Skip to content

FE-1111: Reconcile executor agent runner#278

Open
kostandinang wants to merge 7 commits into
ka/fe-1109-cook-sandboxfrom
ka/fe-1111-executor-agent-runner
Open

FE-1111: Reconcile executor agent runner#278
kostandinang wants to merge 7 commits into
ka/fe-1109-cook-sandboxfrom
ka/fe-1111-executor-agent-runner

Conversation

@kostandinang

@kostandinang kostandinang commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Stack Context

Part of the orchestrator-cutover stack after FE-1109 executor sandbox.

What

Reconciles execute_agent_result to the executor agent-runner path.

This PR wires AgentRunnerPort, threads Pi model context into the runner, and adds a sealed worker background agent with bounded read + write_worktree_file authority over the sandbox worktree. It proves the default app-composed runner path and adds executor-agent-runner-witness, a portable faux-provider witness probe that exercises the sealed worker tool call and captures request/result/proof artifacts.

Runner failures fail closed without advancing run metadata.

Verification

npm run verify

kostandinang commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

This stack of pull requests is managed by Graphite. Learn more about stacking.

@kostandinang kostandinang changed the title FE-1111: Inject AgentRunnerPort into execute_agent_result FE-1111: Real cook agent runner Jul 1, 2026
@kostandinang kostandinang changed the title FE-1111: Real cook agent runner FE-1111: Reconcile to executor agent runner Jul 1, 2026
@kostandinang kostandinang force-pushed the ka/fe-1109-cook-sandbox branch from a825f18 to 6c8c072 Compare July 1, 2026 07:48
@kostandinang kostandinang changed the title FE-1111: Reconcile to executor agent runner FE-1111: Reconcile executor agent runner Jul 1, 2026
@kostandinang kostandinang changed the title FE-1111: Reconcile executor agent runner FE-1111: Reconcile to executor agent runner Jul 1, 2026
@kostandinang kostandinang marked this pull request as ready for review July 1, 2026 08:24
@cursor

cursor Bot commented Jul 1, 2026

Copy link
Copy Markdown

PR Summary

Medium Risk
Introduces the orchestrator-cutover LLM execution layer and write-capable subagent tooling; boundaries are tested and fail-closed, but mistakes in grant or path scoping could widen sandbox write authority.

Overview
execute_agent_result no longer ingests prewritten result.json files. It invokes an injected AgentRunnerPort, passes Pi model context from the tool execution context, and only advances run metadata when the runner completes successfully (runner failure → agent_run_failed, no side effects).

The app layer adds createAgentRunnerPort, which launches a registry-owned sealed worker subagent over the sandbox worktree (not elicit-delegatable). The worker gets a new bounded write_worktree_file tool (path-scoped to the worktree cwd) plus read; shell and nesting stay out of the grant.

Pi composition wires the default runner when subagent deps exist; CODE mode loads subagent definitions for executor runs even without dev subagent tooling. Build ships worker.md; SPEC/PLAN mark FE-1111 done and point executor-promotion as next.

Tests and executor-agent-runner-witness prove the port contract, default composition, and faux-provider worktree writes with portable artifacts.

Reviewed by Cursor Bugbot for commit 2777558. Bugbot is set up for automated code reviews on this repo. Configure here.

Comment thread src/app/pi-extensions.ts
Comment thread src/app/agent-runner-port.ts Outdated
@kostandinang kostandinang changed the title FE-1111: Reconcile to executor agent runner FE-1111: Reconcile executor agent runner Jul 1, 2026
@kostandinang kostandinang force-pushed the ka/fe-1111-executor-agent-runner branch from 060809f to 7407ef9 Compare July 1, 2026 08:47
@kostandinang kostandinang changed the base branch from ka/fe-1109-cook-sandbox to graphite-base/278 July 1, 2026 08:54
@kostandinang kostandinang changed the base branch from graphite-base/278 to main July 1, 2026 08:54
@kostandinang kostandinang changed the base branch from main to ka/fe-1109-cook-sandbox July 1, 2026 08:56

@lunelson lunelson left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The sealed worker boundary is clear: bounded worktree tools, no shell, no nested agents, and failure does not advance run metadata.

One follow-up worth tracking: the persisted success result is mostly the worker's final text summary. For later recovery and promotion review, it may help to persist a more inspectable execution record, such as files written or tool-call evidence, alongside the summary. Not blocking this PR, since the authority boundary is already narrow.

@kostandinang kostandinang force-pushed the ka/fe-1109-cook-sandbox branch from 92a6e1d to 3aa05a5 Compare July 1, 2026 16:46
@kostandinang kostandinang force-pushed the ka/fe-1111-executor-agent-runner branch from e929ea4 to 1ec2beb Compare July 1, 2026 16:46
@kostandinang kostandinang force-pushed the ka/fe-1111-executor-agent-runner branch from 1ec2beb to e7de782 Compare July 1, 2026 17:40

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit e7de782. Configure here.

if (target !== root && !target.startsWith(`${root}${sep}`)) {
throw new Error('write_worktree_file path escapes the worktree');
}
return target;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Symlink bypasses worktree write bounds

Medium Severity

write_worktree_file checks paths with lexical resolve only, then writes with writeFile. A relative path under a symlink inside the worktree can still resolve under the worktree root while the write follows the link and lands outside the sandbox.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit e7de782. Configure here.

return {
status: 'completed',
summary: result.text,
};

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Result write failure leaves dirty worktree

Medium Severity

After a successful worker run, a failure while writing result.json throws out of AgentRunnerPort.run. ingestAgentResult then does not advance metadata, but worktree file changes from the worker may already be present, so a retry can re-run the slice on a mutated tree.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit e7de782. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants