@open-agent-toolkit/cli 0.1.48 → 0.1.51
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/assets/agents/oat-phase-implementer.md +16 -5
- package/assets/docs/cli-utilities/configuration.md +41 -0
- package/assets/docs/cli-utilities/workflow-gates.md +18 -1
- package/assets/docs/provider-sync/commands.md +29 -1
- package/assets/docs/provider-sync/providers.md +18 -5
- package/assets/docs/provider-sync/scope-and-surface.md +13 -0
- package/assets/docs/workflows/projects/dispatch-ceiling.md +59 -7
- package/assets/docs/workflows/projects/implementation-execution.md +63 -3
- package/assets/docs/workflows/projects/reviews.md +18 -1
- package/assets/public-package-versions.json +4 -4
- package/assets/skills/oat-agent-instructions-analyze/references/docs/provider-reference.md +8 -2
- package/assets/skills/oat-agent-instructions-apply/references/docs/provider-reference.md +8 -2
- package/assets/skills/oat-project-implement/SKILL.md +141 -59
- package/assets/skills/oat-project-review-provide/SKILL.md +44 -10
- package/assets/skills/oat-project-review-provide-remote/SKILL.md +28 -1
- package/dist/commands/config/index.d.ts +3 -0
- package/dist/commands/config/index.d.ts.map +1 -1
- package/dist/commands/config/index.js +70 -128
- package/dist/commands/doctor/index.d.ts +3 -0
- package/dist/commands/doctor/index.d.ts.map +1 -1
- package/dist/commands/doctor/index.js +205 -195
- package/dist/commands/gate/index.d.ts.map +1 -1
- package/dist/commands/gate/index.js +72 -1
- package/dist/commands/project/dispatch-ceiling/index.d.ts.map +1 -1
- package/dist/commands/project/dispatch-ceiling/index.js +224 -112
- package/dist/commands/providers/codex/materialize.d.ts.map +1 -1
- package/dist/commands/providers/codex/materialize.js +31 -15
- package/dist/config/dispatch-matrix.d.ts +59 -0
- package/dist/config/dispatch-matrix.d.ts.map +1 -0
- package/dist/config/dispatch-matrix.js +264 -0
- package/dist/config/oat-config.d.ts +2 -28
- package/dist/config/oat-config.d.ts.map +1 -1
- package/dist/config/oat-config.js +8 -144
- package/dist/config/resolve.d.ts.map +1 -1
- package/dist/config/resolve.js +2 -1
- package/dist/providers/codex/codec/config-merge.d.ts +8 -2
- package/dist/providers/codex/codec/config-merge.d.ts.map +1 -1
- package/dist/providers/codex/codec/config-merge.js +17 -2
- package/dist/providers/codex/codec/sync-extension.d.ts.map +1 -1
- package/dist/providers/codex/codec/sync-extension.js +14 -4
- package/dist/providers/identity/availability.d.ts +12 -0
- package/dist/providers/identity/availability.d.ts.map +1 -1
- package/dist/providers/identity/availability.js +72 -29
- package/dist/providers/identity/dispatch-report.d.ts +124 -0
- package/dist/providers/identity/dispatch-report.d.ts.map +1 -0
- package/dist/providers/identity/dispatch-report.js +285 -0
- package/dist/providers/identity/dispatch-validation.d.ts +28 -0
- package/dist/providers/identity/dispatch-validation.d.ts.map +1 -0
- package/dist/providers/identity/dispatch-validation.js +149 -0
- package/dist/providers/identity/stamp.d.ts +2 -0
- package/dist/providers/identity/stamp.d.ts.map +1 -1
- package/dist/providers/identity/stamp.js +3 -1
- package/package.json +2 -2
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: oat-phase-implementer
|
|
3
|
-
version: 1.0.
|
|
3
|
+
version: 1.0.5
|
|
4
4
|
description: Acts as a phase coordinator that dispatches one exact target-pinned task worker at a time, or executes exactly one bounded Task Scope when dispatched as a worker. Used by oat-project-implement.
|
|
5
5
|
tools: Read, Write, Edit, Bash, Grep, Glob, Task
|
|
6
6
|
color: cyan
|
|
@@ -148,10 +148,12 @@ downgrade for a managed task.
|
|
|
148
148
|
|
|
149
149
|
#### 4. Build the Exact Invocation Before Logging
|
|
150
150
|
|
|
151
|
-
- Codex: use `providers.codex.dispatchArgs.variant` as the actual `agent_type
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
151
|
+
- Codex: use `providers.codex.dispatchArgs.variant` as the actual `agent_type`
|
|
152
|
+
and attempt the exact materialized `agent_type` first. Only explicit
|
|
153
|
+
pre-start native role-selection rejection of that exact `agent_type`, before
|
|
154
|
+
any child starts, permits a fresh pinned fallback: launch a fresh Codex child
|
|
155
|
+
pinned to `selection.target.model` and `selection.target.effort` with these
|
|
156
|
+
canonical instructions and the Task Scope. If neither exact route is
|
|
155
157
|
available, block.
|
|
156
158
|
- Claude: pass `providers.claude.dispatchArgs.model` as the actual Task `model`.
|
|
157
159
|
- Cursor: pass `providers.cursor.dispatchArgs.model` byte-for-byte as the actual
|
|
@@ -163,6 +165,15 @@ transient retry must reuse the same exact role/model/effort payload. A
|
|
|
163
165
|
substantive escalation must re-resolve another configured candidate without
|
|
164
166
|
exceeding the same named maximum.
|
|
165
167
|
|
|
168
|
+
The launcher-owned `target`, `model_axis`, and `effort_axis` come only from the
|
|
169
|
+
resolver output and constructed invocation payload. They are immutable and
|
|
170
|
+
must not be populated, replaced, or contradicted by worker self-report. Spawn
|
|
171
|
+
acceptance confirms that configured invocation; worker output is only task
|
|
172
|
+
outcome data. Missing telemetry, missing self-report, and accepted terminal
|
|
173
|
+
results including `BLOCKED` never trigger fallback. Once a child starts, every
|
|
174
|
+
terminal result is authoritative for that attempt and is not native
|
|
175
|
+
role-selection rejection.
|
|
176
|
+
|
|
166
177
|
#### 5. Dispatch and Verify Serially
|
|
167
178
|
|
|
168
179
|
Run one exact task worker at a time, serially in the same worktree:
|
|
@@ -381,6 +381,47 @@ has verified equivalent current-host controls for explicit inherit,
|
|
|
381
381
|
managed-uncapped, or base-role behavior. Capped managed reviews still require
|
|
382
382
|
the exact registered role, pinned child, or resolver-returned model argument.
|
|
383
383
|
|
|
384
|
+
### Cursor validation pass and live evidence
|
|
385
|
+
|
|
386
|
+
Config adoption and doctor validate Cursor candidates with one command-scoped
|
|
387
|
+
pass context. Duplicate references to the same byte-for-byte candidate share
|
|
388
|
+
one Task/subagent probe. If a decisive probe is unavailable, the pass resolves
|
|
389
|
+
the broad catalog once, with at most one `--list-models` fallback. The cache
|
|
390
|
+
ends with that adopt or doctor command; it is not process-global and has no
|
|
391
|
+
TTL.
|
|
392
|
+
|
|
393
|
+
A correlated Task start/completion pair that preserves the exact model argument
|
|
394
|
+
and returns the sentinel establishes that the argument is eligible for that
|
|
395
|
+
account and client. A structured rejection or exact allow-list exclusion can
|
|
396
|
+
establish `unknown-value`. Neither result identifies the backend runtime model:
|
|
397
|
+
`runtimeIdentity` remains `not-reported` unless trusted Cursor telemetry or
|
|
398
|
+
Cursor support confirms it. Parent prose and broad catalog presence are
|
|
399
|
+
diagnostic-only, so OAT preserves `unvalidated` when launcher evidence is
|
|
400
|
+
absent instead of inferring capability from candidate spelling.
|
|
401
|
+
|
|
402
|
+
The [dated GPT-5.6 Cursor verification evidence](https://github.com/voxmedia/open-agent-toolkit/blob/main/.oat/repo/reference/project-summaries/20260711-cursor-gpt-5-6-subagent-verification.md)
|
|
403
|
+
preserves the original text-mode pass and a versioned stream-JSON second pass.
|
|
404
|
+
The second pass ran a dynamic positive control and deliberate invalid control
|
|
405
|
+
before candidates. Both parent runs completed without a Task event, making the
|
|
406
|
+
controls inconclusive; the stop rule therefore executed zero of the 13
|
|
407
|
+
recommended candidates and did not execute exploratory
|
|
408
|
+
`gpt-5.6-sol-high-fast`. The recommendation remains unchanged and candidate
|
|
409
|
+
eligibility remains unresolved.
|
|
410
|
+
|
|
411
|
+
The tracked artifact's structured second-pass block contains only allowlisted
|
|
412
|
+
event structure, derived outcomes, sanitized auth-presence context, and
|
|
413
|
+
non-reversible identifier hashes. Exact request/session/tool-call IDs and
|
|
414
|
+
credential-redacted unprojected streams from that pass stay under gitignored
|
|
415
|
+
`.oat/projects/local/` storage for possible Cursor support diagnosis.
|
|
416
|
+
|
|
417
|
+
The same public artifact intentionally retains the sanitized historical v1
|
|
418
|
+
text-mode record for provenance. That older section includes command arguments
|
|
419
|
+
and prompts, stdout and stderr, exit and duration data, and capture-environment
|
|
420
|
+
details such as user-specific binary paths; it is not limited to the structured
|
|
421
|
+
second-pass allowlist. Re-run after a Cursor client rollout exposes Task in
|
|
422
|
+
headless mode or Cursor support confirms the private requests; review the open
|
|
423
|
+
verification item by 2026-08-08.
|
|
424
|
+
|
|
384
425
|
### Legacy compatibility
|
|
385
426
|
|
|
386
427
|
The command and docs path retain `dispatch-ceiling` for compatibility. Legacy
|
|
@@ -94,6 +94,23 @@ model that ran, and the reviewer must not replace them with self-identification.
|
|
|
94
94
|
The CLI compares the copied values with its gate-owned record before it applies
|
|
95
95
|
the severity threshold.
|
|
96
96
|
|
|
97
|
+
### Gate dispatch report semantics
|
|
98
|
+
|
|
99
|
+
When gate dispatch is represented in a `DispatchReportV1`, consumers require
|
|
100
|
+
`schemaVersion: 1` and keep three facts independent:
|
|
101
|
+
|
|
102
|
+
- `gateInvocation` is the immutable configured run ID, target, runtime, model,
|
|
103
|
+
reasoning effort, and source.
|
|
104
|
+
- `runtimeIdentity` is observed or otherwise supported producer identity; it is
|
|
105
|
+
`not-reported` when no runtime evidence exists.
|
|
106
|
+
- gate `diversity` describes producer/reviewer routing and achieved separation;
|
|
107
|
+
it does not overwrite either configured invocation or runtime identity.
|
|
108
|
+
|
|
109
|
+
Configured target values, requested controls, producer stamps, and reviewer
|
|
110
|
+
self-report are not interchangeable. The human report is rendered from the
|
|
111
|
+
versioned object, and any parseable `Dispatch:` compatibility line is derived
|
|
112
|
+
from that same report rather than rebuilt from target IDs or model names.
|
|
113
|
+
|
|
97
114
|
### Review project resolution and corroboration
|
|
98
115
|
|
|
99
116
|
`--project <path-or-name>` is a declaration. OAT normalizes the declared path
|
|
@@ -501,7 +518,7 @@ Gate failure behavior is owned by the gate-aware skill:
|
|
|
501
518
|
available target. Once a target actually runs, its exit code is the gate result;
|
|
502
519
|
OAT does not try another target after a failed review.
|
|
503
520
|
|
|
504
|
-
Gate target execution has a child-process timeout (default
|
|
521
|
+
Gate target execution has a child-process timeout (default 15 minutes, override
|
|
505
522
|
with `OAT_GATE_EXEC_TIMEOUT_MS`). When a review target times out, JSON output
|
|
506
523
|
reports `status: review_failed`, `outcome: review_did_not_complete`,
|
|
507
524
|
`timedOut: true`, and the timeout value so automation can distinguish a hung
|
|
@@ -21,7 +21,7 @@ These command definitions inherit the cross-cutting CLI conventions in:
|
|
|
21
21
|
|
|
22
22
|
- What it does: defines the day-to-day provider-sync command surface for inspecting state, reconciling provider views, and changing provider enablement.
|
|
23
23
|
- When to use it: after you have canonical assets in place and need to check sync state, write provider views, or change provider config.
|
|
24
|
-
- Primary commands: `oat status`, `oat sync`, `oat providers list`, `oat providers inspect`, `oat providers set`
|
|
24
|
+
- Primary commands: `oat status`, `oat sync`, `oat providers list`, `oat providers inspect`, `oat providers set`, `oat providers codex materialize`
|
|
25
25
|
|
|
26
26
|
## `oat status`
|
|
27
27
|
|
|
@@ -71,6 +71,34 @@ Key behavior:
|
|
|
71
71
|
- Options: `--enabled <providers>`, `--disabled <providers>` (comma-separated)
|
|
72
72
|
- Changes take effect on next `oat sync`
|
|
73
73
|
|
|
74
|
+
## `oat providers codex materialize`
|
|
75
|
+
|
|
76
|
+
Purpose:
|
|
77
|
+
|
|
78
|
+
- Materialize one canonical Markdown agent as a Codex TOML role and register it
|
|
79
|
+
in Codex configuration
|
|
80
|
+
|
|
81
|
+
Required operands:
|
|
82
|
+
|
|
83
|
+
```bash
|
|
84
|
+
oat providers codex materialize <agent-name> \
|
|
85
|
+
--model <model-id> \
|
|
86
|
+
--effort <reasoning-effort>
|
|
87
|
+
```
|
|
88
|
+
|
|
89
|
+
Key behavior:
|
|
90
|
+
|
|
91
|
+
- Project scope is the default and writes only `.codex/config.toml` plus the
|
|
92
|
+
project role file; `--scope user` writes only under `~/.codex`
|
|
93
|
+
- `--agent-path` selects a specific canonical agent and `--role-name` overrides
|
|
94
|
+
the generated role name
|
|
95
|
+
- Managed role registration enables multi-agent support and merges an
|
|
96
|
+
`agents.max_depth` floor of `2`
|
|
97
|
+
- Project writes preserve a higher existing project depth or inherited user
|
|
98
|
+
depth without mutating user configuration; user writes do not inspect or
|
|
99
|
+
mutate project configuration
|
|
100
|
+
- Existing unrelated Codex configuration and custom roles are preserved
|
|
101
|
+
|
|
74
102
|
## Notes
|
|
75
103
|
|
|
76
104
|
- `oat init --scope project` is commonly used before provider-interop commands because it initializes `.oat/sync/config.json`.
|
|
@@ -21,7 +21,11 @@ description: 'Provider-specific path mappings for Claude, Cursor, Copilot, Gemin
|
|
|
21
21
|
- Subagent invocation in Cursor is prompt-driven (`/name` or natural mention), not `subagent_type`
|
|
22
22
|
- OAT-controlled Cursor dispatch uses the generic `.cursor/agents/<name>.md` file plus the exact `providers.cursor.dispatchArgs.model` value selected from the candidate ladder. OAT passes it byte-for-byte as the actual Task-level `model`; a `model` frontmatter value is only a default/fallback mechanism.
|
|
23
23
|
- Cursor model strings are opaque. OAT does not infer family, effort, cost, or capability from their spelling; the configured candidate position owns the named tier meaning.
|
|
24
|
-
- Cursor model validation checks whether the selected model is eligible for subagent Task dispatch
|
|
24
|
+
- Cursor model validation checks whether the selected model is eligible for subagent Task dispatch. Each adopt/doctor command probes each distinct exact candidate once and shares one lazy broad-catalog lookup across that pass; the cache ends with the command.
|
|
25
|
+
- A correlated accepted Task carrying the exact model argument plus the child sentinel proves argument eligibility for that account/client. It does not prove backend runtime identity; that remains `not-reported` without trusted Cursor telemetry or support confirmation. Structured rejection can establish `unknown-value`, while parent prose and broad `cursor-agent models` catalog presence remain diagnostic-only.
|
|
26
|
+
- The [dated GPT-5.6 verification artifact](https://github.com/voxmedia/open-agent-toolkit/blob/main/.oat/repo/reference/project-summaries/20260711-cursor-gpt-5-6-subagent-verification.md) preserves the original probe and a stream-JSON control pass. The controls observed no Task events, so the stop rule ran zero recommendation or exploratory candidates and retained the recommendation unchanged.
|
|
27
|
+
- The artifact's structured second-pass block contains only allowlisted event fields, derived outcomes, sanitized auth presence, and identifier hashes. Exact request/session/tool-call IDs and credential-redacted unprojected streams from that pass remain in gitignored local project storage for support escalation.
|
|
28
|
+
- The same public artifact retains the sanitized historical v1 text-mode record for provenance. That older section includes command arguments and prompts, stdout and stderr, exit and duration data, and capture-environment details such as user-specific binary paths; it is not limited to the structured second-pass allowlist.
|
|
25
29
|
- Rule files render as `.cursor/rules/*.mdc`
|
|
26
30
|
|
|
27
31
|
=== "Copilot"
|
|
@@ -57,6 +61,9 @@ description: 'Provider-specific path mappings for Claude, Cursor, Copilot, Gemin
|
|
|
57
61
|
- Codex `max` is a first-class dispatch effort. It is present only for the Sol family in the committed supported catalogue, for both implementer and reviewer roles.
|
|
58
62
|
- Codex multi-agent dispatch uses config-defined roles (`[agents.<name>]`) and `agent_type`
|
|
59
63
|
- Codex subagent workflows require `[features] multi_agent = true` in active Codex config layers
|
|
64
|
+
- Managed Codex roles require `agents.max_depth >= 2` for the native topology: root (depth 0) → phase coordinator (depth 1) → task worker (depth 2). Sync and direct materialization merge that floor without lowering a higher target value; project writes also preserve a higher inherited user value.
|
|
65
|
+
- Project sync or materialization writes only the project's `.codex/config.toml`; explicit user-scope materialization writes only `~/.codex/config.toml`. Project scope may read the lower-precedence user depth, but never mutates user configuration.
|
|
66
|
+
- When managed roles exist and effective depth is missing, invalid, or below `2`, `oat doctor` and managed implementation preflight explain the topology and recommend `oat sync --scope project` or `oat sync --scope user` for the affected scope. Direct materialization with the same scope is the single-role repair path.
|
|
60
67
|
- `oat-phase-implementer` is dual-mode: Phase Scope makes it a phase coordinator, while Task Scope makes the exact materialized variant a one-task worker. The coordinator does not implement ordinary tasks itself.
|
|
61
68
|
|
|
62
69
|
## Managed dispatch views
|
|
@@ -80,10 +87,16 @@ that repository change.
|
|
|
80
87
|
|
|
81
88
|
At implementation time, the phase coordinator passes the recorded named
|
|
82
89
|
maximum through invocation-only `--ceiling-tier`, resolves one exact candidate
|
|
83
|
-
per bounded task, and dispatches one task worker at a time. Codex
|
|
84
|
-
resolver-returned materialized role
|
|
85
|
-
|
|
86
|
-
|
|
90
|
+
per bounded task, and dispatches one task worker at a time. Codex first
|
|
91
|
+
attempts the resolver-returned materialized role as the native `agent_type`.
|
|
92
|
+
The launcher records the target, model axis, and effort axis from that resolved
|
|
93
|
+
payload; worker self-report is not provenance and cannot replace those values.
|
|
94
|
+
Only an explicit pre-start native role-selection rejection permits a fresh
|
|
95
|
+
pinned-child fallback. An accepted child, including one that later returns
|
|
96
|
+
`BLOCKED` or lacks telemetry, is a task outcome rather than a fallback signal.
|
|
97
|
+
Claude and Cursor bind the exact model arguments described above. A missing or
|
|
98
|
+
unselectable managed target blocks rather than falling back to the coordinator
|
|
99
|
+
or a base role.
|
|
87
100
|
|
|
88
101
|
## Scope rules
|
|
89
102
|
|
|
@@ -48,9 +48,22 @@ Rules are currently project-scoped canonical content. Unlike skills and agents,
|
|
|
48
48
|
- `oat init --scope project` (interactive) prompts for supported providers and persists explicit true/false values.
|
|
49
49
|
- `oat sync --scope project` uses config-aware provider activation and can prompt to remediate detected mismatches.
|
|
50
50
|
- Codex project-scope subagent sync writes `.codex/config.toml` and `.codex/agents/*.toml` at command layer after path-mapping sync. Every generated project Codex variant and registration is repository-owned, version-controlled provider output. OAT provides no automatic ignore mechanism for this project output; collaborators review and commit it like other project configuration.
|
|
51
|
+
- Managed Codex roles require an effective `agents.max_depth` of at least `2` for `root (0) → phase coordinator (1) → task worker (2)`. Sync and direct materialization apply that floor without lowering a higher target value. A project write may read a higher lower-precedence user value and preserves it in the project configuration; it writes only project `.codex/config.toml`. User scope writes only `~/.codex/config.toml` and does not read or change project configuration.
|
|
52
|
+
- If a managed role has missing, invalid, or insufficient effective depth, `oat doctor` and managed implementation preflight report the topology and give a scope-specific repair: `oat sync --scope project` for project scope or `oat sync --scope user` for user scope. For a single role, use `oat providers codex materialize` with the same explicit scope.
|
|
51
53
|
- Codex aggregate config drift is reported via sync/status extension metadata (`aggregateConfigHash`); it is not persisted as a separate manifest schema entry.
|
|
52
54
|
- Codex user-config materialization writes user-owned implementer and reviewer roles under the user provider directory, `~/.codex`; it does not write those roles into the repository.
|
|
53
55
|
|
|
56
|
+
## Codex managed dispatch
|
|
57
|
+
|
|
58
|
+
For managed Codex work, the resolver-returned materialized role is attempted as
|
|
59
|
+
the native `agent_type` first. The launcher owns the resulting target, model,
|
|
60
|
+
and reasoning-effort provenance, derived from the resolved candidate and
|
|
61
|
+
compiled invocation payload; worker output cannot populate or overwrite it.
|
|
62
|
+
A fresh pinned child is allowed only after explicit pre-start native
|
|
63
|
+
role-selection rejection. Missing runtime telemetry, missing self-report, or a
|
|
64
|
+
child accepted by the native route that later returns `BLOCKED` are not
|
|
65
|
+
role-selection rejection and do not permit fallback.
|
|
66
|
+
|
|
54
67
|
## Non-interop namespaces in the same CLI
|
|
55
68
|
|
|
56
69
|
- `oat project new <name>` (workflow/project scaffolding)
|
|
@@ -263,6 +263,33 @@ Reviewers use the final candidate at the configured review ceiling. Managed
|
|
|
263
263
|
reviewer behavior. A timeout retry preserves the same exact role or complete
|
|
264
264
|
Claude/Cursor model payload.
|
|
265
265
|
|
|
266
|
+
### Cursor evidence authority
|
|
267
|
+
|
|
268
|
+
Cursor resolution and runtime evidence answer different questions. Resolution
|
|
269
|
+
proves which opaque candidate OAT requested. A stream-JSON Task start and
|
|
270
|
+
correlated completion prove launcher behavior only when the model argument is
|
|
271
|
+
preserved byte-for-byte. An accepted Task plus the child sentinel establishes
|
|
272
|
+
argument eligibility for that account and client; a structured rejection can
|
|
273
|
+
establish `unknown-value`. Runtime producer identity remains `not-reported`
|
|
274
|
+
unless trusted Cursor telemetry or Cursor support independently confirms it.
|
|
275
|
+
|
|
276
|
+
The [2026-07-11 GPT-5.6 evidence record](https://github.com/voxmedia/open-agent-toolkit/blob/main/.oat/repo/reference/project-summaries/20260711-cursor-gpt-5-6-subagent-verification.md)
|
|
277
|
+
ran positive and negative controls before candidate probes. Neither control
|
|
278
|
+
emitted a Task event, so the harness stopped without probing the 13 recommended
|
|
279
|
+
arguments or exploratory `gpt-5.6-sol-high-fast`. This is a harness/account
|
|
280
|
+
boundary, not model rejection, and it supports no recommendation change.
|
|
281
|
+
|
|
282
|
+
The tracked artifact's structured second-pass block exposes only an allowlisted
|
|
283
|
+
event projection and non-reversible identifier hashes. Exact
|
|
284
|
+
request/session/tool-call IDs and credential-redacted unprojected streams from
|
|
285
|
+
that pass stay in gitignored local project storage for support diagnosis.
|
|
286
|
+
|
|
287
|
+
The same public artifact intentionally preserves the sanitized historical v1
|
|
288
|
+
text-mode record for provenance. That older section includes command arguments
|
|
289
|
+
and prompts, stdout and stderr, exit and duration data, and capture-environment
|
|
290
|
+
details such as user-specific binary paths; it is not limited to the structured
|
|
291
|
+
second-pass projection.
|
|
292
|
+
|
|
266
293
|
## Coordinator and Worker Layers
|
|
267
294
|
|
|
268
295
|
`oat-phase-implementer` has two explicit modes:
|
|
@@ -279,19 +306,44 @@ Workers run serially in the same worktree. Parallelism remains limited to
|
|
|
279
306
|
plan-declared phase worktrees. See
|
|
280
307
|
[Implementation Execution](implementation-execution.md) for the full loop.
|
|
281
308
|
|
|
282
|
-
## Producer Provenance
|
|
309
|
+
## Dispatch Report V1 and Producer Provenance
|
|
310
|
+
|
|
311
|
+
Resolver calls that pass `--report-scope` and `--report-action` include a
|
|
312
|
+
`dispatchReport` object in JSON output. Consumers must require
|
|
313
|
+
`dispatchReport.schemaVersion: 1` before dispatch. The report keeps four
|
|
314
|
+
different decisions separate:
|
|
315
|
+
|
|
316
|
+
| Report area | What it means |
|
|
317
|
+
| ------------------------------------------------------------------- | -------------------------------------------------------------------- |
|
|
318
|
+
| `policy` | The resolved managed/inherit policy, its status, name, and source |
|
|
319
|
+
| `selection.ceilingTier` / `selection.ceilingTarget` | The maximum allowed tier and its boundary target |
|
|
320
|
+
| `selection.requestedCandidate` / `candidateTier` / `candidateIndex` | The exact candidate requested for this bounded task and its position |
|
|
321
|
+
| `selection.exactSelectedTarget` / `route.target` | The compiled provider target and actual invocation route |
|
|
322
|
+
|
|
323
|
+
A named policy or ceiling is never a substitute for the requested candidate or
|
|
324
|
+
exact selected target. `requestedControls` records what OAT put into the host
|
|
325
|
+
payload. `configuredDefaults` records fallback configuration and is explicitly
|
|
326
|
+
not a runtime observation.
|
|
327
|
+
|
|
328
|
+
`gateInvocation` is an immutable copy of configured gate controls.
|
|
329
|
+
`runtimeIdentity` is separate and stays `not-reported` until independently
|
|
330
|
+
observed or otherwise supported runtime evidence exists. Requested controls,
|
|
331
|
+
configured defaults, role-name parsing, and reviewer self-identification do not
|
|
332
|
+
become observed runtime identity.
|
|
283
333
|
|
|
284
|
-
|
|
334
|
+
Human output comes from `formatDispatchReport(dispatchReport)`. Dispatch notes
|
|
335
|
+
also retain a parseable compatibility stamp for later review gates:
|
|
285
336
|
|
|
286
337
|
```text
|
|
287
338
|
Dispatch: scope=p06-t03 action=implementation role=implementer producer=gpt-5.6-sol provenance=declared model_axis=selected:gpt-5.6-sol effort_axis=selected:high dispatch_policy=high dispatch_ceiling=high target=oat-phase-implementer-gpt-5-6-sol-high
|
|
288
339
|
```
|
|
289
340
|
|
|
290
|
-
|
|
291
|
-
`
|
|
292
|
-
|
|
293
|
-
|
|
294
|
-
|
|
341
|
+
The stamp must be derived through `toDispatchStampRecord(dispatchReport)` and
|
|
342
|
+
`formatDispatchStamp`; callers must not reconstruct it from policy labels, role
|
|
343
|
+
names, candidate strings, or target names. `producer` is the runtime model slug
|
|
344
|
+
when OAT can establish it; otherwise it is `unknown`. `provenance` is
|
|
345
|
+
`declared`, `observed`, `inferred`, or `unknown`. Selected model and effort axes
|
|
346
|
+
can remain exact even when runtime producer identity is not reported.
|
|
295
347
|
|
|
296
348
|
## Legacy Compatibility
|
|
297
349
|
|
|
@@ -88,6 +88,18 @@ import performs the same readiness setup:
|
|
|
88
88
|
|
|
89
89
|
See [Dispatch Policy](dispatch-ceiling.md) for ladder shapes and ownership.
|
|
90
90
|
|
|
91
|
+
### Validating plan metadata
|
|
92
|
+
|
|
93
|
+
Before building the phase schedule, implementation validates plan parallelism:
|
|
94
|
+
|
|
95
|
+
```bash
|
|
96
|
+
oat project validate-plan --project-path .oat/projects/shared/example
|
|
97
|
+
```
|
|
98
|
+
|
|
99
|
+
The command rejects malformed groups, unknown phase IDs, duplicate membership,
|
|
100
|
+
and singleton groups. Invalid metadata blocks execution rather than silently
|
|
101
|
+
falling back to a different schedule.
|
|
102
|
+
|
|
91
103
|
Before phase work, implementation runs provider preflight:
|
|
92
104
|
|
|
93
105
|
```bash
|
|
@@ -101,6 +113,19 @@ An unresolved non-interactive preflight blocks. Managed `Uncapped` and
|
|
|
101
113
|
`Inherit Host Defaults` are explicit modes; omitted policy state is not an
|
|
102
114
|
implicit fallback.
|
|
103
115
|
|
|
116
|
+
For a managed Codex implementer, preflight also resolves the effective
|
|
117
|
+
`agents.max_depth`. Native `root (0) → phase coordinator (1) → task worker (2)`
|
|
118
|
+
execution requires a depth of at least `2`. Missing, invalid, or lower values
|
|
119
|
+
block before dispatch and identify the owning scope:
|
|
120
|
+
|
|
121
|
+
- Project scope: run `oat sync --scope project`
|
|
122
|
+
- User scope: run `oat sync --scope user`
|
|
123
|
+
- Single-role repair: rerun `oat providers codex materialize` with the required
|
|
124
|
+
agent name, model, effort, and matching scope
|
|
125
|
+
|
|
126
|
+
Project preflight may inherit a valid higher user depth, but remediation never
|
|
127
|
+
writes across the project/user boundary.
|
|
128
|
+
|
|
104
129
|
## Resolve the Effective Named Maximum
|
|
105
130
|
|
|
106
131
|
For each phase, the orchestrator determines the task maximum:
|
|
@@ -190,9 +215,14 @@ candidate above the maximum or absent from the configured ladder blocks.
|
|
|
190
215
|
Build the complete host payload before writing dispatch logs:
|
|
191
216
|
|
|
192
217
|
- **Codex:** use `providers.codex.dispatchArgs.variant` as the actual
|
|
193
|
-
`agent_type`.
|
|
194
|
-
|
|
195
|
-
|
|
218
|
+
`agent_type`. An accepted launch with that exact materialized role is
|
|
219
|
+
authoritative evidence of the configured invocation for coordinators and
|
|
220
|
+
task workers. A fresh Codex child pinned to `selection.target.model` and
|
|
221
|
+
`selection.target.effort` is permitted only after an actual native
|
|
222
|
+
role-selection rejection; missing self-reporting or model/effort telemetry
|
|
223
|
+
does not justify the fallback. An accepted child, including one that later
|
|
224
|
+
returns `BLOCKED`, is a task outcome and never triggers another pinned-child
|
|
225
|
+
fallback.
|
|
196
226
|
- **Claude:** pass `providers.claude.dispatchArgs.model` as the actual Task
|
|
197
227
|
`model`. Its separate effort axis is `not-applicable`.
|
|
198
228
|
- **Cursor:** pass `providers.cursor.dispatchArgs.model` byte-for-byte as the
|
|
@@ -204,6 +234,36 @@ If exact controls cannot be applied, fail closed. A transient retry reuses the
|
|
|
204
234
|
same complete provider payload. Substantive escalation re-resolves another
|
|
205
235
|
configured candidate within the same named maximum and bounded retry budget.
|
|
206
236
|
|
|
237
|
+
## Dispatch Reports During Execution
|
|
238
|
+
|
|
239
|
+
Every implementation, fix, and review resolver call supplies explicit report
|
|
240
|
+
context:
|
|
241
|
+
|
|
242
|
+
```text
|
|
243
|
+
--report-scope <phase-or-task> --report-action <implementation|fix|review>
|
|
244
|
+
```
|
|
245
|
+
|
|
246
|
+
The completed JSON must contain `dispatchReport.schemaVersion: 1` before the
|
|
247
|
+
provider invocation begins. The coordinator reads the requested candidate,
|
|
248
|
+
candidate tier, ceiling, exact selected target, requested controls, configured
|
|
249
|
+
defaults, and runtime identity from that report as distinct fields. It does not
|
|
250
|
+
infer any of them from a materialized role name or opaque Cursor string.
|
|
251
|
+
|
|
252
|
+
The human dispatch block is rendered from the report. The formal `Dispatch:`
|
|
253
|
+
line is a compatibility view derived from the same report through the dispatch
|
|
254
|
+
stamp adapter. It is not a second schema and must not be assembled by hand.
|
|
255
|
+
Configured defaults and configured gate invocation remain distinct from runtime
|
|
256
|
+
identity; when runtime identity is not observed, the report says so without
|
|
257
|
+
weakening exact requested model or effort controls.
|
|
258
|
+
|
|
259
|
+
After constructing the complete payload, the launcher records the selected
|
|
260
|
+
target and requested model/effort controls in the report. Those configured
|
|
261
|
+
invocation fields are launcher-owned and derive from resolver output plus the
|
|
262
|
+
actual payload; worker output cannot populate or overwrite them. Optional
|
|
263
|
+
coordinator or worker self-report remains non-authoritative runtime evidence.
|
|
264
|
+
Runtime attestation, when available, is separate host-generated metadata rather
|
|
265
|
+
than an agent claim.
|
|
266
|
+
|
|
207
267
|
## Task Scope and Commit Verification
|
|
208
268
|
|
|
209
269
|
Each worker receives only one task:
|
|
@@ -207,7 +207,24 @@ Final review `passed` gate requires:
|
|
|
207
207
|
- Project-scope Codex role files are generated from canonical `.agents/agents/*.md` during `oat sync --scope project`.
|
|
208
208
|
- User-config Codex roles materialize under `~/.codex`; project-config and supported-catalogue roles remain in the project-scoped, version-controlled `.codex` view.
|
|
209
209
|
- Some Codex hosts require explicit user authorization before the skill may call `spawn_agent`. In those hosts, `oat-project-review-provide` should ask whether to delegate to `oat-reviewer` instead of reporting the reviewer as unresolved.
|
|
210
|
-
-
|
|
210
|
+
- An accepted launch using the exact materialized `agent_type` is authoritative
|
|
211
|
+
configured-invocation evidence for a reviewer. After the complete payload
|
|
212
|
+
is built, the launcher records its `target`, `model_axis`, and
|
|
213
|
+
`effort_axis`; reviewer self-report cannot supply or overwrite those
|
|
214
|
+
fields. Optional self-report is non-authoritative, while runtime
|
|
215
|
+
attestation is host-generated metadata.
|
|
216
|
+
- A fresh pinned CLI child is a fallback only for an actual native
|
|
217
|
+
role-selection rejection, never for absent self-reporting or model/effort
|
|
218
|
+
telemetry. A child accepted by the native host, including one that later
|
|
219
|
+
returns `BLOCKED`, has produced a review outcome and cannot trigger the
|
|
220
|
+
fallback.
|
|
221
|
+
- An accepted reviewer that returns `BLOCKED` blocks the relevant review. It
|
|
222
|
+
cannot trigger the pinned fallback, and absent findings in that blocked
|
|
223
|
+
outcome cannot be interpreted as a pass.
|
|
224
|
+
- For unmanaged review dispatch, if subagent dispatch is unavailable, follow
|
|
225
|
+
the existing fallback path (fresh session preferred, inline reset as
|
|
226
|
+
fallback). This generic fallback does not override managed exact-target
|
|
227
|
+
rules: a managed reviewer that cannot be launched exactly blocks the review.
|
|
211
228
|
|
|
212
229
|
## Reference artifacts
|
|
213
230
|
|
|
@@ -220,6 +220,8 @@ The package manager for the agent skills ecosystem. Installs skills across 27+ a
|
|
|
220
220
|
- Enable feature flag in config:
|
|
221
221
|
- `[features]`
|
|
222
222
|
- `multi_agent = true`
|
|
223
|
+
- For OAT's nested root → coordinator → worker topology, configure
|
|
224
|
+
`[agents] max_depth = 2` or higher.
|
|
223
225
|
- Define role(s) in config:
|
|
224
226
|
- `[agents.oat-reviewer]` (or role names your workflow dispatches)
|
|
225
227
|
- Dispatch by role name using `agent_type` (not `subagent_type`).
|
|
@@ -228,8 +230,12 @@ The package manager for the agent skills ecosystem. Installs skills across 27+ a
|
|
|
228
230
|
**Note on OAT provider sync:**
|
|
229
231
|
|
|
230
232
|
- Codex runtime dispatch is config-role based (`[agents.<name>]`) and TOML-backed.
|
|
231
|
-
- OAT
|
|
232
|
-
|
|
233
|
+
- OAT sync exports canonical Markdown agents as `.codex/agents/*.toml` role
|
|
234
|
+
configs and registers them in `.codex/config.toml`.
|
|
235
|
+
- Project-scoped output is repository-owned and version controlled. Explicit
|
|
236
|
+
user-scope materialization writes under `~/.codex` instead.
|
|
237
|
+
- Sync and direct materialization merge an `agents.max_depth` floor of `2`
|
|
238
|
+
without lowering a higher project or inherited user value.
|
|
233
239
|
|
|
234
240
|
### Other Codex Resources
|
|
235
241
|
|
|
@@ -220,6 +220,8 @@ The package manager for the agent skills ecosystem. Installs skills across 27+ a
|
|
|
220
220
|
- Enable feature flag in config:
|
|
221
221
|
- `[features]`
|
|
222
222
|
- `multi_agent = true`
|
|
223
|
+
- For OAT's nested root → coordinator → worker topology, configure
|
|
224
|
+
`[agents] max_depth = 2` or higher.
|
|
223
225
|
- Define role(s) in config:
|
|
224
226
|
- `[agents.oat-reviewer]` (or role names your workflow dispatches)
|
|
225
227
|
- Dispatch by role name using `agent_type` (not `subagent_type`).
|
|
@@ -228,8 +230,12 @@ The package manager for the agent skills ecosystem. Installs skills across 27+ a
|
|
|
228
230
|
**Note on OAT provider sync:**
|
|
229
231
|
|
|
230
232
|
- Codex runtime dispatch is config-role based (`[agents.<name>]`) and TOML-backed.
|
|
231
|
-
- OAT
|
|
232
|
-
|
|
233
|
+
- OAT sync exports canonical Markdown agents as `.codex/agents/*.toml` role
|
|
234
|
+
configs and registers them in `.codex/config.toml`.
|
|
235
|
+
- Project-scoped output is repository-owned and version controlled. Explicit
|
|
236
|
+
user-scope materialization writes under `~/.codex` instead.
|
|
237
|
+
- Sync and direct materialization merge an `agents.max_depth` floor of `2`
|
|
238
|
+
without lowering a higher project or inherited user value.
|
|
233
239
|
|
|
234
240
|
### Other Codex Resources
|
|
235
241
|
|