Fix Guard cloud approval snapshot sync #1308

Merged: kantorcodes merged 2 commits into main from hgcff-local-sync-20260704 on Jul 5, 2026

@kantorcodes (Member)

Summary

  • send pending local approval requests without stale cursors so Cloud sees fresh blocked requests
  • retry Guard command heartbeat/result uploads once after OAuth repair on HTTP 401
  • preserve DPoP nonce retry handling for non-JSON command requests

Verification

  • python3 -m py_compile src/codex_plugin_scanner/guard/runtime/local_request_snapshots.py src/codex_plugin_scanner/guard/runtime/command_queue.py src/codex_plugin_scanner/guard/runtime/runner.py
  • python3 -m pytest tests/test_guard_command_snapshot_paging.py -v
  • python3 -m pytest tests/test_guard_command_queue.py::test_poll_once_repairs_oauth_storage_and_retries_before_leasing tests/test_guard_command_queue.py::test_poll_once_keeps_auth_expired_state_when_auth_refresh_fails -v

@gemini-code-assist

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@greptile-apps

greptile-apps Bot commented Jul 4, 2026

Greptile Summary

This PR updates Guard Cloud command sync behavior. The main changes are:

  • Sends pending local approval snapshots without stored cursors.
  • Retries command heartbeat and result uploads once after OAuth repair on 401 responses.
  • Preserves pending-result storage for non-401 result upload failures.
  • Restores DPoP nonce retry handling for non-JSON command requests.
  • Adds tests for pending snapshot freshness and command queue retry behavior.

Confidence Score: 5/5

Safe to merge with low risk.

The changes are scoped to command queue retry behavior, pending snapshot cursor handling, and matching tests. No remaining runtime bugs were identified in the changed paths.

No files require special attention.

T-Rex Logs

What T-Rex did

  • Verified the compile proof completed with EXIT_CODE: 0 according to the compile log.
  • Confirmed the snapshot paging proof shows all three focused tests passed with EXIT_CODE: 0.
  • Validated the OAuth retry proof shows both targeted command queue tests passed with EXIT_CODE: 0.

Ran code and verified through T-Rex

Important Files Changed

| Filename | Overview |
|---|---|
| src/codex_plugin_scanner/guard/runtime/command_queue.py | Adds OAuth repair retries for command heartbeat/result 401 responses and preserves pending results for non-401 upload errors. |
| src/codex_plugin_scanner/guard/runtime/local_request_snapshots.py | Makes pending local request snapshots cursorless while preserving cursor behavior for other statuses. |
| src/codex_plugin_scanner/guard/runtime/runner.py | Restores DPoP nonce retry handling for non-JSON upload requests on 401 responses. |
| tests/test_guard_command_queue.py | Adds and updates tests for command queue result persistence and OAuth repair retry behavior. |
| tests/test_guard_command_snapshot_paging.py | Updates snapshot paging tests to cover cursorless pending snapshots and newly inserted pending requests. |

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
  participant Guard as Guard daemon
  participant Store as Local GuardStore
  participant Cloud as Guard Cloud

  Guard->>Store: Build lease payload
  Store-->>Guard: Pending approval snapshot without pending cursor
  Guard->>Cloud: POST /lease with snapshot
  Cloud-->>Guard: Command item or empty
  alt Command leased
      Guard->>Cloud: "POST /{job}/heartbeat"
      alt 401 response
          Guard->>Store: Force OAuth refresh or repair
          Store-->>Guard: Refreshed auth context
          Guard->>Cloud: Retry heartbeat once
      end
      Guard->>Guard: Execute command
      Guard->>Cloud: "POST /{job}/heartbeat and /result"
      alt 401 response
          Guard->>Store: Force OAuth refresh or repair
          Store-->>Guard: Refreshed auth context
          Guard->>Cloud: Retry heartbeat and result once
      else Non-401 upload failure
          Guard->>Store: Persist pending_result for next poll
      end
  else Pending result exists
      Guard->>Cloud: Retry saved result before leasing
      alt 401 response
          Guard->>Store: Force OAuth refresh or repair
          Store-->>Guard: Refreshed auth context
          Guard->>Cloud: Retry saved result once
      end
  end

Reviews (9): Last reviewed commit: "Merge remote-tracking branch 'origin/mai..."

Comment thread src/codex_plugin_scanner/guard/runtime/command_queue.py
@kantorcodes kantorcodes force-pushed the hgcff-local-sync-20260704 branch 2 times, most recently from 0b5e4dd to 5e48e52 Compare July 4, 2026 22:26
Comment thread src/codex_plugin_scanner/guard/runtime/command_queue.py Outdated
@kantorcodes kantorcodes force-pushed the hgcff-local-sync-20260704 branch 2 times, most recently from 3692b6d to 93880f2 Compare July 4, 2026 23:07
Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>
@kantorcodes kantorcodes force-pushed the hgcff-local-sync-20260704 branch from 93880f2 to 564e7c2 Compare July 4, 2026 23:18
@kilo-code-bot

kilo-code-bot Bot commented Jul 4, 2026

Code Review Summary

Status: 2 Issues Found | Recommendation: Address before merge

Overview

| Severity | Count |
|---|---|
| CRITICAL | 0 |
| WARNING | 2 |
| SUGGESTION | 0 |

Issue Details

WARNING

| File | Line | Issue |
|---|---|---|
| src/codex_plugin_scanner/guard/runtime/command_queue.py | 388 | Missing error handling after OAuth refresh retry in _retry_pending_result - if the retry _post_result fails, the exception propagates without state cleanup, leaving pending_result potentially in an inconsistent state. |
| src/codex_plugin_scanner/guard/runtime/command_queue.py | 404-413 | _resolve_command_queue_auth_context only catches GuardSyncNotConfiguredError but not GuardSyncAuthorizationExpiredError, unlike the original _resolve_guard_sync_auth_context_with_repair which handles both. This could cause OAuth repair to be skipped when a token is expired but OAuth is configured. |

Files Reviewed (3 files)
  • src/codex_plugin_scanner/guard/runtime/command_queue.py - 2 issues
  • src/codex_plugin_scanner/guard/runtime/local_request_snapshots.py - 0 issues
  • src/codex_plugin_scanner/guard/runtime/runner.py - 0 issues


Reviewed by laguna-m.1-20260312:free · Input: 259.1K · Output: 16.9K · Cached: 2.1M
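
The retry-once-after-repair flow from the Greptile sequence diagram, including the failed-retry case raised in the first kilo-code-bot warning, sketched as an added example; it is not code from this PR or the project. `ResultUploader`, `UploadError`, `make_cloud`, and the `post`/`refresh` callables are hypothetical names, and the cloud endpoint is a constructed in-memory stand-in.

```python
from dataclasses import dataclass
from typing import Callable, Optional

class UploadError(Exception):  # hypothetical transport error carrying the HTTP status
    def __init__(self, status: int):
        super().__init__(f"HTTP {status}")
        self.status = status

@dataclass
class ResultUploader:
    post: Callable[[str, dict], None]     # assumed: raises UploadError on failure
    refresh: Callable[[], Optional[str]]  # assumed: new token, or None if repair fails
    token: str
    pending_result: Optional[dict] = None
    auth_expired: bool = False

    def upload(self, result: dict) -> bool:
        try:
            self.post(self.token, result)
        except UploadError as err:
            if err.status != 401 or not self._repair_and_retry(result):
                self.pending_result = result  # keep the result for the next poll
                return False
        self.pending_result, self.auth_expired = None, False
        return True

    def _repair_and_retry(self, result: dict) -> bool:
        new_token = self.refresh()
        if new_token is None:
            self.auth_expired = True          # repair failed: record it, do not retry
            return False
        self.token = new_token
        try:
            self.post(self.token, result)     # the single retry; no loop
        except UploadError as err:
            self.auth_expired = err.status == 401
            return False                      # caller parks the result, nothing propagates
        return True

def make_cloud(valid_token: str, fail_status: Optional[int] = None):
    """Constructed stand-in for the cloud endpoint; returns (post, accepted, calls)."""
    accepted, calls = [], []
    def post(token: str, result: dict) -> None:
        calls.append(token)
        if fail_status or token != valid_token:
            raise UploadError(fail_status or 401)
        accepted.append(result)
    return post, accepted, calls
```

The second `except` is the path the warning describes: when the retried upload fails, the result is still parked and the auth state recorded, so the next poll starts from a consistent state.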

Comment thread src/codex_plugin_scanner/guard/runtime/command_queue.py
Comment thread src/codex_plugin_scanner/guard/runtime/command_queue.py Outdated
Comment thread src/codex_plugin_scanner/guard/runtime/command_queue.py
@kantorcodes kantorcodes force-pushed the hgcff-local-sync-20260704 branch from bed49c9 to 8fbd531 Compare July 4, 2026 23:50
…0704

# Conflicts:
#	tests/test_guard_receipt_redaction_cursor.py
#	tests/test_guard_supply_chain_daemon.py

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>
@kantorcodes kantorcodes force-pushed the hgcff-local-sync-20260704 branch from 8fbd531 to 182d708 Compare July 5, 2026 00:11
@kantorcodes kantorcodes enabled auto-merge (squash) July 5, 2026 00:27
@kantorcodes kantorcodes merged commit d0c585d into main Jul 5, 2026
21 checks passed