/actors/organization/actions.ts`
- `foundry/packages/backend/src/actors/task/workbench.ts`
- `foundry/packages/backend/src/actors/task/db/schema.ts`
- `foundry/packages/backend/src/actors/task/db/migrations.ts`

48
foundry/research/specs/async-action-fixes/07-auth-identity-simplification.md
View file

@ -17,8 +17,8 @@ Authentication and user identity are conflated into a single `appSessions` table
## Current Code Context
- Custom OAuth flow: `foundry/packages/backend/src/services/app-github.ts` (`buildAuthorizeUrl`, `exchangeCode`, `getViewer`)
- Session + identity management: `foundry/packages/backend/src/actors/workspace/app-shell.ts` (`ensureAppSession`, `updateAppSession`, `initGithubSession`, `syncGithubOrganizations`)
- Session schema: `foundry/packages/backend/src/actors/workspace/db/schema.ts` (`appSessions` table)
- Session + identity management: `foundry/packages/backend/src/actors/organization/app-shell.ts` (`ensureAppSession`, `updateAppSession`, `initGithubSession`, `syncGithubOrganizations`)
- Session schema: `foundry/packages/backend/src/actors/organization/db/schema.ts` (`appSessions` table)
- Shared types: `foundry/packages/shared/src/app-shell.ts` (`FoundryUser`, `FoundryAppSnapshot`)
- HTTP routes: `foundry/packages/backend/src/index.ts` (`resolveSessionId`, `/v1/auth/github/*`, all `/v1/app/*` routes)
- Frontend session persistence: `foundry/packages/client/src/backend-client.ts` (`persistAppSessionId`, `x-foundry-session` header, `foundrySession` URL param extraction)
@ -41,7 +41,7 @@ Authentication and user identity are conflated into a single `appSessions` table
- BetterAuth uses a custom adapter that routes all DB operations through RivetKit actors.
- Each user has their own actor. BetterAuth's `user`, `session`, and `account` tables live in the per-user actor's SQLite via `c.db`.
- The adapter resolves which actor to target based on the primary key BetterAuth passes for each operation (user ID, session ID, account ID).
- A lightweight **session index** on the app-shell workspace actor maps session tokens → user actor identity, so inbound requests can be routed to the correct user actor without knowing the user ID upfront.
- A lightweight **session index** on the app-shell organization actor maps session tokens → user actor identity, so inbound requests can be routed to the correct user actor without knowing the user ID upfront.
### Canonical user record
@ -70,9 +70,9 @@ BetterAuth expects a single database. Foundry uses per-actor SQLite — each act
When an HTTP request arrives, the backend has a session token but doesn't know the user ID yet. BetterAuth calls adapter methods like `findSession(sessionId)` to resolve this. But which actor holds that session row?
**Solution: session index on the app-shell workspace actor.**
**Solution: session index on the app-shell organization actor.**
The app-shell workspace actor (which already handles auth routing) maintains a lightweight index table:
The app-shell organization actor (which already handles auth routing) maintains a lightweight index table:
```
sessionIndex
@ -83,7 +83,7 @@ sessionIndex
The adapter flow for session lookup:
1. BetterAuth calls `findSession(sessionId)`.
2. Adapter queries `sessionIndex` on the workspace actor to resolve `userActorKey`.
2. Adapter queries `sessionIndex` on the organization actor to resolve `userActorKey`.
3. Adapter gets the user actor handle and queries BetterAuth's `session` table in that actor's `c.db`.
The adapter flow for user creation (OAuth callback):
@ -91,12 +91,12 @@ The adapter flow for user creation (OAuth callback):
2. Adapter resolves the GitHub numeric ID from the user data.
3. Adapter creates/gets the user actor keyed by GitHub ID.
4. Adapter inserts into BetterAuth's `user` table in that actor's `c.db`.
5. When `createSession` follows, adapter writes to the user actor's `session` table AND inserts into the workspace actor's `sessionIndex`.
5. When `createSession` follows, adapter writes to the user actor's `session` table AND inserts into the organization actor's `sessionIndex`.
### User actor shape
```text
UserActor (key: ["ws", workspaceId, "user", githubNumericId])
UserActor (key: ["ws", organizationId, "user", githubNumericId])
├── BetterAuth tables: user, session, account (managed by BetterAuth schema)
├── userProfiles (app-specific: eligibleOrganizationIds, starterRepoStatus, roleLabel)
└── sessionState (app-specific: activeOrganizationId per session)
@ -127,15 +127,15 @@ The adapter must inspect `model` and `where` to determine the target actor:
| Model | Routing strategy |
|-------|-----------------|
| `user` (by id) | User actor key derived directly from user ID |
| `user` (by email) | `emailIndex` on workspace actor → user actor key |
| `session` (by token) | `sessionIndex` on workspace actor → user actor key |
| `session` (by id) | `sessionIndex` on workspace actor → user actor key |
| `user` (by email) | `emailIndex` on organization actor → user actor key |
| `session` (by token) | `sessionIndex` on organization actor → user actor key |
| `session` (by id) | `sessionIndex` on organization actor → user actor key |
| `session` (by userId) | User actor key derived directly from userId |
| `account` | Always has `userId` in where or data → user actor key |
| `verification` | Workspace actor (not user-scoped — used for email verification, password reset) |
| `verification` | Organization actor (not user-scoped — used for email verification, password reset) |
On `create` for `session` model: write to user actor's `session` table AND insert into workspace actor's `sessionIndex`.
On `delete` for `session` model: delete from user actor's `session` table AND remove from workspace actor's `sessionIndex`.
On `create` for `session` model: write to user actor's `session` table AND insert into organization actor's `sessionIndex`.
On `delete` for `session` model: delete from user actor's `session` table AND remove from organization actor's `sessionIndex`.
#### Adapter construction
@ -188,14 +188,14 @@ session: {
#### BetterAuth core tables
Four tables, all in the per-user actor's SQLite (except `verification` which goes on workspace actor):
Four tables, all in the per-user actor's SQLite (except `verification` which goes on organization actor):
**`user`**: `id`, `name`, `email`, `emailVerified`, `image`, `createdAt`, `updatedAt`
**`session`**: `id`, `token`, `userId`, `expiresAt`, `ipAddress?`, `userAgent?`, `createdAt`, `updatedAt`
**`account`**: `id`, `userId`, `accountId` (GitHub numeric ID), `providerId` ("github"), `accessToken?`, `refreshToken?`, `scope?`, `createdAt`, `updatedAt`
**`verification`**: `id`, `identifier`, `value`, `expiresAt`, `createdAt`, `updatedAt`
For `findUserByEmail`, a secondary index (email → user actor key) is needed on the workspace actor alongside `sessionIndex`.
For `findUserByEmail`, a secondary index (email → user actor key) is needed on the organization actor alongside `sessionIndex`.
## Implementation Plan
@ -210,12 +210,12 @@ Research confirms:
1. **Prototype the adapter + user actor end-to-end** — wire up `createAdapterFactory` with a minimal actor-routed implementation. Confirm that BetterAuth's GitHub OAuth flow completes successfully with user/session/account records landing in the correct per-user actor's SQLite.
2. **Verify `findOne` for session model** — confirm the `where` clause BetterAuth passes for session lookup includes the `token` field (not just `id`), so the adapter can route via `sessionIndex` keyed by token.
3. **Measure cookie-cached vs uncached request latency** — confirm that with cookie caching enabled, the adapter is not called on every request, and that the uncached fallback (workspace actor index → user actor → session table) is acceptable.
3. **Measure cookie-cached vs uncached request latency** — confirm that with cookie caching enabled, the adapter is not called on every request, and that the uncached fallback (organization actor index → user actor → session table) is acceptable.
### Phase 1: User actor + adapter infrastructure (no behavior change)
1. **Install `better-auth` package** in `packages/backend`.
2. **Define `UserActor`** with actor key `["ws", workspaceId, "user", githubNumericId]`. Include BetterAuth's required tables (`user`, `session`, `account`) plus app-specific tables in its schema.
2. **Define `UserActor`** with actor key `["ws", organizationId, "user", githubNumericId]`. Include BetterAuth's required tables (`user`, `session`, `account`) plus app-specific tables in its schema.
3. **Create `userProfiles` table** in user actor schema:
```
userProfiles
@ -237,7 +237,7 @@ Research confirms:
├── createdAt (integer)
├── updatedAt (integer)
```
5. **Create `sessionIndex` and `emailIndex` tables** on the app-shell workspace actor:
5. **Create `sessionIndex` and `emailIndex` tables** on the app-shell organization actor:
```
sessionIndex
├── sessionId (text, PK)
@ -256,7 +256,7 @@ Research confirms:
### Phase 2: Migrate OAuth flow to BetterAuth
1. **Replace `startAppGithubAuth`** — delegate to BetterAuth's GitHub OAuth initiation instead of hand-rolling `buildAuthorizeUrl` + `oauthState` + `oauthStateExpiresAt`.
2. **Replace `completeAppGithubAuth`** — delegate to BetterAuth's callback handler. BetterAuth creates/updates the user record in the user actor and creates a signed session. The adapter writes to `sessionIndex` on the workspace actor.
2. **Replace `completeAppGithubAuth`** — delegate to BetterAuth's callback handler. BetterAuth creates/updates the user record in the user actor and creates a signed session. The adapter writes to `sessionIndex` on the organization actor.
3. **After BetterAuth callback completes**, populate `userProfiles` in the user actor with app-specific fields and enqueue the slow org sync (same background workflow pattern as today).
4. **Replace `signOutApp`** — delegate to BetterAuth session invalidation. Adapter removes entry from `sessionIndex`.
5. **Update `resolveSessionId`** in `index.ts` — validate the session via BetterAuth (which routes through the adapter → `sessionIndex` → user actor). BetterAuth verifies the signature and checks expiration.
@ -288,18 +288,18 @@ Research confirms:
## Constraints
- **Actor-routed adapter.** BetterAuth does not natively support per-user actor databases. The custom adapter must route every DB operation to the correct actor. This adds a layer of indirection and latency (actor handle resolution + message) on adapter calls.
- **Session index cost is mitigated by cookie caching.** With `cookieCache` enabled, BetterAuth validates sessions from a signed cookie on most requests — the adapter (and thus the `sessionIndex` lookup + user actor round-trip) is only called when the cache expires or on writes. Without caching, every authenticated request would hit the workspace actor's `sessionIndex` table then the user actor.
- **Two-actor write on session create/destroy.** Creating or destroying a session requires writing to both the user actor (BetterAuth's `session` table) and the workspace actor (`sessionIndex`). These must be consistent — if the user actor write succeeds but the index write fails, the session exists but is unreachable.
- **Session index cost is mitigated by cookie caching.** With `cookieCache` enabled, BetterAuth validates sessions from a signed cookie on most requests — the adapter (and thus the `sessionIndex` lookup + user actor round-trip) is only called when the cache expires or on writes. Without caching, every authenticated request would hit the organization actor's `sessionIndex` table then the user actor.
- **Two-actor write on session create/destroy.** Creating or destroying a session requires writing to both the user actor (BetterAuth's `session` table) and the organization actor (`sessionIndex`). These must be consistent — if the user actor write succeeds but the index write fails, the session exists but is unreachable.
- **Background org sync pattern must be preserved.** The fast-path/slow-path split (`initGithubSession` returns immediately, `syncGithubOrganizations` runs in workflow queue) is critical for avoiding proxy timeout retries. BetterAuth handles the OAuth exchange, but the org sync stays as a background workflow.
- **`GitHubAppClient` is still needed.** BetterAuth replaces the OAuth user-auth flow, but installation tokens, webhook verification, repo listing, and org listing are GitHub App operations that BetterAuth does not cover.
- **User ID migration.** Changing user IDs from `user-${slugify(login)}` to GitHub numeric IDs affects `organizationMembers`, `seatAssignments`, and any cross-actor references to user IDs. Existing data needs a migration path.
- **`findUserByEmail` requires a secondary index.** BetterAuth sometimes looks up users by email (e.g., account linking). An `emailIndex` table on the workspace actor is needed. This must be kept in sync with the user actor's email field.
- **`findUserByEmail` requires a secondary index.** BetterAuth sometimes looks up users by email (e.g., account linking). An `emailIndex` table on the organization actor is needed. This must be kept in sync with the user actor's email field.
## Risk Assessment
- **Adapter call context — RESOLVED.** Research confirms BetterAuth adapter methods are plain async functions with no request context dependency. The adapter closes over the RivetKit registry at init time and resolves actor handles on demand. No ambient `c` context needed.
- **Hot-path latency — MITIGATED.** Cookie caching (`cookieCache` with `strategy: "compact"`) means most authenticated requests validate the session from a signed cookie without calling the adapter at all. The adapter (and thus the actor round-trip) is only hit when the cache expires (configurable, e.g., every 5 minutes) or on writes. This makes the session index + user actor lookup acceptable.
- **Two-actor consistency.** Session create/destroy touches two actors (user actor + workspace index). If either write fails, the system is in an inconsistent state. Recommended: write index first, then user actor. A dangling index entry pointing to a nonexistent session is benign — BetterAuth treats it as "session not found" and the user just re-authenticates.
- **Two-actor consistency.** Session create/destroy touches two actors (user actor + organization index). If either write fails, the system is in an inconsistent state. Recommended: write index first, then user actor. A dangling index entry pointing to a nonexistent session is benign — BetterAuth treats it as "session not found" and the user just re-authenticates.
- **Cookie vs header auth.** BetterAuth defaults to HTTP-only cookies (`better-auth.session_token`). The current system uses a custom `x-foundry-session` header with `localStorage`. BetterAuth supports `bearer` token mode for programmatic clients via its `bearer` plugin. Enable both for browser + API access.
- **Dev bootstrap flow.** `bootstrapAppGithubSession` bypasses the normal OAuth flow for local development. BetterAuth supports programmatic session creation via its internal adapter — the dev path can call the adapter's `create` method directly for the `session` and `account` models.
- **Actor lifecycle for users.** User actors are long-lived but low-traffic. RivetKit will idle/unload them. With cookie caching, cold-start only happens when the cache expires — not on every request. Acceptable.

6
foundry/research/specs/async-action-fixes/README.md
View file

@ -19,7 +19,7 @@ The governing policy now lives in `foundry/CLAUDE.md`:
- Backend actor entry points live under `foundry/packages/backend/src/actors`.
- Provider-backed long-running work lives under `foundry/packages/backend/src/providers`.
- The main UI consumers are:
- `foundry/packages/frontend/src/components/workspace-dashboard.tsx`
- `foundry/packages/frontend/src/components/organization-dashboard.tsx`
- `foundry/packages/frontend/src/components/mock-layout.tsx`
- `foundry/packages/client/src/remote/workbench-client.ts`
- Existing non-blocking examples already exist in app-shell GitHub auth/import flows. Use those as the reference pattern for request returns plus background completion.
@ -32,7 +32,7 @@ The governing policy now lives in `foundry/CLAUDE.md`:
4. `06-daytona-provisioning-staged-background-flow.md`
5. App shell realtime subscription work from `00-end-to-end-async-realtime-plan.md`
6. `02-repo-overview-from-cached-projection.md`
7. Workspace summary projection work from `00-end-to-end-async-realtime-plan.md`
7. Organization summary projection work from `00-end-to-end-async-realtime-plan.md`
8. `04-workbench-session-creation-without-inline-provisioning.md`
9. `05-workbench-snapshot-from-derived-state.md`
10. Task-detail direct subscription work from `00-end-to-end-async-realtime-plan.md`
@ -42,7 +42,7 @@ The governing policy now lives in `foundry/CLAUDE.md`:
- Runtime hardening and the first async workflow items remove the highest-risk correctness and timeout issues first.
- App shell realtime is a smaller migration than the workbench and removes the current polling loop early.
- Workspace summary and task-detail subscription work are easier once long-running mutations already report durable background state.
- Organization summary and task-detail subscription work are easier once long-running mutations already report durable background state.
- Auth simplification is important, but it should not block the snapshot/polling/runtime fixes.
## Fresh Agent Checklist

4
foundry/research/specs/frontend.md
View file

@ -24,8 +24,8 @@ be thorough and careful with your impelmentaiton. this is going to be the ground
- left sidebar is similar to the hf switch ui:
- list each repo
- under each repo, show all of the tasks
- you should see all tasks for the entire workspace here grouped by repo
- the main content area shows the current workspace
- you should see all tasks for the entire organization here grouped by repo
- the main content area shows the current organization
- there is a main agent session for the main agent thatn's making the change, so show this by default
- build a ui for interacting with sessions
- see ~/sandbox-agent/frontend/packages/inspector/ for reference ui

44
foundry/research/specs/github-data-actor.md
View file

@ -4,7 +4,7 @@
Replace the per-repo polling PR sync actor (`ProjectPrSyncActor`) and per-repo PR cache (`prCache` table) with a single organization-scoped `github-state` actor that owns all GitHub data (repos, PRs, members). All GitHub state updates flow exclusively through webhooks, with a one-shot full sync on initial connection. Manual reload actions are exposed per-entity (org, repo, PR) for recovery from missed webhooks.
Open PRs are surfaced in the left sidebar alongside tasks via a unified workspace interest topic, with lazy task/sandbox creation when a user clicks on a PR.
Open PRs are surfaced in the left sidebar alongside tasks via a unified organization subscription topic, with lazy task/sandbox creation when a user clicks on a PR.
## Reference Implementation
@ -18,7 +18,7 @@ Use `git show 0aca2c7:<path>` to read the reference files. Adapt (don't copy bli
## Constraints
1. **No polling.** Delete `ProjectPrSyncActor` (`actors/project-pr-sync/`), all references to it in handles/keys/index, and the `prCache` table in `ProjectActor`'s DB schema. Remove `prSyncStatus`/`prSyncAt` from `getRepoOverview`.
1. **No polling.** Delete `ProjectPrSyncActor` (`actors/repository-pr-sync/`), all references to it in handles/keys/index, and the `prCache` table in `RepositoryActor`'s DB schema. Remove `prSyncStatus`/`prSyncAt` from `getRepoOverview`.
2. **Keep `ProjectBranchSyncActor`.** This polls the local git clone (not GitHub API) and is the sandbox git status mechanism. It stays.
3. **Webhooks are the sole live update path.** The only GitHub API calls happen during:
- Initial full sync on org connection/installation
@ -72,16 +72,16 @@ Replace the current TODO at `app-shell.ts:1521` with dispatch logic adapted from
When `github-state` receives a PR update (webhook or manual reload), it should:
1. Update its own `github_pull_requests` table
2. Call `notifyOrganizationUpdated()` → which broadcasts `workspaceUpdated` to connected clients
3. If the PR branch matches an existing task's branch, update that task's `pullRequest` summary in the workspace actor
2. Call `notifyOrganizationUpdated()` → which broadcasts `organizationUpdated` to connected clients
3. If the PR branch matches an existing task's branch, update that task's `pullRequest` summary in the organization actor
### Workspace Summary Changes
### Organization Summary Changes
Extend `WorkspaceSummarySnapshot` to include open PRs:
Extend `OrganizationSummarySnapshot` to include open PRs:
```typescript
export interface WorkspaceSummarySnapshot {
workspaceId: string;
export interface OrganizationSummarySnapshot {
organizationId: string;
repos: WorkbenchRepoSummary[];
taskSummaries: WorkbenchTaskSummary[];
openPullRequests: WorkbenchOpenPrSummary[]; // NEW
@ -103,13 +103,13 @@ export interface WorkbenchOpenPrSummary {
}
```
The workspace actor fetches open PRs from the `github-state` actor when building the summary snapshot. PRs that already have an associated task (matched by branch name) should be excluded from `openPullRequests` (they already appear in `taskSummaries` with their `pullRequest` field populated).
The organization actor fetches open PRs from the `github-state` actor when building the summary snapshot. PRs that already have an associated task (matched by branch name) should be excluded from `openPullRequests` (they already appear in `taskSummaries` with their `pullRequest` field populated).
### Interest Manager
The `workspace` interest topic already returns `WorkspaceSummarySnapshot`. Adding `openPullRequests` to that type means the sidebar automatically gets PR data without a new topic.
The `organization` subscription topic already returns `OrganizationSummarySnapshot`. Adding `openPullRequests` to that type means the sidebar automatically gets PR data without a new topic.
`workspaceUpdated` events should include a new variant for PR changes:
`organizationUpdated` events should include a new variant for PR changes:
```typescript
{ type: "pullRequestUpdated", pullRequest: WorkbenchOpenPrSummary }
{ type: "pullRequestRemoved", prId: string }
@ -117,7 +117,7 @@ The `workspace` interest topic already returns `WorkspaceSummarySnapshot`. Addin
### Sidebar Changes
The left sidebar currently renders `projects: ProjectSection[]` where each project has `tasks: Task[]`. Extend this to include open PRs as lightweight entries within each project section:
The left sidebar currently renders `repositories: RepositorySection[]` where each repository has `tasks: Task[]`. Extend this to include open PRs as lightweight entries within each repository section:
- Open PRs appear in the same list as tasks, sorted by `updatedAtMs`
- PRs should be visually distinct: show PR icon instead of task indicator, display `#number` and author
@ -134,7 +134,7 @@ Add a "three dots" menu button in the top-right of the sidebar header. Dropdown
- **Reload all PRs** — calls `githubState.fullSync({ force: true })` (convenience shortcut)
For per-repo and per-PR reload, add context menu options:
- Right-click a project header → "Reload repository"
- Right-click a repository header → "Reload repository"
- Right-click a PR entry → "Reload pull request"
These call the corresponding `reloadRepository`/`reloadPullRequest` actions on the `github-state` actor.
@ -143,27 +143,27 @@ These call the corresponding `reloadRepository`/`reloadPullRequest` actions on t
Files/code to remove:
1. `foundry/packages/backend/src/actors/project-pr-sync/` — entire directory
2. `foundry/packages/backend/src/actors/project/db/schema.ts` — `prCache` table
3. `foundry/packages/backend/src/actors/project/actions.ts` — `applyPrSyncResultMutation`, `getPullRequestForBranch` (moves to github-state), `prSyncStatus`/`prSyncAt` from `getRepoOverview`
1. `foundry/packages/backend/src/actors/repository-pr-sync/` — entire directory
2. `foundry/packages/backend/src/actors/repository/db/schema.ts` — `prCache` table
3. `foundry/packages/backend/src/actors/repository/actions.ts` — `applyPrSyncResultMutation`, `getPullRequestForBranch` (moves to github-state), `prSyncStatus`/`prSyncAt` from `getRepoOverview`
4. `foundry/packages/backend/src/actors/handles.ts``getOrCreateProjectPrSync`, `selfProjectPrSync`
5. `foundry/packages/backend/src/actors/keys.ts` — any PR sync key helper
6. `foundry/packages/backend/src/actors/index.ts``projectPrSync` import and registration
7. All call sites in `ProjectActor` that spawn or call the PR sync actor (`initProject`, `refreshProject`)
6. `foundry/packages/backend/src/actors/index.ts``repositoryPrSync` import and registration
7. All call sites in `RepositoryActor` that spawn or call the PR sync actor (`initProject`, `refreshProject`)
## Migration Path
The `prCache` table in `ProjectActor`'s DB can simply be dropped — no data migration needed since the `github-state` actor will re-fetch everything on its first `fullSync`. Existing task `pullRequest` fields are populated from the github-state actor going forward.
The `prCache` table in `RepositoryActor`'s DB can simply be dropped — no data migration needed since the `github-state` actor will re-fetch everything on its first `fullSync`. Existing task `pullRequest` fields are populated from the github-state actor going forward.
## Implementation Order
1. Create `github-state` actor (adapt from checkpoint `0aca2c7`)
2. Wire up actor in registry, handles, keys
3. Implement webhook dispatch in app-shell (replace TODO)
4. Delete `ProjectPrSyncActor` and `prCache` from project actor
4. Delete `ProjectPrSyncActor` and `prCache` from repository actor
5. Add manual reload actions to github-state
6. Extend `WorkspaceSummarySnapshot` with `openPullRequests`
7. Wire through interest manager + workspace events
6. Extend `OrganizationSummarySnapshot` with `openPullRequests`
7. Wire through subscription manager + organization events
8. Update sidebar to render open PRs
9. Add three-dots menu with reload options
10. Update task creation flow for lazy PR→task conversion

381
foundry/research/specs/remove-local-git-clone.md Normal file
View file

@ -0,0 +1,381 @@
# Remove Local Git Clone from Backend
## Goal
The Foundry backend stores zero git state. No clones, no refs, no working trees, no git-spice. All git operations execute inside sandboxes. Repo metadata (branches, default branch, PRs) comes from GitHub API/webhooks which we already have.
## Terminology renames
Rename Foundry domain terms across the entire `foundry/` directory. All changes are breaking — no backwards compatibility needed. Execute as separate atomic commits in this order. `pnpm -w typecheck && pnpm -w build && pnpm -w test` must pass between each.
| New name | Old name (current code) |
|---|---|
| **Organization** | Workspace |
| **Repository** | Project |
| **Session** (not "tab") | Tab / Session (mixed) |
| **Subscription** | Interest |
| **SandboxProviderId** | ProviderId |
### Rename 1: `interest``subscription`
The realtime pub/sub system in `client/src/interest/`. Rename the directory, all types (`InterestManager``SubscriptionManager`, `MockInterestManager``MockSubscriptionManager`, `RemoteInterestManager``RemoteSubscriptionManager`, `DebugInterestTopic``DebugSubscriptionTopic`), the `useInterest` hook → `useSubscription`, and all imports in client + frontend. Rename `frontend/src/lib/interest.ts``subscription.ts`. Rename test file `client/test/interest-manager.test.ts``subscription-manager.test.ts`.
### Rename 2: `tab``session`
The UI "tab" concept is really a session. Rename `TabStrip``SessionStrip`, `tabId``sessionId`, `closeTab``closeSession`, `addTab``addSession`, `WorkbenchAgentTab``WorkbenchAgentSession`, `TaskWorkbenchTabInput``TaskWorkbenchSessionInput`, `TaskWorkbenchAddTabResponse``TaskWorkbenchAddSessionResponse`, and all related props/DOM attrs (`activeTabId``activeSessionId`, `onSwitchTab``onSwitchSession`, `onCloseTab``onCloseSession`, `data-tab``data-session`, `editingSessionTabId``editingSessionId`). Rename file `tab-strip.tsx``session-strip.tsx`. **Leave "diff tabs" alone** (`isDiffTab`, `diffTabId`) — those are file viewer panes, a different concept.
### Rename 3: `ProviderId``SandboxProviderId`
The `ProviderId` type (`"e2b" | "local"`) is specifically a sandbox provider. Rename the type (`ProviderId``SandboxProviderId`), schema (`ProviderIdSchema``SandboxProviderIdSchema`), and all `providerId` fields that refer to sandbox hosting (`CreateTaskInput`, `TaskRecord`, `SwitchResult`, `WorkbenchSandboxSummary`, task DB schema `task.provider_id``sandbox_provider_id`, `task_sandboxes.provider_id``sandbox_provider_id`, topic params). Rename config key `providers``sandboxProviders`. DB column renames need Drizzle migrations.
**Do NOT rename**: `model.provider` (AI model provider), `auth_account_index.provider_id` (auth provider), `providerAgent()` (model→agent mapping), `WorkbenchModelGroup.provider`.
Also **delete the `providerProfiles` table entirely** — it's written but never read (dead code). Remove the table definition from the organization actor DB schema, all writes in organization actions, and the `refreshProviderProfiles` queue command/handler/interface.
### Rename 4: `project``repository`
The "project" actor/entity is a git repository. Rename:
- Actor directory `actors/project/``actors/repository/`
- Actor directory `actors/project-branch-sync/``actors/repository-branch-sync/`
- Actor registry keys `project``repository`, `projectBranchSync``repositoryBranchSync`
- Actor name string `"Project"``"Repository"`
- All functions: `projectKey``repositoryKey`, `getOrCreateProject``getOrCreateRepository`, `getProject``getRepository`, `selfProject``selfRepository`, `projectBranchSyncKey``repositoryBranchSyncKey`, `projectPrSyncKey``repositoryPrSyncKey`, `projectWorkflowQueueName``repositoryWorkflowQueueName`
- Types: `ProjectInput``RepositoryInput`, `WorkbenchProjectSection``WorkbenchRepositorySection`, `PROJECT_QUEUE_NAMES``REPOSITORY_QUEUE_NAMES`
- Queue names: `"project.command.*"``"repository.command.*"`
- Actor key strings: change `"project"` to `"repository"` in key arrays (e.g. `["ws", id, "project", repoId]``["org", id, "repository", repoId]`)
- Frontend: `projects``repositories`, `collapsedProjects``collapsedRepositories`, `hoveredProjectId``hoveredRepositoryId`, `PROJECT_COLORS``REPOSITORY_COLORS`, `data-project-*``data-repository-*`, `groupWorkbenchProjects``groupWorkbenchRepositories`
- Client keys: `projectKey()``repositoryKey()`, `projectBranchSyncKey()``repositoryBranchSyncKey()`, `projectPrSyncKey()``repositoryPrSyncKey()`
### Rename 5: `workspace``organization`
The "workspace" is really an organization. Rename:
- Actor directory `actors/workspace/``actors/organization/`
- Actor registry key `workspace``organization`
- Actor name string `"Workspace"``"Organization"`
- All types: `WorkspaceIdSchema``OrganizationIdSchema`, `WorkspaceId``OrganizationId`, `WorkspaceEvent``OrganizationEvent`, `WorkspaceSummarySnapshot``OrganizationSummarySnapshot`, `WorkspaceUseInputSchema``OrganizationUseInputSchema`, `WorkspaceHandle``OrganizationHandle`, `WorkspaceTopicParams``OrganizationTopicParams`
- All `workspaceId` fields/params → `organizationId` (~20+ schemas in contracts.ts, plus topic params, task snapshot, etc.)
- `FoundryOrganization.workspaceId``FoundryOrganization.organizationId` (or just `id`)
- All functions: `workspaceKey``organizationKey`, `getOrCreateWorkspace``getOrCreateOrganization`, `selfWorkspace``selfOrganization`, `resolveWorkspaceId``resolveOrganizationId`, `defaultWorkspace``defaultOrganization`, `workspaceWorkflowQueueName``organizationWorkflowQueueName`, `WORKSPACE_QUEUE_NAMES``ORGANIZATION_QUEUE_NAMES`
- Actor key strings: change `"ws"` to `"org"` in key arrays (e.g. `["ws", id]``["org", id]`)
- Queue names: `"workspace.command.*"``"organization.command.*"`
- Topic keys: `"workspace:${id}"``"organization:${id}"`, event `"workspaceUpdated"``"organizationUpdated"`
- Methods: `connectWorkspace``connectOrganization`, `getWorkspaceSummary``getOrganizationSummary`, `useWorkspace``useOrganization`
- Files: `shared/src/workspace.ts``organization.ts`, `backend/src/config/workspace.ts``organization.ts`
- Config keys: `config.workspace.default``config.organization.default`
- URL paths: `/workspaces/$workspaceId``/organizations/$organizationId`
- UI strings: `"Loading workspace..."``"Loading organization..."`
- Tests: rename `workspace-*.test.ts` files, update `workspaceSnapshot()``organizationSnapshot()`, `workspaceId: "ws-1"``organizationId: "org-1"`
### After all renames: update CLAUDE.md files
Update `foundry/CLAUDE.md` and `foundry/packages/backend/CLAUDE.md` to use new terminology throughout (organization instead of workspace, repository instead of project, etc.). The rest of this spec already uses the new names.
## What gets deleted
### Entire directories/files
| Path (relative to `packages/backend/src/`) | Reason |
|---|---|
| `integrations/git/index.ts` | All local git operations |
| `integrations/git-spice/index.ts` | Stack management via git-spice |
| `actors/repository-branch-sync/` (currently `project-branch-sync/`) | Polling actor that fetches + reads local clone every 5s |
| `actors/project-pr-sync/` | Empty directory, already dead |
| `actors/repository/stack-model.ts` (currently `project/stack-model.ts`) | Stack parent/sort model (git-spice dependent) |
| `test/git-spice.test.ts` | Tests for deleted git-spice integration |
| `test/git-validate-remote.test.ts` | Tests for deleted git validation |
| `test/stack-model.test.ts` | Tests for deleted stack model |
### Driver interfaces removed from `driver.ts`
- `GitDriver` — entire interface deleted
- `StackDriver` — entire interface deleted
- `BackendDriver.git` — removed
- `BackendDriver.stack` — removed
- All imports from `integrations/git/` and `integrations/git-spice/`
`BackendDriver` keeps only `github` and `tmux`.
### Test driver cleanup (`test/helpers/test-driver.ts`)
- Delete `createTestGitDriver()`
- Delete `createTestStackDriver()`
- Remove `git` and `stack` from `createTestDriver()`
### Docker volume removed (`compose.dev.yaml`, `compose.preview.yaml`)
- Remove `foundry_git_repos` volume and its mount at `/root/.local/share/foundry/repos`
- Remove the CLAUDE.md note about the repos volume
### Actor registry cleanup (`actors/index.ts`, `actors/keys.ts`, `actors/handles.ts`)
- Remove `RepositoryBranchSyncActor` (currently `ProjectBranchSyncActor`) registration
- Remove `repositoryBranchSyncKey` (currently `projectBranchSyncKey`)
- Remove branch sync handle helpers
### Client key cleanup (`packages/client/src/keys.ts`, `packages/client/test/keys.test.ts`)
- Remove `repositoryBranchSyncKey` (currently `projectBranchSyncKey`) if exported
### Dead code removal: `providerProfiles` table
The `providerProfiles` table in the organization actor (currently workspace actor) DB is written but never read. Delete:
- Table definition in `actors/organization/db/schema.ts` (currently `workspace/db/schema.ts`)
- All writes in `actors/organization/actions.ts` (currently `workspace/actions.ts`)
- The `refreshProviderProfiles` queue command and handler
- The `RefreshProviderProfilesCommand` interface
- Add a DB migration to drop the `provider_profiles` table
### Ensure pattern cleanup (`actors/repository/actions.ts`, currently `project/actions.ts`)
Delete all `ensure*` functions that block action handlers on external I/O or cross-actor fan-out:
- **`ensureLocalClone()`** — Delete (git clone removal).
- **`ensureProjectReady()`** / **`ensureRepositoryReady()`** — Delete (wrapper around `ensureLocalClone` + sync actors).
- **`ensureProjectReadyForRead()`** / **`ensureRepositoryReadyForRead()`** — Delete (dispatches ensure with 10s wait on read path).
- **`ensureProjectSyncActors()`** / **`ensureRepositorySyncActors()`** — Delete (spawns branch sync actor which is being removed).
- **`forceProjectSync()`** / **`forceRepositorySync()`** — Delete (triggers branch sync actor).
- **`ensureTaskIndexHydrated()`** — Delete. This is the migration path from `HistoryActor``task_index` table. Since we assume fresh repositories, no migration needed. The task index is populated on write (`createTask` inserts the row).
- **`ensureTaskIndexHydratedForRead()`** — Delete (wrapper that dispatches `hydrateTaskIndex`).
- **`taskIndexHydrated` state flag** — Delete from repository actor state.
The `ensureAskpassScript()` is fine — it's a fast local operation.
### Dead schema tables and helpers (`actors/repository/db/schema.ts`, `actors/repository/actions.ts`)
With the branch sync actor and git-spice stack operations deleted, these tables have no writer and should be removed:
- **`branches` table** — populated by `RepositoryBranchSyncActor` from the local clone. Delete the table, its schema definition, and all reads from it (including `enrichTaskRecord` which reads `diffStat`, `hasUnpushed`, `conflictsWithMain`, `parentBranch` from this table).
- **`repoActionJobs` table** — populated by `runRepoStackAction()` for git-spice stack operations. Delete the table, its schema definition, and all helpers: `ensureRepoActionJobsTable()`, `writeRepoActionJob()`, `listRepoActionJobRows()`.
## What gets modified
### `actors/repository/actions.ts` (currently `project/actions.ts`)
This is the biggest change. Current git operations in this file:
1. **`createTaskMutation()`** — Currently calls `listLocalRemoteRefs` to check branch name conflicts against remote branches. Replace: branch conflict checking uses only the repository actor's `task_index` table (which branches are already taken by tasks). We don't need to check against remote branches — if the branch already exists on the remote, `git push` in the sandbox will handle it.
2. **`registerTaskBranch()`** — Currently does `fetch` + `remoteDefaultBaseRef` + `revParse` + git-spice stack tracking. Replace: default base branch comes from GitHub repo metadata (already stored from webhook/API at repo add time). SHA resolution is not needed at task creation — the sandbox handles it. Delete all git-spice stack tracking.
3. **`getRepoOverview()`** — Currently calls `listLocalRemoteRefs` + `remoteDefaultBaseRef` + `stack.available` + `stack.listStack`. Replace: branch data comes from GitHub API data we already store from webhooks (push/create/delete events feed branch state). Stack data is deleted. The overview returns branches from stored GitHub webhook data.
4. **`runRepoStackAction()`** — Delete entirely (all git-spice stack operations).
5. **All `normalizeBaseBranchName` imports from git-spice** — Inline or move to a simple utility if still needed.
6. **All `ensureTaskIndexHydrated*` / `ensureRepositoryReady*` call sites** — Remove. Read actions query the `task_index` table directly; if it's empty, it's empty. Write actions populate it on create.
### `actors/repository/index.ts` (currently `project/index.ts`)
- Remove local clone path from state/initialization
- Remove branch sync actor spawning
- Remove any `ensureLocalClone` calls in lifecycle
### `actors/task/workbench.ts`
- **`ensureSandboxRepo()` line 405**: Currently calls `driver.git.remoteDefaultBaseRef()` on the local clone. Replace: read default branch from repository actor state (which gets it from GitHub API/webhook data at repo add time).
### `actors/organization/actions.ts` (currently `workspace/actions.ts`)
- **`addRemote()` line 320**: Currently calls `driver.git.validateRemote()` which runs `git ls-remote`. Replace: validate via GitHub API — `GET /repos/{owner}/{repo}` returns 404 for invalid repos. We already parse the remote URL into owner/repo for GitHub operations.
### `actors/keys.ts` / `actors/handles.ts`
- Remove `repositoryBranchSyncKey` (currently `projectBranchSyncKey`) export
- Remove branch sync handle creation
## What stays the same
- `driver.github.*` — already uses GitHub API, no changes
- `driver.tmux.*` — unrelated, no changes
- `integrations/github/index.ts` — already GitHub API based, keeps working
- All sandbox execution (`executeInSandbox()`) — already correct pattern
- Webhook handlers for push/create/delete events — already feed GitHub data into backend
## CLAUDE.md updates
### `foundry/packages/backend/CLAUDE.md`
Remove `RepositoryBranchSyncActor` (currently `ProjectBranchSyncActor`) from the actor hierarchy tree:
```text
OrganizationActor
├─ HistoryActor(organization-scoped global feed)
├─ GithubDataActor
├─ RepositoryActor(repo)
│ └─ TaskActor(task)
│ ├─ TaskSessionActor(session) x N
│ │ └─ SessionStatusSyncActor(session) x 0..1
│ └─ Task-local workbench state
└─ SandboxInstanceActor(sandboxProviderId, sandboxId) x N
```
Add to Ownership Rules:
> - The backend stores no local git state. No clones, no refs, no working trees, no git-spice. Repo metadata (branches, default branch) comes from GitHub API and webhook events. All git operations that require a working tree execute inside sandboxes via `executeInSandbox()`.
### `foundry/CLAUDE.md`
Add a new section:
```markdown
## Git State Policy
- The backend stores **zero git state**. No local clones, no refs, no working trees, no git-spice.
- Repo metadata (branches, default branch, PRs) comes from GitHub API and webhook events already flowing into the system.
- All git operations that require a working tree (diff, push, conflict check, rev-parse) execute inside the task's sandbox via `executeInSandbox()`.
- Do not add local git clone paths, `git fetch`, `git for-each-ref`, or any direct git CLI calls to the backend. If you need git data, either read it from stored GitHub webhook/API data or run it in a sandbox.
- The `BackendDriver` has no `GitDriver` or `StackDriver`. Only `GithubDriver` and `TmuxDriver` remain.
- git-spice is not used anywhere in the system.
```
Remove from CLAUDE.md:
> - Docker dev: `compose.dev.yaml` mounts a named volume at `/root/.local/share/foundry/repos` to persist backend-managed git clones across restarts. Code must still work if this volume is not present (create directories as needed).
## Concerns
1. **Concurrent agent work**: Another agent is currently modifying `workspace/actions.ts`, `project/actions.ts`, `task/workbench.ts`, `task/workflow/init.ts`, `task/workflow/queue.ts`, `driver.ts`, and `project-branch-sync/index.ts`. Those changes are adding `listLocalRemoteRefs` to the driver and removing polling loops/timeouts. The git clone removal work will **delete** the code the other agent is modifying. Coordinate: let the other agent's changes land first, then this spec deletes the git integration entirely.
2. **Rename ordering**: The rename spec (workspace→organization, project→repository, etc.) should ideally land **before** this spec is executed, so the file paths and identifiers match. If not, the implementing agent should map old names → new names using the table above.
3. **`project-pr-sync/` directory**: This is already an empty directory. Delete it as part of cleanup.
4. **`ensureRepoActionJobsTable()`**: The current spec mentions this should stay but the `repoActionJobs` table is being deleted. Updating: both the table and the ensure function should be deleted.
## Validation
After implementation, run:
```bash
pnpm -w typecheck
pnpm -w build
pnpm -w test
```
Then restart the dev stack and run the main user flow end-to-end:
```bash
just foundry-dev-down && just foundry-dev
```
Verify:
1. Add a repo to an organization
2. Create a task (should return immediately with taskId)
3. Task appears in sidebar with pending status
4. Task provisions and transitions to ready
5. Session is created and initial message is sent
6. Agent responds in the session transcript
This must work against a real GitHub repo (`rivet-dev/sandbox-agent-testing`) with the dev environment credentials.
### Codebase grep validation
After implementation, verify no local git operations or git-spice references remain in the backend:
```bash
# No local git CLI calls (excludes integrations/github which is GitHub API, not local git)
rg -l 'execFileAsync\("git"' foundry/packages/backend/src/ && echo "FAIL: local git CLI calls found" || echo "PASS"
# No git-spice references
rg -l 'git.spice|gitSpice|git_spice' foundry/packages/backend/src/ && echo "FAIL: git-spice references found" || echo "PASS"
# No GitDriver or StackDriver references
rg -l 'GitDriver|StackDriver' foundry/packages/backend/src/ && echo "FAIL: deleted driver interfaces still referenced" || echo "PASS"
# No local clone path references
rg -l 'localPath|ensureCloned|ensureLocalClone|foundryRepoClonePath' foundry/packages/backend/src/ && echo "FAIL: local clone references found" || echo "PASS"
# No branch sync actor references
rg -l 'BranchSync|branchSync|branch.sync' foundry/packages/backend/src/ && echo "FAIL: branch sync references found" || echo "PASS"
# No deleted ensure patterns
rg -l 'ensureProjectReady|ensureTaskIndexHydrated|taskIndexHydrated' foundry/packages/backend/src/ && echo "FAIL: deleted ensure patterns found" || echo "PASS"
# integrations/git/ and integrations/git-spice/ directories should not exist
ls foundry/packages/backend/src/integrations/git/index.ts 2>/dev/null && echo "FAIL: git integration not deleted" || echo "PASS"
ls foundry/packages/backend/src/integrations/git-spice/index.ts 2>/dev/null && echo "FAIL: git-spice integration not deleted" || echo "PASS"
```
All checks must pass before the change is considered complete.
### Rename verification
After the rename spec has landed, verify no old names remain anywhere in `foundry/`:
```bash
# --- workspace → organization ---
# No "WorkspaceActor", "WorkspaceEvent", "WorkspaceId", "WorkspaceSummary", etc. (exclude pnpm-workspace.yaml, node_modules, .turbo)
rg -l 'WorkspaceActor|WorkspaceEvent|WorkspaceId|WorkspaceSummary|WorkspaceHandle|WorkspaceUseInput|WorkspaceTopicParams' foundry/packages/ && echo "FAIL: workspace type references remain" || echo "PASS"
# No workspaceId in domain code (exclude pnpm-workspace, node_modules, .turbo, this spec file)
rg -l 'workspaceId' foundry/packages/ --glob '!node_modules' --glob '!*.md' && echo "FAIL: workspaceId references remain" || echo "PASS"
# No workspace actor directory
ls foundry/packages/backend/src/actors/workspace/ 2>/dev/null && echo "FAIL: workspace actor directory not renamed" || echo "PASS"
# No workspaceKey function
rg 'workspaceKey|selfWorkspace|getOrCreateWorkspace|resolveWorkspaceId|defaultWorkspace' foundry/packages/ --glob '!node_modules' && echo "FAIL: workspace function references remain" || echo "PASS"
# No "ws" actor key string (the old key prefix)
rg '"\\"ws\\""|\["ws"' foundry/packages/ --glob '!node_modules' && echo "FAIL: old 'ws' actor key strings remain" || echo "PASS"
# No workspace queue names
rg 'workspace\.command\.' foundry/packages/ --glob '!node_modules' --glob '!*.md' && echo "FAIL: workspace queue names remain" || echo "PASS"
# No /workspaces/ URL paths
rg '/workspaces/' foundry/packages/ --glob '!node_modules' --glob '!*.md' && echo "FAIL: /workspaces/ URL paths remain" || echo "PASS"
# No config.workspace
rg 'config\.workspace' foundry/packages/ --glob '!node_modules' --glob '!*.md' && echo "FAIL: config.workspace references remain" || echo "PASS"
# --- project → repository ---
# No ProjectActor, ProjectInput, ProjectSection, etc.
rg -l 'ProjectActor|ProjectInput|ProjectSection|PROJECT_QUEUE|PROJECT_COLORS' foundry/packages/ --glob '!node_modules' && echo "FAIL: project type references remain" || echo "PASS"
# No project actor directory
ls foundry/packages/backend/src/actors/project/ 2>/dev/null && echo "FAIL: project actor directory not renamed" || echo "PASS"
# No projectKey, selfProject, getOrCreateProject, etc.
rg 'projectKey|selfProject|getOrCreateProject|getProject\b|projectBranchSync|projectPrSync|projectWorkflow' foundry/packages/ --glob '!node_modules' && echo "FAIL: project function references remain" || echo "PASS"
# No "project" actor key string
rg '"\\"project\\""|\[".*"project"' foundry/packages/ --glob '!node_modules' --glob '!*.md' && echo "FAIL: old project actor key strings remain" || echo "PASS"
# No project.command.* queue names
rg 'project\.command\.' foundry/packages/ --glob '!node_modules' --glob '!*.md' && echo "FAIL: project queue names remain" || echo "PASS"
# --- tab → session ---
# No WorkbenchAgentTab, TaskWorkbenchTabInput, TabStrip, tabId (in workbench context)
rg -l 'WorkbenchAgentTab|TaskWorkbenchTabInput|TaskWorkbenchAddTabResponse|TabStrip' foundry/packages/ --glob '!node_modules' && echo "FAIL: tab type references remain" || echo "PASS"
# No tabId (should be sessionId now)
rg '\btabId\b' foundry/packages/ --glob '!node_modules' && echo "FAIL: tabId references remain" || echo "PASS"
# No tab-strip.tsx file
ls foundry/packages/frontend/src/components/mock-layout/tab-strip.tsx 2>/dev/null && echo "FAIL: tab-strip.tsx not renamed" || echo "PASS"
# No closeTab/addTab (should be closeSession/addSession)
rg '\bcloseTab\b|\baddTab\b' foundry/packages/ --glob '!node_modules' && echo "FAIL: closeTab/addTab references remain" || echo "PASS"
# --- interest → subscription ---
# No InterestManager, useInterest, etc.
rg -l 'InterestManager|useInterest|DebugInterestTopic' foundry/packages/ --glob '!node_modules' && echo "FAIL: interest type references remain" || echo "PASS"
# No interest/ directory
ls foundry/packages/client/src/interest/ 2>/dev/null && echo "FAIL: interest directory not renamed" || echo "PASS"
# --- ProviderId → SandboxProviderId ---
# No bare ProviderId/ProviderIdSchema (but allow sandboxProviderId, model.provider, auth provider_id)
rg '\bProviderIdSchema\b|\bProviderId\b' foundry/packages/shared/src/contracts.ts && echo "FAIL: bare ProviderId in contracts.ts" || echo "PASS"
# No bare providerId for sandbox context (check task schema)
rg '\bproviderId\b' foundry/packages/backend/src/actors/task/db/schema.ts && echo "FAIL: bare providerId in task schema" || echo "PASS"
# No providerProfiles table (dead code, should be deleted)
rg 'providerProfiles|provider_profiles|refreshProviderProfiles' foundry/packages/ --glob '!node_modules' --glob '!*.md' && echo "FAIL: providerProfiles references remain" || echo "PASS"
# --- Verify new names exist ---
rg -l 'OrganizationActor|OrganizationEvent|OrganizationId' foundry/packages/ --glob '!node_modules' | head -3 || echo "WARN: new organization names not found"
rg -l 'RepositoryActor|RepositoryInput|RepositorySection' foundry/packages/ --glob '!node_modules' | head -3 || echo "WARN: new repository names not found"
rg -l 'SubscriptionManager|useSubscription' foundry/packages/ --glob '!node_modules' | head -3 || echo "WARN: new subscription names not found"
rg -l 'SandboxProviderIdSchema|SandboxProviderId' foundry/packages/ --glob '!node_modules' | head -3 || echo "WARN: new sandbox provider names not found"
```
All checks must pass. False positives from markdown files, comments referencing old names in migration context, or `node_modules` should be excluded via the globs above.

174
foundry/research/specs/rivetkit-opentui-migration-plan.md
View file

@ -6,19 +6,19 @@ Date: 2026-02-08
## Locked Decisions
1. Entire rewrite is TypeScript. All Rust code will be deleted at cutover.
2. Repo stays a single monorepo, managed with `pnpm` workspaces + Turborepo.
2. Repo stays a single monorepo, managed with `pnpm` organizations + Turborepo.
3. `core` package is renamed to `shared`.
4. `integrations` and `providers` live inside the backend package (not top-level packages).
5. Rivet-backed state uses SQLite + Drizzle only.
6. RivetKit dependencies come from local `../rivet` builds only; no published npm packages.
7. Everything is workspace-scoped. Workspace is configurable from CLI.
8. `ControlPlaneActor` is renamed to `WorkspaceActor` (workspace coordinator).
9. Every actor key is prefixed by workspace.
10. `--workspace` is optional; commands resolve workspace via flag -> config default -> `default`.
7. Everything is organization-scoped. Organization is configurable from CLI.
8. `ControlPlaneActor` is renamed to `OrganizationActor` (organization coordinator).
9. Every actor key is prefixed by organization.
10. `--organization` is optional; commands resolve organization via flag -> config default -> `default`.
11. RivetKit local dependency wiring is `link:`-based.
12. Keep the existing config file path (`~/.config/foundry/config.toml`) and evolve keys in place.
13. `.agents` and skill files are in scope for migration updates.
14. Parent orchestration actors (`workspace`, `project`, `task`) use command-only loops with no timeout.
14. Parent orchestration actors (`organization`, `repository`, `task`) use command-only loops with no timeout.
15. Periodic syncing/polling runs in dedicated child actors, each with a single timeout cadence.
16. For each actor, define the main loop and exactly what data it mutates; keep single-writer ownership strict.
@ -38,10 +38,10 @@ The core architecture changes from "worktree-per-task" to "provider-selected san
1. Rust binaries/backend removed.
2. Existing IPC replaced by new TypeScript transport.
3. Configuration schema changes for workspace selection and sandbox provider defaults.
4. Runtime model changes from global control plane to workspace coordinator actor.
5. Database schema migrates to workspace + provider + sandbox identity model.
6. Command options evolve to include workspace and provider selection.
3. Configuration schema changes for organization selection and sandbox provider defaults.
4. Runtime model changes from global control plane to organization coordinator actor.
5. Database schema migrates to organization + provider + sandbox identity model.
6. Command options evolve to include organization and provider selection.
## Monorepo and Build Tooling
@ -49,7 +49,7 @@ Root tooling is standardized:
- `pnpm-workspace.yaml`
- `turbo.json`
- workspace scripts through `pnpm` + `turbo run ...`
- organization scripts through `pnpm` + `turbo run ...`
Target package layout:
@ -59,13 +59,13 @@ packages/
backend/
src/
actors/
workspace.ts
project.ts
organization.ts
repository.ts
task.ts
sandbox-instance.ts
history.ts
project-pr-sync.ts
project-branch-sync.ts
repository-pr-sync.ts
repository-branch-sync.ts
task-status-sync.ts
keys.ts
events.ts
@ -88,13 +88,13 @@ packages/
server.ts
types.ts
config/
workspace.ts
organization.ts
backend.ts
cli/ # hf command surface
src/
commands/
client/ # backend transport client
workspace/ # workspace selection resolver
organization/ # organization selection resolver
tui/ # OpenTUI app
src/
app/
@ -111,13 +111,13 @@ CLI and TUI are separate packages in the same monorepo, not separate repositorie
Backend actor files and responsibilities:
1. `packages/backend/src/actors/workspace.ts`
- `WorkspaceActor` implementation.
- Provider profile resolution and workspace-level coordination.
- Spawns/routes to `ProjectActor` handles.
1. `packages/backend/src/actors/organization.ts`
- `OrganizationActor` implementation.
- Provider profile resolution and organization-level coordination.
- Spawns/routes to `RepositoryActor` handles.
2. `packages/backend/src/actors/project.ts`
- `ProjectActor` implementation.
2. `packages/backend/src/actors/repository.ts`
- `RepositoryActor` implementation.
- Branch snapshot refresh, PR cache orchestration, stream publication.
- Routes task actions to `TaskActor`.
@ -134,7 +134,7 @@ Backend actor files and responsibilities:
- Writes workflow events to SQLite via Drizzle.
6. `packages/backend/src/actors/keys.ts`
- Workspace-prefixed actor key builders/parsers.
- Organization-prefixed actor key builders/parsers.
7. `packages/backend/src/actors/events.ts`
- Internal actor event envelopes and stream payload types.
@ -145,13 +145,13 @@ Backend actor files and responsibilities:
9. `packages/backend/src/actors/index.ts`
- Actor exports and composition wiring.
10. `packages/backend/src/actors/project-pr-sync.ts`
10. `packages/backend/src/actors/repository-pr-sync.ts`
- Read-only PR polling loop (single timeout cadence).
- Sends sync results back to `ProjectActor`.
- Sends sync results back to `RepositoryActor`.
11. `packages/backend/src/actors/project-branch-sync.ts`
11. `packages/backend/src/actors/repository-branch-sync.ts`
- Read-only branch snapshot polling loop (single timeout cadence).
- Sends sync results back to `ProjectActor`.
- Sends sync results back to `RepositoryActor`.
12. `packages/backend/src/actors/task-status-sync.ts`
- Read-only session/sandbox status polling loop (single timeout cadence).
@ -169,17 +169,17 @@ pnpm build -F rivetkit
2. Consume via local `link:` dependencies to built artifacts.
3. Keep dependency wiring deterministic and documented in repo scripts.
## Workspace Model
## Organization Model
Every command executes against a resolved workspace context.
Every command executes against a resolved organization context.
Workspace selection:
Organization selection:
1. CLI flag: `--workspace <name>`
2. Config default workspace
1. CLI flag: `--organization <name>`
2. Config default organization
3. Fallback to `default`
Workspace controls:
Organization controls:
1. provider profile defaults
2. sandbox policy
@ -188,45 +188,45 @@ Workspace controls:
## New Actor Implementation Overview
RivetKit registry actor keys are workspace-prefixed:
RivetKit registry actor keys are organization-prefixed:
1. `WorkspaceActor` (workspace coordinator)
- Key: `["ws", workspaceId]`
- Owns workspace config/runtime coordination, provider registry, workspace health.
- Resolves provider defaults and workspace-level policies.
1. `OrganizationActor` (organization coordinator)
- Key: `["ws", organizationId]`
- Owns organization config/runtime coordination, provider registry, organization health.
- Resolves provider defaults and organization-level policies.
2. `ProjectActor`
- Key: `["ws", workspaceId, "project", repoId]`
2. `RepositoryActor`
- Key: `["ws", organizationId, "repository", repoId]`
- Owns repo snapshot cache and PR cache refresh orchestration.
- Routes branch/task commands to task actors.
- Streams project updates to CLI/TUI subscribers.
- Streams repository updates to CLI/TUI subscribers.
3. `TaskActor`
- Key: `["ws", workspaceId, "project", repoId, "task", taskId]`
- Key: `["ws", organizationId, "repository", repoId, "task", taskId]`
- Owns task metadata/runtime state.
- Creates/resumes sandbox + session through provider adapter.
- Handles attach/push/sync/merge/archive/kill and post-idle automation.
4. `SandboxInstanceActor` (optional but recommended)
- Key: `["ws", workspaceId, "provider", providerId, "sandbox", sandboxId]`
- Key: `["ws", organizationId, "provider", providerId, "sandbox", sandboxId]`
- Owns sandbox lifecycle, heartbeat, endpoint readiness, recovery.
5. `HistoryActor`
- Key: `["ws", workspaceId, "project", repoId, "history"]`
- Key: `["ws", organizationId, "repository", repoId, "history"]`
- Owns `events` writes and workflow timeline completeness.
6. `ProjectPrSyncActor` (child poller)
- Key: `["ws", workspaceId, "project", repoId, "pr-sync"]`
- Polls PR state on interval and emits results to `ProjectActor`.
- Key: `["ws", organizationId, "repository", repoId, "pr-sync"]`
- Polls PR state on interval and emits results to `RepositoryActor`.
- Does not write DB directly.
7. `ProjectBranchSyncActor` (child poller)
- Key: `["ws", workspaceId, "project", repoId, "branch-sync"]`
- Polls branch/worktree state on interval and emits results to `ProjectActor`.
- Key: `["ws", organizationId, "repository", repoId, "branch-sync"]`
- Polls branch/worktree state on interval and emits results to `RepositoryActor`.
- Does not write DB directly.
8. `TaskStatusSyncActor` (child poller)
- Key: `["ws", workspaceId, "project", repoId, "task", taskId, "status-sync"]`
- Key: `["ws", organizationId, "repository", repoId, "task", taskId, "status-sync"]`
- Polls agent/session/sandbox health on interval and emits results to `TaskActor`.
- Does not write DB directly.
@ -236,10 +236,10 @@ Ownership rule: each table/row has one actor writer.
Always define actor run-loop + mutated state together:
1. `WorkspaceActor`
- Mutates: `workspaces`, `workspace_provider_profiles`.
1. `OrganizationActor`
- Mutates: `organizations`, `workspace_provider_profiles`.
2. `ProjectActor`
2. `RepositoryActor`
- Mutates: `repos`, `branches`, `pr_cache` (applies child poller results).
3. `TaskActor`
@ -251,30 +251,30 @@ Always define actor run-loop + mutated state together:
5. `HistoryActor`
- Mutates: `events`.
6. Child sync actors (`project-pr-sync`, `project-branch-sync`, `task-status-sync`)
6. Child sync actors (`repository-pr-sync`, `repository-branch-sync`, `task-status-sync`)
- Mutates: none (read-only pollers; publish result messages only).
## Run Loop Patterns (Required)
Parent orchestration actors: no timeout, command-only queue loops.
### `WorkspaceActor` (no timeout)
### `OrganizationActor` (no timeout)
```ts
run: async (c) => {
while (true) {
const msg = await c.queue.next("workspace.command");
await handleWorkspaceCommand(c, msg); // writes workspace-owned tables only
const msg = await c.queue.next("organization.command");
await handleOrganizationCommand(c, msg); // writes organization-owned tables only
}
};
```
### `ProjectActor` (no timeout)
### `RepositoryActor` (no timeout)
```ts
run: async (c) => {
while (true) {
const msg = await c.queue.next("project.command");
const msg = await c.queue.next("repository.command");
await handleProjectCommand(c, msg); // includes applying sync results to branches/pr_cache
}
};
@ -321,10 +321,10 @@ Child sync actors: one timeout each, one cadence each.
run: async (c) => {
const intervalMs = 30_000;
while (true) {
const msg = await c.queue.next("project.pr_sync.command", { timeout: intervalMs });
const msg = await c.queue.next("repository.pr_sync.command", { timeout: intervalMs });
if (!msg) {
const result = await pollPrState();
await sendToProject({ name: "project.pr_sync.result", result });
await sendToProject({ name: "repository.pr_sync.result", result });
continue;
}
await handlePrSyncControl(c, msg); // force/stop/update-interval
@ -338,10 +338,10 @@ run: async (c) => {
run: async (c) => {
const intervalMs = 5_000;
while (true) {
const msg = await c.queue.next("project.branch_sync.command", { timeout: intervalMs });
const msg = await c.queue.next("repository.branch_sync.command", { timeout: intervalMs });
if (!msg) {
const result = await pollBranchState();
await sendToProject({ name: "project.branch_sync.result", result });
await sendToProject({ name: "repository.branch_sync.result", result });
continue;
}
await handleBranchSyncControl(c, msg);
@ -368,7 +368,7 @@ run: async (c) => {
## Sandbox Provider Interface
Provider contract lives under `packages/backend/src/providers/provider-api` and is consumed by workspace/project/task actors.
Provider contract lives under `packages/backend/src/providers/provider-api` and is consumed by organization/repository/task actors.
```ts
interface SandboxProvider {
@ -398,26 +398,26 @@ Initial providers:
- Boots/ensures Sandbox Agent inside sandbox.
- Returns endpoint/token for session operations.
## Command Surface (Workspace + Provider Aware)
## Command Surface (Organization + Provider Aware)
1. `hf create ... --workspace <ws> --provider <worktree|daytona>`
2. `hf switch --workspace <ws> [target]`
3. `hf attach --workspace <ws> [task]`
4. `hf list --workspace <ws>`
5. `hf kill|archive|merge|push|sync --workspace <ws> ...`
6. `hf workspace use <ws>` to set default workspace
1. `hf create ... --organization <ws> --provider <worktree|daytona>`
2. `hf switch --organization <ws> [target]`
3. `hf attach --organization <ws> [task]`
4. `hf list --organization <ws>`
5. `hf kill|archive|merge|push|sync --organization <ws> ...`
6. `hf organization use <ws>` to set default organization
List/TUI include provider and sandbox health metadata.
`--workspace` remains optional; omitted values use the standard resolution order.
`--organization` remains optional; omitted values use the standard resolution order.
## Data Model v2 (SQLite + Drizzle)
All persistent state is SQLite via Drizzle schema + migrations.
Tables (workspace-scoped):
Tables (organization-scoped):
1. `workspaces`
1. `organizations`
2. `workspace_provider_profiles`
3. `repos` (`workspace_id`, `repo_id`, ...)
4. `branches` (`workspace_id`, `repo_id`, ...)
@ -433,10 +433,10 @@ Migration approach: one-way migration from existing schema during TS backend boo
1. TypeScript backend exposes local control API (socket or localhost HTTP).
2. CLI/TUI are thin clients; all mutations go through backend actors.
3. OpenTUI subscribes to project streams from workspace-scoped project actors.
4. Workspace is required context on all backend mutation requests.
3. OpenTUI subscribes to repository streams from organization-scoped repository actors.
4. Organization is required context on all backend mutation requests.
CLI/TUI are responsible for resolving workspace context before calling backend mutations.
CLI/TUI are responsible for resolving organization context before calling backend mutations.
## CLI + TUI Packaging
@ -451,10 +451,10 @@ The package still calls the same backend API and shares contracts from `packages
## Implementation Phases
## Phase 0: Contracts and Workspace Spec
## Phase 0: Contracts and Organization Spec
1. Freeze workspace model, provider contract, and actor ownership map.
2. Freeze command flags for workspace + provider selection.
1. Freeze organization model, provider contract, and actor ownership map.
2. Freeze command flags for organization + provider selection.
3. Define Drizzle schema draft and migration plan.
Exit criteria:
@ -462,7 +462,7 @@ Exit criteria:
## Phase 1: TypeScript Monorepo Bootstrap
1. Add `pnpm` workspace + Turborepo pipeline.
1. Add `pnpm` organization + Turborepo pipeline.
2. Create `shared`, `backend`, and `cli` packages (with TUI integrated into CLI).
3. Add strict TypeScript config and CI checks.
@ -473,10 +473,10 @@ Exit criteria:
1. Wire local RivetKit dependency from `../rivet`.
2. Add SQLite + Drizzle migrations and query layer.
3. Implement actor registry with workspace-prefixed keys.
3. Implement actor registry with organization-prefixed keys.
Exit criteria:
- Backend boot + workspace actor health checks pass.
- Backend boot + organization actor health checks pass.
## Phase 3: Provider Layer in Backend
@ -487,9 +487,9 @@ Exit criteria:
Exit criteria:
- `create/list/switch/attach/push/sync/kill` pass on worktree provider.
## Phase 4: Workspace/Task Lifecycle
## Phase 4: Organization/Task Lifecycle
1. Implement workspace coordinator flows.
1. Implement organization coordinator flows.
2. Implement TaskActor full lifecycle + post-idle automation.
3. Implement history events and PR/CI/review change tracking.
@ -509,7 +509,7 @@ Exit criteria:
1. Build interactive list/switch UI in OpenTUI.
2. Implement key actions (attach/open PR/archive/merge/sync).
3. Add workspace switcher UX and provider/sandbox indicators.
3. Add organization switcher UX and provider/sandbox indicators.
Exit criteria:
- TUI parity and responsive streaming updates.
@ -534,7 +534,7 @@ Exit criteria:
2. Integration tests
- backend + sqlite + provider fakes
- workspace isolation boundaries
- organization isolation boundaries
- session recovery and restart handling
3. E2E tests