@kbediako/codex-orchestrator 0.2.0 → 0.2.1

package/dist/orchestrator/src/cli/rlm/alignment.js

@@ -46,9 +46,9 @@ export const DEFAULT_ALIGNMENT_POLICY = {
         mandatory_turn_window: 20
     },
     route: {
-        sentinel_model: 'gpt-5.4',
-        high_reasoning_model: 'gpt-5.4',
-        arbitration_model: 'gpt-5.4',
+        sentinel_model: 'gpt-5.5',
+        high_reasoning_model: 'gpt-5.5',
+        arbitration_model: 'gpt-5.5',
         high_reasoning_available: true
     }
 };

package/dist/orchestrator/src/cli/services/commandRunner.js

@@ -354,6 +354,8 @@ export async function runCommandStage(context, hooks = {}) {
                 providerLinearWorkerProof = null;
                 providerLinearWorkerProofRecord = null;
             }
+            manifest.provider_linear_worker_tokens =
+                buildProviderLinearWorkerManifestTokenUsage(providerLinearWorkerProof?.tokens) ?? null;
             if (result.status === 'succeeded' && providerLinearWorkerProofRecord === null) {
                 providerLinearWorkerFailureReason = 'provider_linear_worker_proof_missing_or_unreadable';
                 effectiveSummary = buildProviderLinearWorkerTerminalSummary({
@@ -773,6 +775,35 @@ async function loadProviderLinearWorkerProof(proofPath) {
         return null;
     }
 }
+function buildProviderLinearWorkerManifestTokenUsage(tokens) {
+    if (!tokens || typeof tokens !== 'object') {
+        return null;
+    }
+    const inputTokens = normalizeManifestTokenCount(tokens.input_tokens);
+    const outputTokens = normalizeManifestTokenCount(tokens.output_tokens);
+    const totalTokens = normalizeManifestTokenCount(tokens.total_tokens);
+    const reasoningOutputTokens = normalizeManifestTokenCount(tokens.reasoning_output_tokens);
+    if (inputTokens === null &&
+        outputTokens === null &&
+        totalTokens === null &&
+        reasoningOutputTokens === null) {
+        return null;
+    }
+    const usage = {
+        input_tokens: inputTokens,
+        output_tokens: outputTokens,
+        total_tokens: totalTokens
+    };
+    if (reasoningOutputTokens !== null) {
+        usage.reasoning_output_tokens = reasoningOutputTokens;
+    }
+    return usage;
+}
+function normalizeManifestTokenCount(value) {
+    return typeof value === 'number' && Number.isFinite(value)
+        ? Math.max(0, Math.trunc(value))
+        : null;
+}
 function coerceTelemetryString(value) {
     if (typeof value !== 'string') {
         return null;

package/dist/orchestrator/src/cli/utils/cloudPreflight.js

@@ -2,14 +2,32 @@ import process from 'node:process';
 import { spawn } from 'node:child_process';
 import { fingerprintAuthProvenanceValue } from './authProvenanceFingerprint.js';
 import { resolveCodexCliBin } from './codexCli.js';
+function formatCommandSpawnError(error) {
+    if (error instanceof Error) {
+        const errno = error;
+        const code = typeof errno.code === 'string' ? errno.code : null;
+        if (code && !error.message.includes(code)) {
+            return `${code}: ${error.message}`;
+        }
+        return error.message;
+    }
+    return String(error);
+}
 function runCommand(command, args, options) {
     const timeoutMs = options.timeoutMs ?? 10_000;
     return new Promise((resolve) => {
-        const child = spawn(command, args, {
-            cwd: options.cwd,
-            env: options.env,
-            stdio: ['ignore', 'pipe', 'pipe']
-        });
+        let child;
+        try {
+            child = spawn(command, args, {
+                cwd: options.cwd,
+                env: options.env,
+                stdio: ['ignore', 'pipe', 'pipe']
+            });
+        }
+        catch (error) {
+            resolve({ exitCode: 1, stdout: '', stderr: formatCommandSpawnError(error) });
+            return;
+        }
         let stdout = '';
         let stderr = '';
         let settled = false;
@@ -39,7 +57,7 @@ function runCommand(command, args, options) {
             }
             settled = true;
             clearTimeout(timer);
-            resolve({ exitCode: 1, stdout, stderr: `${stderr}\n${error.message}`.trim() });
+            resolve({ exitCode: 1, stdout, stderr: `${stderr}\n${formatCommandSpawnError(error)}`.trim() });
         });
         child.once('close', (code) => {
             if (settled) {
@@ -62,6 +80,169 @@ function normalizeCloudPreflightRequestValue(raw) {
     const trimmed = String(raw ?? '').trim();
     return trimmed.length > 0 ? trimmed : null;
 }
+function readCloudPreflightCommandOutput(result) {
+    const output = [result.stderr, result.stdout]
+        .map((value) => value.trim())
+        .filter((value) => value.length > 0)
+        .join(' ')
+        .replace(/\s+/gu, ' ')
+        .trim();
+    return output || 'no output';
+}
+function readCloudPreflightErrorOutput(result) {
+    const output = result.stderr.trim().replace(/\s+/gu, ' ');
+    return output || 'no output';
+}
+function compactCloudPreflightOutput(output) {
+    return output.length > 500 ? `${output.slice(0, 497)}...` : output;
+}
+function redactCloudPreflightOutput(output) {
+    return output
+        .replace(/\b(?:authorization|bearer)\s*[:=]\s*bearer\s+[^\s,;]+/giu, 'authorization: Bearer <redacted>')
+        .replace(/\bbearer\s+[A-Za-z0-9._~+/-]{10,}/giu, 'Bearer <redacted>')
+        .replace(/\b(?:sk|sess|eyJ)[A-Za-z0-9._~+/-]{12,}/gu, '<redacted-token>')
+        .replace(/\b(?:CODEX|OPENAI|CHATGPT|GITHUB|GH)_[A-Z0-9_]*(?:API_KEY|AUTH_TOKEN|ACCESS_TOKEN|REFRESH_TOKEN|TOKEN|SECRET|PASSWORD)\s*=\s*[^\s,;]+/gu, (match) => `${match.split('=')[0] ?? 'secret'}=<redacted>`)
+        .replace(/\b(?:api[_ -]?key|auth[_ -]?token|access[_ -]?token|refresh[_ -]?token|bearer[_ -]?token|password|secret|credential)\s*[:=]\s*[^\s,;]+/giu, (match) => `${match.split(/[:=]/u)[0]?.trim() ?? 'secret'}=<redacted>`)
+        .replace(/\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/giu, '<redacted-email>');
+}
+function compactCloudPreflightCommandOutput(result) {
+    return compactCloudPreflightOutput(redactCloudPreflightOutput(readCloudPreflightCommandOutput(result)));
+}
+function escapeRegExpLiteral(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/gu, '\\$&');
+}
+function isEnvironmentNotFoundSignal(signal, environmentId) {
+    const normalized = signal.toLowerCase();
+    const normalizedEnvironmentId = environmentId.toLowerCase();
+    if (normalized.includes('environment_not_found')) {
+        return true;
+    }
+    const escapedEnvironmentId = escapeRegExpLiteral(normalizedEnvironmentId);
+    return new RegExp(`\\benvironment\\s+(?:(["'])${escapedEnvironmentId}\\1|${escapedEnvironmentId})\\s+not\\s+found\\b`, 'u').test(normalized);
+}
+function maskCloudPreflightEnvironmentIdentifierValues(signal) {
+    return signal
+        .toLowerCase()
+        .replace(/\benvironment\s+(?:['"][^'"]+['"]|[^\s'"]+)\s+not\s+found\b/gu, 'environment <env-id> not found')
+        .replace(/\bcodex_cloud_env_id\s+(?:['"][^'"]+['"]|[^\s'"]+)/gu, 'codex_cloud_env_id <env-id>')
+        .replace(/\bcodex cloud env id\s+(?:['"][^'"]+['"]|[^\s'"]+)/gu, 'codex cloud env id <env-id>');
+}
+function hasWrappedEnvironmentProbeUnavailableSignal(signal) {
+    const normalized = maskCloudPreflightEnvironmentIdentifierValues(signal);
+    return (/\b(?:missing[_ -]github[_ -]connector[_ -]link|github connection not found|github connector not found)\b/u.test(normalized) ||
+        /\b(?:cloud denial|cloud-denial|cloud_denial|cloud denied|not allowed in cloud|cloud access denied|cloud execution denied)\b/u.test(normalized) ||
+        /\b(?:forbidden|unauthorized|not logged in|login required|active account|active profile|account mismatch|profile mismatch|invalid token|expired token|token expired|missing token|token missing|api key|auth token|access token|refresh token|bearer token)\b/u.test(normalized) ||
+        /\b(?:rate limit|rate-limit|rate_limited|rate_limit_exceeded|quota|too many requests|usage limit|usage_limit_reached)\b/u.test(normalized) ||
+        /\b(?:enotfound|econn|network|timed out|timeout|502|503|504|bad gateway|service unavailable|gateway timeout)\b/u.test(normalized));
+}
+function buildEnvironmentProbeIssue(environmentId, result) {
+    const fullDetail = readCloudPreflightCommandOutput(result);
+    const detail = compactCloudPreflightCommandOutput(result);
+    if (isEnvironmentNotFoundSignal(fullDetail, environmentId) &&
+        !hasWrappedEnvironmentProbeUnavailableSignal(fullDetail)) {
+        return {
+            code: 'environment_not_found',
+            message: `Configured CODEX_CLOUD_ENV_ID '${environmentId}' is not visible to codex cloud before codex cloud exec: ${detail}`
+        };
+    }
+    return {
+        code: 'environment_unavailable',
+        message: `Configured CODEX_CLOUD_ENV_ID '${environmentId}' could not be verified by codex cloud before codex cloud exec: ${detail}`
+    };
+}
+function tryParseCloudListJson(stdout) {
+    const trimmed = stdout.trim();
+    if (!trimmed) {
+        return null;
+    }
+    try {
+        return JSON.parse(trimmed);
+    }
+    catch {
+        return null;
+    }
+}
+function readCloudListTasks(payload) {
+    if (!payload || typeof payload !== 'object' || Array.isArray(payload)) {
+        return null;
+    }
+    const record = payload;
+    return Array.isArray(record.tasks) ? record.tasks : null;
+}
+function readCloudListTaskEnvironmentIdentities(task) {
+    if (!task || typeof task !== 'object') {
+        return [];
+    }
+    const record = task;
+    const identities = [];
+    for (const key of ['environment_id', 'environmentId', 'cloud_environment_id', 'cloudEnvId']) {
+        const value = normalizeCloudPreflightRequestValue(record[key]);
+        if (value) {
+            identities.push(value);
+        }
+    }
+    for (const key of ['environment_label', 'environmentLabel']) {
+        const value = normalizeCloudPreflightRequestValue(record[key]);
+        if (value) {
+            identities.push(value);
+        }
+    }
+    const environment = record.environment;
+    if (environment && typeof environment === 'object') {
+        const environmentRecord = environment;
+        for (const key of ['id', 'environment_id', 'environmentId', 'cloud_environment_id', 'cloudEnvId']) {
+            const value = normalizeCloudPreflightRequestValue(environmentRecord[key]);
+            if (value) {
+                identities.push(value);
+            }
+        }
+        for (const key of ['label', 'environment_label', 'environmentLabel']) {
+            const value = normalizeCloudPreflightRequestValue(environmentRecord[key]);
+            if (value) {
+                identities.push(value);
+            }
+        }
+    }
+    return [...new Set(identities)];
+}
+function normalizeCloudEnvironmentIdentity(value) {
+    return value.trim().toLowerCase();
+}
+function buildEnvironmentProbePayloadIssue(environmentId, detail) {
+    const safeDetail = compactCloudPreflightOutput(redactCloudPreflightOutput(detail));
+    return {
+        code: 'environment_unavailable',
+        message: `Configured CODEX_CLOUD_ENV_ID '${environmentId}' could not be verified by codex cloud before codex cloud exec: ${safeDetail}`
+    };
+}
+function inspectSuccessfulEnvironmentProbe(environmentId, result) {
+    const stderrDetail = readCloudPreflightErrorOutput(result);
+    if (isEnvironmentNotFoundSignal(stderrDetail, environmentId)) {
+        return buildEnvironmentProbeIssue(environmentId, {
+            ...result,
+            stdout: ''
+        });
+    }
+    const payload = tryParseCloudListJson(result.stdout);
+    const tasks = readCloudListTasks(payload);
+    if (!tasks) {
+        return buildEnvironmentProbePayloadIssue(environmentId, `unexpected codex cloud list JSON payload: ${compactCloudPreflightOutput(result.stdout.trim() || 'no output')}`);
+    }
+    const taskEnvironmentIdentities = tasks.map((task) => readCloudListTaskEnvironmentIdentities(task));
+    const normalizedEnvironmentId = normalizeCloudEnvironmentIdentity(environmentId);
+    if (taskEnvironmentIdentities.some((identities) => identities.length === 0)) {
+        return buildEnvironmentProbePayloadIssue(environmentId, 'codex cloud list returned task rows without an environment identity');
+    }
+    const mismatchedEnvironmentIds = taskEnvironmentIdentities
+        .filter((identities) => !identities.some((identity) => normalizeCloudEnvironmentIdentity(identity) === normalizedEnvironmentId))
+        .flat();
+    if (mismatchedEnvironmentIds.length > 0) {
+        return buildEnvironmentProbePayloadIssue(environmentId, `codex cloud list returned task rows for a different environment identity: ${[
+            ...new Set(mismatchedEnvironmentIds)
+        ].join(', ')}`);
+    }
+    return null;
+}
 function readFirstCloudPreflightEnvValue(env, keys) {
     if (!env) {
         return null;
@@ -151,6 +332,21 @@ export async function runCloudPreflight(params) {
             message: `Codex CLI is unavailable (${params.codexBin} --version failed).`
         });
     }
+    if (params.environmentId && codexCheck.exitCode === 0) {
+        const environmentCheck = await runCommand(params.codexBin, ['cloud', 'list', '--env', params.environmentId, '--limit', '1', '--json'], {
+            cwd: params.repoRoot,
+            env: params.env
+        });
+        if (environmentCheck.exitCode !== 0) {
+            issues.push(buildEnvironmentProbeIssue(params.environmentId, environmentCheck));
+        }
+        else {
+            const environmentProbeIssue = inspectSuccessfulEnvironmentProbe(params.environmentId, environmentCheck);
+            if (environmentProbeIssue) {
+                issues.push(environmentProbeIssue);
+            }
+        }
+    }
     if (branch) {
         const gitCheck = await runCommand('git', ['--version'], { cwd: params.repoRoot, env: params.env });
         if (gitCheck.exitCode !== 0) {

package/dist/orchestrator/src/cli/utils/codexFeatures.js

@@ -0,0 +1,60 @@
+import { spawnSync } from 'node:child_process';
+export function readCodexFeatureProbe(codexBin, env = process.env) {
+    const result = spawnSync(codexBin, ['features', 'list'], {
+        encoding: 'utf8',
+        env,
+        stdio: ['ignore', 'pipe', 'pipe'],
+        timeout: 5000
+    });
+    const stderr = String(result.stderr ?? '');
+    if (result.error || result.status !== 0) {
+        return {
+            flags: null,
+            stderr,
+            error: result.error
+                ? result.error.message
+                : `codex features list exited with status ${result.status ?? '<unknown>'}`,
+            status: result.status
+        };
+    }
+    const stdout = String(result.stdout ?? '');
+    return {
+        flags: parseFeatureFlagsFromText(stdout),
+        stderr,
+        error: null,
+        status: result.status
+    };
+}
+export function codexFeatureProbeRejectsAgentMaxThreads(probe) {
+    const text = `${probe.error ?? ''}\n${probe.stderr}`.toLowerCase();
+    const mentionsMaxThreads = /\bagents\.max_threads\b/u.test(text) || /\bmax[_\s-]?threads\b/u.test(text);
+    return mentionsMaxThreads && /\bmulti_agent_v2\b/u.test(text);
+}
+export function codexFeatureProbeDisablesMultiAgentV2(probe) {
+    return probe.flags?.multi_agent_v2 === false;
+}
+function parseFeatureFlagsFromText(stdout) {
+    const flags = {};
+    for (const line of stdout.split(/\r?\n/u)) {
+        const trimmed = line.trim();
+        if (!trimmed) {
+            continue;
+        }
+        const tokens = trimmed.split(/\s+/u);
+        if (tokens.length < 2) {
+            continue;
+        }
+        const name = tokens[0] ?? '';
+        const enabledToken = tokens[tokens.length - 1] ?? '';
+        if (!name) {
+            continue;
+        }
+        if (enabledToken === 'true') {
+            flags[name] = true;
+        }
+        else if (enabledToken === 'false') {
+            flags[name] = false;
+        }
+    }
+    return flags;
+}

package/dist/orchestrator/src/manager.js

@@ -160,7 +160,7 @@ export class TaskManager {
         const build = await this.executeBuilder(task, plan, target, mode, runId);
         if (!build.success) {
             const skippedTest = this.createSkippedTestResult(build, runId);
-            const skippedReview = this.createSkippedReviewResult('build-failed');
+            const skippedReview = this.createSkippedReviewResult('build-failed', build);
             const summary = this.createRunSummary(task, mode, plan, build, skippedTest, skippedReview, runId);
             return { target, mode, build, test: skippedTest, review: skippedReview, summary };
         }
@@ -239,13 +239,27 @@ export class TaskManager {
             runId
         };
     }
-    createSkippedReviewResult(reason) {
+    createSkippedReviewResult(reason, build) {
         if (reason === 'build-failed') {
+            const prerequisiteStage = this.extractFailedPrerequisiteStage(build);
+            if (prerequisiteStage) {
+                const artifactPath = this.findFailedStageArtifactPath(build);
+                const artifactFeedback = artifactPath ? ` Error artifact: ${artifactPath}.` : '';
+                return {
+                    summary: `Review skipped: prerequisite stage \`${prerequisiteStage}\` failed.`,
+                    decision: {
+                        approved: false,
+                        feedback: `Prerequisite stage \`${prerequisiteStage}\` failed; review skipped.${artifactFeedback}`
+                    }
+                };
+            }
+            const artifactPath = this.findFailedStageArtifactPath(build);
+            const artifactFeedback = artifactPath ? ` Error artifact: ${artifactPath}.` : '';
             return {
                 summary: 'Review skipped: build stage failed.',
                 decision: {
                     approved: false,
-                    feedback: 'Build stage failed; review skipped.'
+                    feedback: `Build stage failed; review skipped.${artifactFeedback}`
                 }
             };
         }
@@ -257,6 +271,62 @@ export class TaskManager {
             }
         };
     }
+    extractFailedPrerequisiteStage(build) {
+        const stage = build?.failureStage?.trim();
+        const canonicalStage = stage?.toLowerCase();
+        if (!stage || (canonicalStage != null && ['build', 'test', 'review'].includes(canonicalStage))) {
+            return null;
+        }
+        return stage;
+    }
+    findFailedStageArtifactPath(build) {
+        if (build?.failureArtifactPath) {
+            return build.failureArtifactPath;
+        }
+        const failureStage = build?.failureStage?.trim().toLowerCase();
+        if (!failureStage) {
+            return null;
+        }
+        if (['build', 'test', 'review'].includes(failureStage)) {
+            return null;
+        }
+        const stagePathToken = failureStage.replace(/[^a-z0-9]+/g, '-').replace(/^-|-$/g, '');
+        const stageArtifact = build?.artifacts.find((candidate) => {
+            const normalizedPath = candidate.path.replace(/\\/g, '/').toLowerCase();
+            const isErrorArtifact = normalizedPath.startsWith('errors/') ||
+                normalizedPath.includes('/errors/') ||
+                /\berror\b/i.test(candidate.description);
+            if (!isErrorArtifact) {
+                return false;
+            }
+            return this.artifactMatchesFailedStage(candidate, failureStage, stagePathToken);
+        });
+        return stageArtifact?.path ?? null;
+    }
+    artifactMatchesFailedStage(candidate, failureStage, stagePathToken) {
+        const normalizedDescription = candidate.description.toLowerCase();
+        const parentheticalStages = [...normalizedDescription.matchAll(/\(([^)]+)\)/g)]
+            .map((match) => match[1]?.trim() ?? '')
+            .filter(Boolean);
+        if (parentheticalStages.some((stage) => this.stageTokenMatches(stage, failureStage, stagePathToken))) {
+            return true;
+        }
+        const normalizedPath = candidate.path.replace(/\\/g, '/').toLowerCase();
+        return normalizedPath
+            .split('/')
+            .map((segment) => segment.replace(/\.[^.]+$/, '').replace(/^\d+-/, ''))
+            .some((segment) => this.stageTokenMatches(segment, failureStage, stagePathToken));
+    }
+    stageTokenMatches(candidate, failureStage, stagePathToken) {
+        if (candidate === failureStage) {
+            return true;
+        }
+        if (!stagePathToken) {
+            return false;
+        }
+        const candidatePathToken = candidate.replace(/[^a-z0-9]+/g, '-').replace(/^-|-$/g, '');
+        return candidatePathToken === stagePathToken;
+    }
     async executePlanner(task, runId) {
         try {
             const plan = await this.options.planner.plan(task);
@@ -335,7 +405,7 @@ export class TaskManager {
         const cause = error ?? new Error('Planner stage failed without an error payload');
         const build = this.createBuilderErrorResult('planner-unavailable', mode, runId, cause);
         const skippedTest = this.createSkippedTestResult(build, runId);
-        const skippedReview = this.createSkippedReviewResult('build-failed');
+        const skippedReview = this.createSkippedReviewResult('build-failed', build);
         const summary = this.createRunSummary(task, mode, plan, build, skippedTest, skippedReview, runId);
         this.eventBus.emit({ type: 'run:completed', payload: summary });
         return summary;

package/dist/scripts/lib/docs-catalog.js

@@ -266,6 +266,7 @@ export async function readCurrentCodexPosture(repoRoot, policy = {}) {
         return {
             source_path: '',
             cli_version: null,
+            cli_compatibility_versions: [],
             model: null,
             default_runtime: null,
             explorer_fast_model: null,
@@ -278,15 +279,48 @@ export async function readCurrentCodexPosture(repoRoot, policy = {}) {
         /delegated subagent and review surfaces on [^;\n]*; `([^`]+)` is currently unsupported there/i.exec(content)?.[1] ??
         /delegated(?: subagent)?(?: and|\/) review surfaces on [^\n]* validates `([^`]+)`/i.exec(content)?.[1] ??
         null;
+    const cliVersion = /Codex CLI\s+\(?`?([0-9]+\.[0-9]+\.[0-9]+)`?\)?/.exec(content)?.[1] ?? null;
     return {
         source_path: sourcePath,
-        cli_version: /Codex CLI\s+\(?`?([0-9]+\.[0-9]+\.[0-9]+)`?\)?/.exec(content)?.[1] ?? null,
+        cli_version: cliVersion,
+        cli_compatibility_versions: extractAllowedCliCompatibilityVersions(content, cliVersion),
         model: /Current model posture(?: is|:)\s*`([^`]+)`/i.exec(content)?.[1] ?? null,
         default_runtime: /Local ([A-Za-z0-9_-]+) remains the expected default runtime path/.exec(content)?.[1] ?? null,
         explorer_fast_model: /explorer_fast[^\n]*`(gpt-[^`]+)`/i.exec(content)?.[1] ?? null,
         unsupported_review_model: unsupportedReviewModel
     };
 }
+function extractAllowedCliCompatibilityVersions(content, currentCliVersion) {
+    const versions = new Set();
+    const scanContent = extractCurrentPostureContent(content);
+    for (const line of scanContent.split(/\r?\n/)) {
+        if (!/compatibility/i.test(line) ||
+            !/(separately\s+rebaselined|downstream-smoke|release-facing)/i.test(line)) {
+            continue;
+        }
+        for (const version of extractCodexCliVersionMentions(line)) {
+            if (version !== currentCliVersion) {
+                versions.add(version);
+            }
+        }
+    }
+    return [...versions].sort();
+}
+function extractCurrentPostureContent(content) {
+    const lines = content.split(/\r?\n/);
+    const startIndex = lines.findIndex((line) => /^##\s+Current Posture\b/i.test(line.trim()));
+    if (startIndex === -1) {
+        return '';
+    }
+    const sectionLines = [];
+    for (const line of lines.slice(startIndex + 1)) {
+        if (/^##\s+/.test(line.trim())) {
+            break;
+        }
+        sectionLines.push(line);
+    }
+    return sectionLines.join('\n');
+}
 export function extractCodexCliVersionMentions(content) {
     const results = new Set();
     const patterns = [