feat: signed maintain history + per-role model picker + recall explorer (dashboard) #96
Merged
…er in the dashboard
Three roadmap items, all small and orthogonal:
1. SIGNED MAINTAIN HISTORY (enterprise): maintain-export --sign embeds an audit block in the
snapshot — the hash-chain head over the runs + HMAC-SHA256 signature (QODEX_AUDIT_KEY env,
never stored; non-secret keyId recorded). Unsigned exports still carry the integrity head.
maintain-import verifies BEFORE reporting/merging: a tampered or wrongly-signed snapshot is
refused with exit 1; the report shows "Audit: ✓ integrity intact · 🔏 signature valid".
PURE: historyHead / verifyHistoryAudit reuse the maintain-audit chain primitives.
2. DASHBOARD — MODELS PER ROLE: the single default-model select becomes a "Models — per role"
panel: main / sub-agent / vision selects plus "one model for everything". model.set gains a
role param (main|subagent|vision|all; default main → backward compatible) writing
defaults.model / roles.<role>.{model,provider} (provider inferred). Vision awareness via
looksVisionCapable: a vision-capable main model gets a 👁 badge and the vision row says
"optional — main already sees images"; picking a non-vision model FOR the vision role warns.
3. DASHBOARD — RECALL EXPLORER: ask "how did we do X before?" in the dashboard. recall.query
action runs the same rankApproaches → renderApproachDiffs pipeline as the recall_approach
tool (best match + how other attempts differed + stable core), rendered in-place in a <pre>
without a page reload.
The remaining three roadmap items — small, orthogonal, shipped together.
1. Signed maintain history (enterprise)
qodex maintain-export --sign embeds an audit block in the portable snapshot: the tamper-evident hash-chain head over the runs plus an HMAC-SHA256 signature (key from QODEX_AUDIT_KEY env — never stored; only a non-secret keyId is recorded). Unsigned exports still carry the integrity head.
maintain-import now verifies before reporting or merging: a snapshot whose runs don't match the head, or whose signature fails, is refused (exit 1). A clean one reports Audit: ✓ integrity intact · 🔏 signature valid (authentic).
PURE core (historyHead/verifyHistoryAudit) reuses the maintain-audit chain primitives — one hashing implementation, two artifacts.
2. Dashboard: models per role — with vision awareness
The single default-model select becomes "Models — per role": main / sub-agent / vision selects, plus "one model for everything".
model.set gains role: main|subagent|vision|all (default main → fully backward compatible), writing defaults.model/roles.<role>.{model,provider} (provider inferred from the model id).
Vision logic as requested: a vision-capable main model gets a 👁 has vision badge and the vision row reads "optional — main already sees images" — no separate vision model needed. Choosing a non-vision model for the vision role warns instead of failing.
3. Dashboard: recall explorer
Type "how did we add auth?" in the dashboard → the same rankApproaches → renderApproachDiffs pipeline as the recall_approach tool (best match + how other attempts differed + stable core), rendered in place without a reload.
+2 signed-history tests, +8 dashboard assertions. Full suite 1516 green, tsc clean.
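An added sketch of the verify-before-merge pattern described in item 1 (example code, not Qodex's own): a hash-chain head over the runs, an HMAC-SHA256 over that head, and a verifier that refuses on either mismatch. The chain layout, the function names, the key being passed as a parameter (the PR reads it from QODEX_AUDIT_KEY) and the `requireSigned` option are assumptions made for this example.

```javascript
const crypto = require("node:crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");
const hmac = (key, audit) =>
  crypto.createHmac("sha256", key).update(`${audit.keyId}:${audit.head}`).digest();

// Head of a hash chain over the runs: each link commits to the previous
// link and to the run's JSON. Assumed layout, chosen for this example.
function chainHead(runs) {
  return runs.reduce((prev, run) => sha256(`${prev}\n${JSON.stringify(run)}`), sha256("genesis"));
}

// Export: always record the head; add keyId + signature only when a key is given.
function exportSnapshot(runs, key, keyId) {
  const audit = { head: chainHead(runs) };
  if (key) {
    audit.keyId = keyId; // non-secret label so the importer can pick the right key
    audit.signature = hmac(key, audit).toString("hex");
  }
  return { runs, audit };
}

// Verify before anything is merged. requireSigned (hypothetical option) closes the
// downgrade where runs are edited, the head recomputed and the signature dropped.
function verifySnapshot(snapshot, key, { requireSigned = false } = {}) {
  const { runs, audit } = snapshot;
  if (!audit || !Array.isArray(runs) || chainHead(runs) !== audit.head) {
    return { ok: false, reason: "integrity" };
  }
  if (audit.signature === undefined) {
    return requireSigned ? { ok: false, reason: "unsigned" } : { ok: true, signed: false };
  }
  if (!key) return { ok: false, reason: "no-key" };
  const given = Buffer.from(String(audit.signature), "hex");
  const expected = hmac(key, audit);
  const valid = given.length === expected.length && crypto.timingSafeEqual(given, expected);
  return valid ? { ok: true, signed: true } : { ok: false, reason: "signature" };
}

// Constructed sample data.
const SAMPLE_RUNS = [
  { id: 1, task: "dedupe", changed: 3 },
  { id: 2, task: "prune", changed: 0 },
];
```

The unsigned head only catches runs that no longer match it; anyone able to rewrite the snapshot can recompute it, which is why the signed path and a require-signature policy matter on import.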