docs(design): plan exact MCP client-tool continuation#5201
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
🤖 The AI agent says: This is a design-only PR. I need review on three boundaries before any implementation starts:
🔸 Decision needed: minimum client timeout
I recommend Option B. If WP0 cannot hold the real Claude MCP request beyond 60 seconds, the plan stops and keeps the current cold path. |
d0c8940 to
9c73333
Compare
9c73333 to
411537d
Compare
|
Verdict: approve with comments. The plan is sound and unusually careful. I spot-checked the load-bearing factual claims against the working tree and every one held: 1. Consistency with #5234: you both edit the same handler, and neither plan declares the order. #5234 slice 1 extracts 2. Design gap: interface.md's neutrality claim does not fully survive the A2 stdio transport that #5234 makes the committed Daytona shape. The delivery port is structurally neutral, but two semantics are HTTP-specific. First, 3. Consistency: nobody owns the Daytona client-tool bridge. This plan scopes Daytona out (correctly). #5234 delivers gateway tools only and says the shim inherits pause semantics "when the continuation work lands," with the relay-side protocol "deliberately not designed here." Net effect after both land: Claude + Daytona + client tool still refuses up front, and no workspace owns the bridge (relay park protocol, a relay implementation of your delivery port, and the race between a held browser wait and the five-minute Daytona auto-stop, which kills the shim and the held call on park-to-stopped). The two fail-loud/local-only positions are mutually consistent; the gap is that the follow-up work is doubly disclaimed. One sentence in plan.md naming it as explicitly unowned future work, needing its own workspace, would prevent the orchestration hole. 4. Nit: context.md will go stale the week #5234 merges. "Non-Pi Daytona runs with Agenta tools are rejected before session creation" becomes true only for client tools and non-Daytona remote providers after #5234 slice 2 narrows the gate. Add a forward reference. Related wording: WP5's "keep Daytona on the cold path" is imprecise for client tools, where Daytona has no cold path, only the up-front refusal; qa.md already words this correctly ("fails or falls back as it does before this project"). 5. Answers to the questions in the PR description, within the settled decisions: the six-package order is right once the #5234 slice-1 dependency above is added; local Claude first is the right scope and matches #5234's fail-loud posture on Daytona; loopback auth as a prerequisite is correct (hold-open extends the endpoint's lifetime, and the bearer fits the existing This is an automated cross-consistency review requested by the owner, run alongside his own review of #5232 (event-driven tool relay). It checks this plan against #5234 (in-sandbox tool MCP) and #5232 for contradictions, shared seams, and sequencing. |
| ceiling, and use cold fallback for longer waits. | ||
| - Option C: ship any measurable hold, even below 60 seconds. | ||
|
|
||
| Recommendation: Option B. It provides a useful fast path without claiming that the runner controls |
There was a problem hiding this comment.
I think it should be the same as the warm path no? it a different env var but per default it should be the same number
| - Option A: allow multiple operations per session and support client-tool JSON-RPC batches. | ||
| - Option B: support one pending operation and reject client-tool batches before execution. | ||
|
|
||
| Recommendation: Option B. The current pause latch and session resume path are single-gate. Multiple |
There was a problem hiding this comment.
same as now we should hvae. which is we block things when we have more nicely for ht euser
…inuation plan State the transport-specific limits of cancel and onClosed in the delivery port, open the transport union, add the future in-sandbox stdio mapping (PR #5234) with its missing prerequisites, pin the WP1 bearer to the HTTP transport wrapper, declare that PR #5234 slice 1 lands before WP1 and WP3, and correct the WP5 Daytona wording. Claude-Session: https://claude.ai/code/session_01Fr4A5zjs5rsufRaWgWiUNC
411537d to
85ae348
Compare
|
Follow-up: the review findings above are now addressed in this workspace (owner request). Addressed in this PR's branch:
Pending, deliberately not in this PR:
|
…surement gates Fold the Codex xhigh review into the client-tool continuation plan. Rescope v1 to WP0 (expanded with cold-path baseline metrics: first-reissue match rate, argument drift, added model calls/latency/cost, wrong-replica rate, wait percentiles) plus WP1 loopback hardening (auth from headers before body parsing, timing-safe comparison, per-environment token and rotation test, result-size cap separated from auth). Defer WP2 through WP5 behind two concrete unlock gates: Claude holds the request past the 60-second idle TTL, and cold replay demonstrably harms users. Slim the delivery port to deliver -> accepted|unavailable plus dispose; cut cancel and onClosed (they modeled an HTTP response handle); correctness rests on lease expiry and teardown. Replace the standalone registry with pool-owned placement (ParkedClientTool beside ParkedApproval, awaiting_client_tool in session-pool.ts, McpHttpResultDelivery under tools/). Rename harnessToolCallId to toolCallId with its provenance as a registration invariant. Restrict any future warm mode to owner-routed deployments and define the delivery commit point. Drop the dependency on #5234's handler extraction (cut from that project's v1). The deferral is the top review question for the owner; it reverses part of a plan he LGTM'd and is flagged as such in status.md and open-questions.md. Claude-Session: https://claude.ai/code/session_0127AM79khCdvD2b8BG2joZL
|
Folded the Codex xhigh review into this workspace (commit 3fdac7c). The headline decision, awaiting the owner: the warm hold-open path is deferred. He LGTM'd the fuller plan before this review; the deferral is a deliberate conservative rescope adopted while he slept, under his standing simplify-aggressively instruction, and it is reversible from git history. It is the top item in open-questions.md. Per finding:
status.md and open-questions.md flag the deferral provenance explicitly. The orchestration file in |
Context
When Claude calls an Agenta client tool such as
request_connection, the runner currently destroys the internal MCP response to pause the turn. The browser result arrives on a new/run, Claude reissues the tool with a new id, and the runner matches the result by tool name and arguments. PR #5197 improves native session recovery after that teardown, but it does not preserve the original MCP call.This design adds a progressive local exact path. The runner holds the original MCP response and prompt, returns the browser result to that same JSON-RPC request, and keeps the current cold path for every unsupported or failed case.
Changes
This PR adds a design-only workspace for the change:
Before, a browser result can only reach a new model-issued client-tool call through cold matching. After the proposed local path, the same live MCP request receives the result and the original prompt continues without another model decision.
Scope / risk
This PR changes documentation only. It does not implement the hold-open path or change runner behavior.
A real MCP gateway, Daytona exact delivery, cross-replica forwarding, public wire changes, MCP client-tool batches, and multiple pending client tools per session remain out of scope. The design keeps those boundaries explicit and defines an interface that a future gateway can implement.
The main implementation risks are Claude's unmeasured MCP client timeout, unauthenticated loopback access, duplicate result races, held-socket cleanup, and output loss during fallback. Each has an earlier work package or a default-off exit gate before rollout.
Tests / notes
big-agentsatcb63991eaa7d757c98d7c02a54382403fbe348ff.343d7146935a8eb3ed41a203cd9a3db6ee954eefwhile drafting.How to review
context.mdfor the warm, cold, and PR [feat] Resume agent sessions across the sandbox lifecycle #5197 boundaries.research.mdfor the current code findings and the old-versus-new risk split.interface.mdfor identity, scope, routing, protocol, lifecycle, and future-gateway separation.plan.mdfor work-package order and rollback gates.qa.mdandopen-questions.mdto challenge the enablement bar and the remaining decisions.