[codex] Add Reliability Governor runtime #27
61b459f to 0a0813f
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0a0813f856
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if pointer is not None: | ||
| active_lhp = lhp_config or LhpClientConfig.from_env() | ||
| if active_lhp.configured: | ||
| lhp_payload = fetch_lhp_payload(pointer, active_lhp, requester=lhp_requester) |
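Review bot: the if active_lhp.configured: check on the third line has no else in the lines shown, so an issue that carries a pointer while the LHP client is unconfigured continues as if it had no pointer. Make that case explicit, for example by recording that a pointer was present but not fetched, so the resulting decision is not silently based on the title and body alone.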
Catch LHP fetch failures per issue
When an issue contains an LHP pointer and CaseService is configured but returns a non-200 response, schema mismatch, or transient network error, fetch_lhp_payload raises here; governor_once and the CLI do not catch it, so the entire timer pass exits before routing this issue to loop:needs-context or processing later eligible issues. A single stale/broken NOC handoff can therefore starve unrelated candidates until it is manually fixed.
| if labels & terminal: | ||
| return False | ||
| loop_labels = {label for label in labels if label.startswith("loop:")} | ||
| return not loop_labels or INTAKE_LABEL in labels or CANDIDATE_LABEL in labels |
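Review bot: the final return treats an issue as eligible whenever INTAKE_LABEL or CANDIDATE_LABEL is present, without looking at what else is in loop_labels, so an issue that carries the candidate label alongside a second, non-terminal loop: label is still picked up. If only intake and candidate states should be eligible, compare the whole set instead, e.g. return loop_labels <= {INTAKE_LABEL, CANDIDATE_LABEL}, which also covers the empty case.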
Stop reprocessing unchanged candidate decisions
For decisions that resolve to allow_candidate (for example Tier 2 without strong history or no matching capability), the label transition leaves loop:candidate on the issue, and this predicate keeps every such issue eligible on every 15-minute timer pass. Because record_id includes a fresh timestamp and the code always posts a new CDR before labels, unchanged candidates will accumulate duplicate Reliability Governor comments indefinitely until a human changes the label.
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e520106dec
/review
@codex review
/review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2267ef26b8
0809d7a to 8a079dd
@codex review
/review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8a079dd9c4
| if APPROVED_LABEL in labels: | ||
| return False |
Reconcile approved issues before the daemon consumes them
When an issue already has loop:approved, this skips the Governor entirely even if the issue title/body/labels changed after the CDR was written. In the daemon path, daemon_once later lists loop:approved issues and renders the current issue body into request.md, so an edit after approval (for example from a docs request to a secret/BGP request) can bypass Governor policy under the old label. Re-review approved issues or bind approval to an immutable issue revision before the daemon can consume it.
| "classification": classification.model_dump(mode="json"), | ||
| "knowledge": knowledge.model_dump(mode="json"), | ||
| "decision": decision, | ||
| "capability": capability.id if capability is not None else None, |
Include the capability envelope in the CDR id
The CDR identity only hashes the capability id, not the safety envelope fields that are copied into the record such as allowed_paths, forbidden_paths, and required_checks. If the registry tightens or widens a capability without renaming it, governor_once will find the old path, see converged labels, and skip posting/writing a new CDR, leaving stale audit data for the envelope that authorized the label.
@codex review
/review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: cd22f1852f
@codex review
/review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2983e870d1
@codex review
/review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2a55b0cc96
| def _authority_text(issue: IssueSnapshot, lhp_payload: dict[str, Any] | None) -> str: | ||
| if lhp_payload is None: | ||
| return safe_text(f"{issue.title}\n{issue.body}", limit=5000) |
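Review bot: limit=5000 on the safe_text(...) call in the lhp_payload is None branch caps the text this function returns; if limit truncates, anything in the title and body beyond 5000 characters is never seen by whatever consumes the authority text. Apply the limit only to what is stored or displayed, or route over-length issues to a manual path instead of deciding on a prefix.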
Preserve secret keywords before classification
When an issue body expresses credentials as assignments such as token=... or password: ..., _authority_text returns safe_text(...), whose redaction removes both the keyword and value before classify_issue_intent checks for token/credential/secret. A docs/runbook request containing that pattern can therefore be classified as Tier 0 and receive loop:approved instead of hitting the Tier 4 secret gate; classify on unsanitized text (or preserve redaction markers that still identify the sensitive domain) and only sanitize for storage/display.
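The ordering problem this review comment describes, as an added example that is not code from the pull request. The functions redact_all, redact_values, classify_tier and decide are hypothetical stand-ins for the project's safe_text and classify_issue_intent, and the patterns and sample issue are constructed.

```python
import re

# Assumed credential-assignment shapes, e.g. "token=abc" or "password: abc".
_KEYWORDS = r"(token|password|secret|credential|api[_-]?key)"
_ASSIGNMENT = re.compile(rf"(?i)\b{_KEYWORDS}\b(\s*[:=]\s*)(\S+)")
_SENSITIVE = re.compile(rf"(?i)\b{_KEYWORDS}\b")


def redact_all(text: str) -> str:
    """Redaction as the review describes it: keyword and value both disappear."""
    return _ASSIGNMENT.sub("[REDACTED]", text)


def redact_values(text: str) -> str:
    """Redaction that keeps the keyword, so the sensitive domain stays visible."""
    return _ASSIGNMENT.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)


def classify_tier(text: str) -> int:
    """Toy classifier: Tier 4 when a secret keyword is present, otherwise Tier 0."""
    return 4 if _SENSITIVE.search(text) else 0


def decide(title: str, body: str, *, classify_raw: bool) -> tuple[int, str]:
    """Return (tier, text safe to store); classify_raw=False reproduces the gap."""
    raw = f"{title}\n{body}"
    if classify_raw:
        # Classify first, sanitize only what gets stored or displayed.
        return classify_tier(raw), redact_values(raw)
    stored = redact_all(raw)
    return classify_tier(stored), stored


# Constructed sample issue: a docs request that embeds a credential assignment.
TITLE = "Update runbook for router login"
BODY = "Please document the login step. Use password: hunter2 for the lab box."
```

Either fix named in the comment closes the gap here: classifying the raw text, or classifying text produced by redact_values, both reach Tier 4.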
| decision_comments = [ | ||
| comment | ||
| for comment in comments | ||
| if any(marker in str(comment.get("body", "")) for marker in RELIABILITY_DECISION_MARKERS) | ||
| ] |
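Review bot: marker in str(comment.get("body", "")) matches the marker anywhere in the comment, so a reply that quotes or mentions an earlier record is collected as a decision comment, and str(...) turns a body of None into the text None rather than skipping it. Require the marker at a fixed position such as the first line and skip bodies that are not strings.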
Authenticate Reliability Decision comments
With --require-reliability-decision, this treats any issue comment containing the marker as a valid Reliability Decision Record. Because the JSON payload is unsigned and no comment author/bot identity is checked, a user who can comment can post a later forged allow_approved record matching the current title/body; if the issue has or later gets loop:approved, the daemon will accept it and run within the intersected allowlist. Verify the trusted author or a signature before accepting the comment payload.
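One way to combine the two mitigations raised in this thread, binding approval to an immutable issue revision and authenticating decision comments, as an added example that is not the project's code. The marker string, the flat author field, the bot login and the shared HMAC key between Governor and daemon are all assumptions, and the sample data is constructed.

```python
import hashlib
import hmac
import json

MARKER = "<!-- reliability-decision -->"          # hypothetical marker string
TRUSTED_AUTHORS = {"reliability-governor[bot]"}   # hypothetical bot login

def issue_digest(title: str, body: str) -> str:
    """Digest of the exact issue revision a decision applies to."""
    return hashlib.sha256(json.dumps([title, body]).encode()).hexdigest()

def _mac(key: bytes, payload) -> str:
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def render_comment(key: bytes, decision: str, title: str, body: str) -> str:
    """Comment text the Governor posts: marker line, JSON payload line, MAC line."""
    payload = {"decision": decision, "issue_digest": issue_digest(title, body)}
    return "\n".join([MARKER, json.dumps(payload), _mac(key, payload)])

def accepted_decision(key: bytes, comments: list, title: str, body: str) -> "str | None":
    """Newest decision with a trusted author, a valid MAC and the current digest."""
    for comment in reversed(comments):
        text = comment.get("body")
        if not isinstance(text, str) or comment.get("author") not in TRUSTED_AUTHORS:
            continue
        parts = text.split("\n")
        if len(parts) != 3 or parts[0] != MARKER:
            continue  # marker must be the first line, not merely present somewhere
        try:
            payload = json.loads(parts[1])
            sig_ok = hmac.compare_digest(_mac(key, payload).encode(), parts[2].encode())
        except ValueError:
            continue  # malformed JSON or unencodable signature text
        if not (isinstance(payload, dict) and sig_ok):
            continue  # unsigned or tampered payload
        if payload.get("issue_digest") != issue_digest(title, body):
            continue  # issue was edited after this decision was written
        return payload.get("decision")
    return None

# Constructed sample data for the example.
KEY = b"constructed-demo-key"
TITLE, BODY = "Fix typo in docs", "Correct the spelling in README."
SIGNED = {"author": "reliability-governor[bot]",
          "body": render_comment(KEY, "allow_approved", TITLE, BODY)}
```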
Summary
Adds the Reliability Governor as the Staff SRE control plane for autonomous operations. The implementation keeps production v1 timer-driven and deterministic, with GitHub labels as enforcement and the Engineering daemon consuming only loop:approved.

What changed
- reliability-governor --once CLI command, keeping governor as a compatibility alias.
- ReliabilityGovernorWakeEvent contract for future callback-driven wake/reconcile behavior without choosing a durable transport yet.
- loop:approved means Reliability-Governor-or-human-approved work.

Validation
- uv run pytest tests/test_phase29_governor.py -q -> 9 passed
- uv run mypy --strict src -> passed
- git diff --cached --check -> passed
- uv run pytest -q -> 205 passed

Rollout notes
Production rollout should start with a --dry-run pass on the dedicated loop VM using the real capability registry, Knowledge MCP, and NOC CaseService environment. Enable the timer only after the dry-run output is reviewed.