Stabilize Symphony Elixir orchestration and policy handling#43
Merged
frantic-openai merged 8 commits into main, Mar 10, 2026
Conversation
Summary:
- Tokenized scheduled retry messages so retries are applied only when the delivered timeout matches the current retry entry.
- Ignore legacy or stale retry timeout deliveries instead of letting them consume newer retry metadata.
- Added a regression test covering stale retry messages.
Rationale:
- Retry cancellation alone does not prevent already-delivered timeout messages from racing with newer retry state.
- Matching on a per-retry token keeps retry backoff sequencing deterministic under mailbox races.
Tests:
- mix test test/symphony_elixir/core_test.exs test/symphony_elixir/orchestrator_status_test.exs
Co-authored-by: Codex <codex@openai.com>

Summary:
- Tracked the active poll timer and delivery token in orchestrator state.
- Replaced fire-and-forget poll scheduling with cancellable, tokenized tick scheduling for startup, periodic polls, and manual refreshes.
- Added a regression test covering repeated refresh requests and ignored stale tick deliveries.
Rationale:
- Manual refreshes should replace a pending poll instead of racing it and enqueueing duplicate poll cycles.
- Tokenized tick messages keep the scheduler deterministic even when a cancelled timer still delivers later.
Tests:
- mix test test/symphony_elixir/core_test.exs test/symphony_elixir/orchestrator_status_test.exs
Co-authored-by: Codex <codex@openai.com>

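The pattern the two commits above describe, written out as an added example in Elixir (this is not Symphony's own orchestrator code; the module name, the `on_poll` option and the 50 ms interval are assumptions for the example). Each scheduled tick carries a fresh reference token and the state records only the live one, so a timer that was cancelled after its message was already in the mailbox is ignored, and a burst of manual refreshes collapses into one poll instead of several. Run it with `elixir tick_scheduler.exs`.

```elixir
# Added example, not Symphony's code: cancellable, tokenized tick scheduling.
defmodule TickScheduler do
  use GenServer

  @poll_interval_ms 50

  # Public API (names are assumptions for this example).
  def start_link(opts \\ []), do: GenServer.start_link(__MODULE__, opts)
  def refresh(pid), do: GenServer.cast(pid, :refresh)
  def polls(pid), do: GenServer.call(pid, :polls)

  @impl true
  def init(opts) do
    on_poll = Keyword.get(opts, :on_poll, fn -> :ok end)
    state = %{polls: 0, timer: nil, token: nil, on_poll: on_poll}
    # The startup poll goes through the same cancellable path as periodic polls.
    {:ok, schedule_tick(state, 0)}
  end

  @impl true
  def handle_cast(:refresh, state) do
    # A manual refresh replaces the pending poll. The old timer's token becomes
    # stale, so even if that timer already delivered its message it is dropped.
    {:noreply, schedule_tick(state, 0)}
  end

  @impl true
  def handle_call(:polls, _from, state), do: {:reply, state.polls, state}

  @impl true
  def handle_info({:tick, token}, %{token: token} = state) do
    # Token matches the live schedule: run the poll, then arm the next one.
    state.on_poll.()
    {:noreply, schedule_tick(%{state | polls: state.polls + 1}, @poll_interval_ms)}
  end

  def handle_info({:tick, _stale_token}, state) do
    # Delivered by a timer that was cancelled or superseded after its message
    # was already enqueued; ignoring it keeps the schedule deterministic.
    {:noreply, state}
  end

  defp schedule_tick(state, delay_ms) do
    # cancel_timer returns false if the timer already fired; the token check
    # in handle_info covers that case.
    if state.timer, do: Process.cancel_timer(state.timer)
    token = make_ref()
    timer = Process.send_after(self(), {:tick, token}, delay_ms)
    %{state | timer: timer, token: token}
  end
end

# Demonstration: ten back-to-back refreshes produce one extra poll, not ten
# queued poll cycles, and a hand-delivered tick with an unknown token is ignored.
{:ok, pid} = TickScheduler.start_link()
Process.sleep(10)                      # let the startup poll run
for _ <- 1..10, do: TickScheduler.refresh(pid)
send(pid, {:tick, make_ref()})         # simulated stale delivery
Process.sleep(20)
IO.inspect(TickScheduler.polls(pid), label: "polls after startup + 10 refreshes")
```

The ten casts are all in the mailbox before the first refresh tick is processed, so every tick but the last one carries a token that has already been replaced; only the final one runs a poll. The stale-delivery branch is what makes `Process.cancel_timer/1` returning `false` harmless.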
Summary:
- Added canonical path resolution for workspace and Codex cwd checks so symlinked roots and child paths resolve to their real locations.
- Hardened runtime turn sandbox policy resolution to reject unsafe types, external writable roots, relative writable roots, and network-enabled policies.
- Added regression coverage for symlinked workspace roots, symlink cwd escapes, and unsafe custom sandbox policies.
Rationale:
- Lexical prefix checks are not sufficient on macOS and other systems where workspace paths can traverse symlinks.
- Codex turn policies must stay bounded to the active issue workspace instead of accepting broader writable roots at runtime.
Tests:
- mix test test/symphony_elixir/workspace_and_config_test.exs test/symphony_elixir/app_server_test.exs
Co-authored-by: Codex <codex@openai.com>

Summary:
- Reconciled running workers against the IDs actually returned by the tracker refresh and stop workers whose issues disappear.
- Logged the missing-issue shutdown path and released claims without deleting the workspace.
- Added regression coverage for the missing-issue case and updated app-server startup expectations for canonical workspace paths.
Rationale:
- A running worker should not continue until stall timeout when the tracker no longer returns its issue.
- The runtime now canonicalizes workspace paths, so startup payload assertions must match the real bounded workspace and sandbox roots.
Tests:
- mix test test/symphony_elixir/core_test.exs test/symphony_elixir/orchestrator_status_test.exs
Co-authored-by: Codex <codex@openai.com>

Summary:
- Updated the Elixir README to distinguish startup failures from runtime workflow reload failures.
- Documented that reload errors keep the last known good workflow in service until the file is fixed.
- Included the formatter-only cleanup required by the final validation pass.
Rationale:
- The runtime intentionally keeps operating on the last known good workflow after a bad reload.
- The docs should match the implemented and tested behavior rather than describing a full scheduling halt on reload errors.
Tests:
- mix test
- mix format --check-formatted
- mix specs.check
Co-authored-by: Codex <codex@openai.com>

Summary:
- refactor writable root validation into smaller helpers that satisfy Credo without changing runtime behavior
- remove the unreachable empty-path branch from PathSafety
- add runtime sandbox and path safety tests to cover the remaining validation and error branches
Rationale:
- make all enforces formatting, lint, and 100 percent coverage
- the sandbox hardening changes introduced new branches that were not exercised by the existing suite
Tests:
- make all
Co-authored-by: Codex <codex@openai.com>

Summary:
- allow custom workspaceWrite writableRoots outside the issue workspace while still requiring absolute canonicalized paths
- keep runtime rejection for relative writable roots and networkAccess-enabled policies
- update tests and docs to reflect the Model B contract for trusted operator policy
Rationale:
- Symphony is operating in a trusted local automation model rather than a strict isolation harness
- the old boundary check added complexity and rejected legitimate shared caches or other explicit host paths
Tests:
- make all
Co-authored-by: Codex <codex@openai.com>

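Canonical path resolution and the writable-root rules from the path-safety commits above, as an added Elixir example (not Symphony's PathSafety module; the module name, the `within_workspace?` and `validate_policy` helpers, the depth limit and the temporary-directory layout are assumptions, while `workspaceWrite`, `writableRoots` and `networkAccess` are the policy keys the commit messages name). It implements the Model B contract of the commit directly above: roots outside the workspace are allowed but must be absolute and are stored canonicalized, relative roots and network access are rejected, and the workspace containment check runs on canonical forms so a symlinked root or a symlinked cwd compares against real locations. Run with `elixir path_safety.exs`.

```elixir
# Added example, not Symphony's code: canonical paths and writable-root checks.
defmodule PathSafetyExample do
  @max_symlink_depth 32

  # Resolve "..", "." and every symlinked component so two paths naming the same
  # location compare equal. A lexical prefix check alone misses symlinked roots.
  def canonicalize(path, depth \\ 0)
  def canonicalize(_path, depth) when depth > @max_symlink_depth, do: {:error, :symlink_loop}

  def canonicalize(path, depth) do
    [root | segments] = path |> Path.expand() |> Path.split()

    Enum.reduce_while(segments, {:ok, root}, fn seg, {:ok, acc} ->
      candidate = Path.join(acc, seg)

      case File.read_link(candidate) do
        # Symlink: resolve the target relative to the directory holding the link,
        # then canonicalize that (it may itself contain links).
        {:ok, target} ->
          case canonicalize(Path.expand(target, acc), depth + 1) do
            {:ok, resolved} -> {:cont, {:ok, resolved}}
            error -> {:halt, error}
          end

        # Not a symlink (or does not exist yet): keep the component as-is.
        {:error, _} ->
          {:cont, {:ok, candidate}}
      end
    end)
  end

  # True when `path` is the workspace root or lies beneath it, compared on
  # canonical forms so a symlinked cwd cannot escape the workspace.
  def within_workspace?(workspace, path) do
    with {:ok, root} <- canonicalize(workspace),
         {:ok, real} <- canonicalize(path) do
      real == root or String.starts_with?(real, String.trim_trailing(root, "/") <> "/")
    else
      _ -> false
    end
  end

  # Model B: writable roots may sit anywhere on the host, but must be absolute
  # and are canonicalized; relative roots and network access are rejected.
  def validate_policy(%{"type" => "workspaceWrite"} = policy) do
    roots = Map.get(policy, "writableRoots", [])
    relative = Enum.reject(roots, &(Path.type(&1) == :absolute))

    cond do
      Map.get(policy, "networkAccess", false) == true -> {:error, :network_access_not_allowed}
      relative != [] -> {:error, {:relative_writable_root, relative}}
      true -> canonicalize_roots(policy, roots)
    end
  end

  def validate_policy(%{"type" => type}), do: {:error, {:unsafe_sandbox_type, type}}
  def validate_policy(_), do: {:error, :missing_sandbox_type}

  defp canonicalize_roots(policy, roots) do
    roots
    |> Enum.reduce_while({:ok, []}, fn root, {:ok, acc} ->
      case canonicalize(root) do
        {:ok, real} -> {:cont, {:ok, [real | acc]}}
        error -> {:halt, error}
      end
    end)
    |> case do
      {:ok, canon} -> {:ok, Map.put(policy, "writableRoots", Enum.reverse(canon))}
      error -> error
    end
  end
end

# Demonstration on a constructed temporary layout: a symlinked workspace root and
# a cwd symlink inside the workspace that points outside it.
base = Path.join(System.tmp_dir!(), "pathsafety-#{System.unique_integer([:positive])}")
real_ws = Path.join(base, "real-workspace")
link_ws = Path.join(base, "linked-workspace")
outside = Path.join(base, "outside")
File.mkdir_p!(Path.join(real_ws, "src"))
File.mkdir_p!(outside)
File.ln_s!(real_ws, link_ws)                        # symlinked workspace root
File.ln_s!(outside, Path.join(real_ws, "escape"))   # cwd symlink escaping the workspace

IO.inspect(PathSafetyExample.within_workspace?(link_ws, Path.join(link_ws, "src")), label: "child under symlinked root")
IO.inspect(PathSafetyExample.within_workspace?(real_ws, Path.join(real_ws, "escape")), label: "symlink escaping workspace")
IO.inspect(PathSafetyExample.validate_policy(%{"type" => "workspaceWrite", "writableRoots" => [link_ws, outside]}), label: "absolute roots outside workspace")
IO.inspect(PathSafetyExample.validate_policy(%{"type" => "workspaceWrite", "writableRoots" => ["cache"]}), label: "relative root")
IO.inspect(PathSafetyExample.validate_policy(%{"type" => "workspaceWrite", "networkAccess" => true}), label: "network access")
File.rm_rf!(base)
```

On macOS `System.tmp_dir!/0` itself lives under a symlink (`/tmp` resolves to `/private/tmp`), which is exactly why both sides of the containment check go through `canonicalize/1` before being compared. Note that the final commit on this PR passes explicit Codex policies through unchanged, so checks like `validate_policy/1` apply to the default policy Symphony synthesizes itself rather than to operator-supplied maps.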
Summary:
- pass explicit codex turn sandbox policies through unchanged and keep local policy synthesis only for the default workspaceWrite case
- add integration coverage asserting AppServer forwards explicit sandbox policies without local rewriting
- paginate Linear issue-state refreshes by id in 50-item batches and preserve requested issue ordering across merged results
Rationale:
- Symphony should not impose local semantics on explicit Codex sandbox policy maps beyond generating its own default when omitted
- issue-state reconciliation depends on seeing the full running-id set, so single-page by-id fetches could wrongly stop healthy workers
Tests:
- make all
Co-authored-by: Codex <codex@openai.com>
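The batched by-id refresh from the commit above, combined with the missing-issue reconciliation from the earlier "Reconciled running workers" commit, as an added Elixir example (not Symphony's tracker or orchestrator code; the module, function names and the in-memory fake tracker are assumptions, and the 50-item batch size is the one the commit names). It shows why a single-page fetch is not enough: with more than 50 running ids, the second and third batches are the only thing standing between healthy workers and a wrongful stop. Run with `elixir issue_refresh.exs`.

```elixir
# Added example, not Symphony's code: batched issue refresh plus reconciliation.
defmodule IssueRefreshExample do
  @batch_size 50

  # Fetch all requested ids in batches and return the issues in the same order
  # as `ids`; ids the tracker did not return are simply absent from the result.
  def refresh_by_id(ids, fetch_batch) when is_function(fetch_batch, 1) do
    by_id =
      ids
      |> Enum.chunk_every(@batch_size)
      |> Enum.flat_map(fetch_batch)
      |> Map.new(fn issue -> {issue.id, issue} end)

    # Re-order by the requested id list rather than by whatever order the
    # per-batch responses came back in.
    Enum.flat_map(ids, fn id ->
      case Map.fetch(by_id, id) do
        {:ok, issue} -> [issue]
        :error -> []
      end
    end)
  end

  # Running ids present in the refreshed set keep running; the rest are stopped
  # (claim released, workspace kept, as the earlier commit describes).
  def reconcile(running_ids, refreshed_issues) do
    returned = MapSet.new(refreshed_issues, & &1.id)
    {keep, stop} = Enum.split_with(running_ids, &MapSet.member?(returned, &1))
    %{keep: keep, stop: stop}
  end
end

# Constructed fake tracker: 120 issues exist, two of the running ones have gone away.
tracker =
  Map.new(1..120, fn n -> {"ISSUE-#{n}", %{id: "ISSUE-#{n}", state: "In Progress"}} end)
  |> Map.drop(["ISSUE-7", "ISSUE-101"])

# Stand-in for the Linear query; it answers in reverse order to show that the
# caller, not the tracker, is responsible for restoring the requested ordering.
fetch_batch = fn batch ->
  batch
  |> Enum.reverse()
  |> Enum.flat_map(fn id ->
    case Map.fetch(tracker, id) do
      {:ok, issue} -> [issue]
      :error -> []
    end
  end)
end

running = Enum.map(1..120, &"ISSUE-#{&1}")
refreshed = IssueRefreshExample.refresh_by_id(running, fetch_batch)
result = IssueRefreshExample.reconcile(running, refreshed)

IO.inspect(length(refreshed), label: "issues returned across three batches")
IO.inspect(Enum.map(refreshed, & &1.id) == running -- result.stop, label: "requested order preserved")
IO.inspect(result.stop, label: "workers to stop (issue no longer returned)")
```

Only `ISSUE-7` and `ISSUE-101` end up in `stop`; a fetch that looked at the first 50 ids alone would have reported ids 51 through 120 as missing and stopped seventy healthy workers, which is the failure the commit's rationale describes.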
Context
Symphony Elixir had a few correctness gaps around retry scheduling, refresh coalescing, workspace path handling, Codex turn policy forwarding, and running-issue refreshes.
TL;DR
Stabilize Symphony Elixir orchestration, workspace safety, and Codex policy passthrough.
Summary
Alternatives
Codex semantics and broke documented policy types.
healthy workers during reconciliation.
Test Plan
make -C elixir all