[codex] Add Reliability Governor runtime#27
Conversation
Svaag
force-pushed
the
codex/reliability-governor-runtime
branch
from
61b459f to
0a0813f
Compare
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0a0813f856
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if pointer is not None: | ||
| active_lhp = lhp_config or LhpClientConfig.from_env() | ||
| if active_lhp.configured: | ||
| lhp_payload = fetch_lhp_payload(pointer, active_lhp, requester=lhp_requester) |
There was a problem hiding this comment.
When an issue contains an LHP pointer and CaseService is configured but returns a non-200 response, schema mismatch, or transient network error, fetch_lhp_payload raises here; governor_once and the CLI do not catch it, so the entire timer pass exits before routing this issue to loop:needs-context or processing later eligible issues. A single stale/broken NOC handoff can therefore starve unrelated candidates until it is manually fixed.
Useful? React with 👍 / 👎.
| if labels & terminal: | ||
| return False | ||
| loop_labels = {label for label in labels if label.startswith("loop:")} | ||
| return not loop_labels or INTAKE_LABEL in labels or CANDIDATE_LABEL in labels |
There was a problem hiding this comment.
For decisions that resolve to allow_candidate (for example Tier 2 without strong history or no matching capability), the label transition leaves loop:candidate on the issue, and this predicate keeps every such issue eligible on every 15-minute timer pass. Because record_id includes a fresh timestamp and the code always posts a new CDR before labels, unchanged candidates will accumulate duplicate Reliability Governor comments indefinitely until a human changes the label.
Useful? React with 👍 / 👎.
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e520106dec
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
/review |
|
@codex review |
|
/review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2267ef26b8
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Svaag
force-pushed
the
codex/reliability-governor-runtime
branch
from
0809d7a to
8a079dd
Compare
|
@codex review |
|
/review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8a079dd9c4
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if APPROVED_LABEL in labels: | ||
| return False |
There was a problem hiding this comment.
When an issue already has loop:approved, this skips the Governor entirely even if the issue title/body/labels changed after the CDR was written. In the daemon path, daemon_once later lists loop:approved issues and renders the current issue body into request.md, so an edit after approval (for example from a docs request to a secret/BGP request) can bypass Governor policy under the old label. Re-review approved issues or bind approval to an immutable issue revision before the daemon can consume it.
Useful? React with 👍 / 👎.
| "classification": classification.model_dump(mode="json"), | ||
| "knowledge": knowledge.model_dump(mode="json"), | ||
| "decision": decision, | ||
| "capability": capability.id if capability is not None else None, |
There was a problem hiding this comment.
The CDR identity only hashes the capability id, not the safety envelope fields that are copied into the record such as allowed_paths, forbidden_paths, and required_checks. If the registry tightens or widens a capability without renaming it, governor_once will find the old path, see converged labels, and skip posting/writing a new CDR, leaving stale audit data for the envelope that authorized the label.
Useful? React with 👍 / 👎.
|
@codex review |
|
/review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: cd22f1852f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
|
/review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2983e870d1
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
|
/review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2a55b0cc96
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| def _authority_text(issue: IssueSnapshot, lhp_payload: dict[str, Any] | None) -> str: | ||
| if lhp_payload is None: | ||
| return safe_text(f"{issue.title}\n{issue.body}", limit=5000) |
There was a problem hiding this comment.
When an issue body expresses credentials as assignments such as token=... or password: ..., _authority_text returns safe_text(...), whose redaction removes both the keyword and value before classify_issue_intent checks for token/credential/secret. A docs/runbook request containing that pattern can therefore be classified as Tier 0 and receive loop:approved instead of hitting the Tier 4 secret gate; classify on unsanitized text (or preserve redaction markers that still identify the sensitive domain) and only sanitize for storage/display.
Useful? React with 👍 / 👎.
| decision_comments = [ | ||
| comment | ||
| for comment in comments | ||
| if any(marker in str(comment.get("body", "")) for marker in RELIABILITY_DECISION_MARKERS) | ||
| ] |
There was a problem hiding this comment.
With --require-reliability-decision, this treats any issue comment containing the marker as a valid Reliability Decision Record. Because the JSON payload is unsigned and no comment author/bot identity is checked, a user who can comment can post a later forged allow_approved record matching the current title/body; if the issue has or later gets loop:approved, the daemon will accept it and run within the intersected allowlist. Verify the trusted author or a signature before accepting the comment payload.
Useful? React with 👍 / 👎.
1 participant
Summary
Adds the Reliability Governor as the Staff SRE control plane for autonomous operations. The implementation keeps production v1 timer-driven and deterministic, with GitHub labels as enforcement and the Engineering daemon consuming only
loop:approved.What changed
reliability-governor --onceCLI command, keepinggovernoras a compatibility alias.ReliabilityGovernorWakeEventcontract for future callback-driven wake/reconcile behavior without choosing a durable transport yet.loop:approvedmeans Reliability-Governor-or-human-approved work.Validation
uv run pytest tests/test_phase29_governor.py -q-> 9 passeduv run mypy --strict src-> passedgit diff --cached --check-> passeduv run pytest -q-> 205 passedRollout notes
Production rollout should start with a
--dry-runpass on the dedicatedloopVM using the real capability registry, Knowledge MCP, and NOC CaseService environment. Enable the timer only after the dry-run output is reviewed.