Skip to content

Make adaptive refresh agent-aware with explicit local activity consent#2111

Open
hhh2210 wants to merge 4 commits into
steipete:mainfrom
hhh2210:codex/agent-aware-adaptive-refresh
Open

Make adaptive refresh agent-aware with explicit local activity consent#2111
hhh2210 wants to merge 4 commits into
steipete:mainfrom
hhh2210:codex/agent-aware-adaptive-refresh

Conversation

@hhh2210

@hhh2210 hhh2210 commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Problem

#2029 found that the replay-only activity candidate did not improve global p95 menu staleness, so that result did not support a broad production claim. Main now has the local Agent Sessions scanner from #1968, which provides an attributable Codex/Claude activity signal without adding another detector.

This PR has a narrower target: while local coding is active, an unconstrained Adaptive decision should not wait longer than the old 5-minute default. Global p95 remains unchanged.

Consent and upgrade boundary

Adaptive cadence is not permission to inspect local process or session metadata.

  • CodexBar persists a separate undecided, allowed, or declined choice. Only allowed enables Adaptive-only scanning.
  • Fresh installs default to Adaptive, then show a one-time local-activity prompt before the first scan. Declining leaves Adaptive selected and uses menu activity only.
  • Existing Adaptive users also start as undecided after upgrade and perform no Adaptive-only scan until they allow it.
  • The prompt discloses the actual scanner scope: the running-process list, including command lines, plus known Codex/Claude session metadata every 30 seconds. It also states that Adaptive-only mode keeps one latest-activity timestamp in memory, discards paths and identities, sends no activity data, and does not enable remote discovery or SSH.
  • The choice is editable in General settings. Turning it off stops monitoring and clears the in-memory activity timestamp.
  • Agent Sessions remains a separate explicit setting. When enabled, its existing local scan path continues to work independently; remote discovery and SSH still require that setting.
  • Existing installs with no stored cadence retain the 5-minute fallback. Invalid cadence values recover to 5 minutes, and every valid Manual, fixed, or Adaptive choice remains unchanged.

The historical edge case is unchanged: a completely untouched, configless v0.1-v0.3 install left no durable state that can distinguish it from a new install, so that cohort follows the fresh-install default.

Consent UI

Adaptive refresh local activity consent

Use Menu Activity Only also responds to Escape. The same six consent/settings strings are present in all supported app language catalogs.

Packaged runtime proof

Redacted exact-head proof report

The proof bundle came from clean commit 2c0a41479602a8aa804139cbf50bef358e32d3da. Its embedded CodexGitCommit is 2c0a4147; the debug executable SHA-256 is eb3361e2a96e9cae269ce4490e96ed555da09ce9f802268e33af24dfc4712499.

The bundle ran with network access denied, Keychain access disabled, and synthetic HOME / CODEX_HOME data containing one recent fixture rollout. It did not read a real Codex or Claude transcript.

Scenario Initial state Packaged result
Fresh install no config, marker, cadence, or consent persisted adaptive + undecided; showed the prompt; 0 local session scans before a decision
Existing Adaptive config + marker + stored adaptive, consent missing repaired consent to undecided; showed the prompt; 0 local session scans
Legacy unset config + marker, cadence and consent missing persisted fiveMinutes; no prompt; 0 local session scans
Allowed branch same bundle, persisted allowed replayed 3 scanner starts across 65.6 seconds; timer moved from longIdle 1800s to codingActivity 300s; 0 Tailscale/SSH events
Declined branch existing Adaptive config, persisted declined replayed no repeated prompt and 0 scans after crossing a full 30-second interval

The persisted allowed and declined states were replayed on relaunch to isolate the two runtime branches. Focused tests cover setter persistence, reload, invalid-value repair, existing-Adaptive behavior, and the Agent Sessions bypass.

Sustained scan profile

The allowed process produced scanner starts at t+0.000s, t+31.350s, and t+63.336s. The first scan pulled the pending Adaptive timer from 30 minutes to 5 minutes eight milliseconds later. No remote discovery, remote fetch, or SSH subprocess label appeared.

A 65.646-second Time Profiler recording covered the next two scans:

  • 170 running samples at 1.00 ms weight, about 170 ms of sampled CPU time for the whole app, or 0.26% of one core over the window;
  • scanner frames in AgentSessionsStore.refreshLocal, LocalAgentSessionScanner.scan, LocalAgentSessionScanner.processOutput, and SubprocessRunner.run;
  • 0 potential hangs at the template's 250 ms threshold.

The raw trace SHA-256 is be7943ea0588bdb6f60d60d3ddaa3ef65453f65dea5cc505f14cd1badae786a2. The trace stays local because Instruments embeds local paths and environment values. These are sampled runtime figures, not an energy claim.

Policy replay

Agent-aware Adaptive replay

Frozen trace: 1,780 JSONL records, SHA-256 b1e4aa33180b7c177293eb9ed16b45e24e026d259600fba2b1b67b931b904f0b.

Policy Simulated refreshes Per observed 24h Active coding over 5m Menu p50 / p95 Constraints
Agent-aware Adaptive 696 143.88 0 / 145 139s / 1093s pass
Menu-only Adaptive 694 143.47 4 / 145 142s / 1093s pass
Fixed 5m 1383 285.90 0 / 99 150s / 281s 157 violations

Compared with menu-only Adaptive, the activity signal adds 2 simulated refreshes (+0.29%) and removes all 4 observed active-coding delays above 5 minutes. Compared with fixed 5 minutes, it schedules 49.7% fewer simulated refreshes. These are policy-clock results, not observed provider requests.

The trace comes from one machine. Activity covers 462 of 733 decision records, and p95 remains 1093 seconds. It samples activity at reconstructed decision points rather than replaying the 30-second scanner callback; the packaged profile above covers that callback.

Validation

  • make check: pass; SwiftFormat clean and SwiftLint reported 0 violations
  • 67 focused tests passed across settings rollout/consent, Agent Sessions projection, Adaptive timer behavior, and localization
  • The settings suite covers fresh persistence, both prior-launch markers, existing config, String and non-String invalid values, all 7 valid cadence values, consent persistence, and existing-Adaptive opt-in

The released adaptive-activity replay CLI spelling remains a deprecated alias for adaptive, while adaptive-menu-only names the historical baseline.

Copilot AI review requested due to automatic review settings July 13, 2026 02:39

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR makes Adaptive refresh agent-aware by default by feeding recent local Codex/Claude activity into the adaptive cadence decision, while keeping the Agent Sessions UI (and all remote discovery/SSH behavior) explicitly opt-in.

Changes:

  • Extend the shared AdaptiveRefreshPolicyCore decision table with an optional lastCodingActivityAt signal that caps otherwise-slower unconstrained delays at 5 minutes.
  • Make missing/unrecognized refreshFrequency resolve to .adaptive, and enable bounded local session monitoring when Adaptive is effective—without enabling the Agent Sessions UI.
  • Update replay tooling to treat activity-aware Adaptive as production (adaptive), preserve the historical baseline as adaptive-menu-only, and keep adaptive-activity as a CLI alias.

Reviewed changes

Copilot reviewed 30 out of 30 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
Tests/CodexBarTests/SettingsStoreTests.swift Update default/fallback expectations for refresh frequency; add explicit 5m preservation test.
Tests/CodexBarTests/CodexSessionRolloutTests.swift Add bounded-rollout parsing coverage for local scanner limits.
Tests/CodexBarTests/ClaudeSessionMappingTests.swift Add transcript list limiting coverage.
Tests/CodexBarTests/AgentSessionMenuDescriptorTests.swift Cover Adaptive-only monitoring enablement, projection, and constraint pausing.
Tests/CodexBarTests/AdaptiveRefreshTimerTests.swift Add timer pull-forward behavior tests for coding activity; ensure fixed-mode behavior stays in-memory only.
Tests/CodexBarTests/AdaptiveRefreshPolicyTests.swift Verify app adapter forwards coding activity into policy decisions.
Tests/AdaptiveReplayKitTests/MenuOnlyAdaptivePolicyTests.swift Reframe replay tests around production adaptive and the historical menu-only baseline.
Tests/AdaptiveReplayKitTests/AdaptiveRefreshPolicyCoreTests.swift Add core policy tests for coding-activity cap, boundaries, and constraints.
Tests/AdaptiveReplayCLITests/CLIArgumentsTests.swift Ensure adaptive-activity remains accepted and maps to production adaptive.
Sources/CodexBarCore/LocalAgentSessionScanner.swift Bound process/rollout/transcript candidate handling to configured limits.
Sources/CodexBarCore/AgentSession.swift Extend scan config with bounds; add transcript limiting support.
Sources/CodexBar/UsageStore+AdaptiveRefresh.swift Wire lastCodingActivityAt through adaptive decisions and timer advancement behavior.
Sources/CodexBar/UsageStore.swift Track lastCodingActivityAt in-memory; refactor timer restart helper.
Sources/CodexBar/StatusItemController+AgentSessions.swift Forward activity timestamp into adaptive refresh; centralize agent session settings sync.
Sources/CodexBar/StatusItemController.swift Track refresh-frequency changes alongside agent-session settings; use new wiring helpers.
Sources/CodexBar/SettingsStore.swift Change missing/unrecognized refresh-frequency fallback to .adaptive.
Sources/CodexBar/AgentSessionsStore.swift Enable local monitoring under Adaptive without enabling UI; project activity timestamp-only when UI is off.
Sources/CodexBar/AdaptiveRefreshPolicy.swift Thread coding activity input through the production policy adapter into the shared core.
Sources/AdaptiveReplayKit/README.md Update replay docs to reflect production activity-aware Adaptive and historical baseline.
Sources/AdaptiveReplayKit/HistoricalPolicies.swift Add historical menu-only Adaptive baseline policy (adaptive-menu-only).
Sources/AdaptiveReplayKit/CandidatePolicies.swift Remove replay-only activity candidate (now folded into production policy).
Sources/AdaptiveReplayKit/BaselinePolicies.swift Feed coding activity into production replay policy; add helper for omitting the signal.
Sources/AdaptiveReplayCLI/main.swift Update CLI help text and document alias behavior.
Sources/AdaptiveReplayCLI/CLIArguments.swift Replace candidate policy with historical baseline; implement adaptive-activity alias parsing.
Sources/AdaptiveRefreshCore/AdaptiveRefreshPolicyCore.swift Add coding-activity signal, reason, thresholds, and cap behavior to shared decision table.
README.md Update high-level feature description and privacy note for adaptive local scan behavior.
docs/refresh-loop.md Document new default fallback, activity signal, scanner bounds, and pause conditions.
docs/predictive-refresh-policy.md Update decision record to reflect agent-aware adaptive default extension and constraints.
CHANGELOG.md Document default/fallback change, activity cap behavior, and bounded/local-only scan implications.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines 162 to +166
self.localRefreshInFlight = true
let sessions = await self.localScanner.scan()
self.localRefreshInFlight = false
guard !Task.isCancelled, self.settings.agentSessionsEnabled else { return }
self.localSessions = sessions
self.lastUpdatedAt = Date()
guard !Task.isCancelled, self.localMonitoringEnabled else { return }
self.applyLocalScanResult(sessions)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 04df269. LocalAgentSessionScanner.scan is now @concurrent, so the synchronous ps/lsof work and transcript parsing do not inherit a MainActor caller. I kept structured concurrency instead of using a detached task, which preserves cancellation, priority, and task-local values. The 37 repair-focused tests pass and make check is clean.

@clawsweeper clawsweeper Bot added proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. labels Jul 13, 2026
@clawsweeper

clawsweeper Bot commented Jul 13, 2026

Copy link
Copy Markdown

Codex review: found issues before merge. Reviewed July 13, 2026, 2:11 AM ET / 06:11 UTC.

Summary
The PR makes Adaptive the fresh-install refresh default and adds consent-gated local Codex/Claude activity scanning to cap slower Adaptive refresh decisions at five minutes.

Reproducibility: not applicable. This PR proposes a new refresh default, consent preference, and activity-aware mode rather than fixing a defined current-main failure. Its runtime branches are nevertheless demonstrated with exact-head packaged proof.

Review metrics: 3 noteworthy metrics.

  • Patch scope: 62 files; +1,242 / -195. The change spans policy, settings migration, runtime scanning, UI, documentation, tests, and every localization catalog.
  • Localization surface: 23 catalogs changed. Six new consent/settings strings must remain accurate about command-line inspection, retention, and remote behavior across all supported languages.
  • Reported validation: 67 focused tests; 5 packaged scenarios. The contributor supplied unusually strong exact-head validation, although it does not resolve the product and upgrade decision.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🦞 diamond lobster ✨ media proof bonus
Patch quality: 🦐 gold shrimp
Result: needs maintainer review before merge.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P2] Obtain the maintainer decision on the fresh-default and ambiguous legacy cohort, then implement that contract.
  • Request notification authorization after the consent modal during the same launch.
  • Remove the CHANGELOG.md edit.

Risk before merge

  • [P1] Untouched configless v0.1-v0.3 installations are indistinguishable from fresh installs and would silently change from the established five-minute cadence to Adaptive.
  • [P1] Fresh users shown the consent modal may never receive notification authorization while the app remains running because the request is deferred to a future launch.
  • [P1] After consent, Adaptive invokes a scanner that inspects running command lines and known session metadata every 30 seconds; the boundary is disclosed and locally proven, but maintainers must explicitly accept this broader use outside Agent Sessions.

Maintainer options:

  1. Preserve the existing default (recommended)
    Keep unset and ambiguous installations at five minutes, retain explicit consent for activity-aware Adaptive, request notifications in the same launch, and remove the changelog edit before merge.
  2. Approve the documented upgrade break
    A maintainer can explicitly accept the configless historical cohort changing cadence, after which the notification and changelog findings still need correction.
  3. Pause the production promotion
    Close or defer the branch if the single-machine replay and broader local-inspection scope do not justify changing the default now.

Next step before merge

  • [P2] A maintainer must choose the refresh-default and ambiguous-upgrade contract; once chosen, the contributor should update that behavior, restore same-launch notification onboarding, and remove the changelog edit.

Maintainer decision needed

  • Question: Should CodexBar make Adaptive the default despite the indistinguishable configless v0.1-v0.3 cohort, or should this PR preserve the five-minute default and only add consent-gated activity awareness for explicitly selected Adaptive mode?
  • Rationale: Source and proof can validate either implementation, but they cannot decide whether silently changing cadence for an existing historical cohort and broadening local scanner use is an acceptable product and upgrade contract.
  • Likely owner: steipete — They introduced the reused Agent Sessions scanner and are the best-supported owner for the repository-level default, privacy, and upgrade decision.
  • Options:
    • Narrow to explicit Adaptive (recommended): Preserve the five-minute default for unset installations and land the consent-gated activity cap only when users explicitly select Adaptive.
    • Accept the historical cohort change: Approve Adaptive as the fresh-install default while explicitly accepting that indistinguishable untouched v0.1-v0.3 installations will also change cadence.
    • Pause the default change: Defer the production default and scanner expansion until stronger multi-machine policy evidence or a reliable install-state discriminator exists.

Security
Cleared: No dependency, workflow, secret-access, or exfiltration regression was found; the sensitive local scan is separately consent-gated, projects only a timestamp for Adaptive, and exact-head proof observed no pre-consent, remote, or SSH activity.

Review findings

  • [P1] Preserve ambiguous legacy installs before changing the default — Sources/CodexBar/SettingsStore.swift:278
  • [P2] Request notification authorization during the same launch — Sources/CodexBar/CodexbarApp.swift:394
  • [P3] Remove the release-owned changelog entry — CHANGELOG.md:8-9
Review details

Best possible solution:

Keep the consent-gated activity signal for users who explicitly choose Adaptive, preserve the five-minute behavior for all ambiguous existing installations unless a reliable fresh-install marker is available, request notification authorization after the consent modal in the same launch, and remove the changelog edit.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this PR proposes a new refresh default, consent preference, and activity-aware mode rather than fixing a defined current-main failure. Its runtime branches are nevertheless demonstrated with exact-head packaged proof.

Is this the best way to solve the issue?

No, not in its current breadth: reusing the existing scanner behind separate consent is maintainable, but coupling that feature to an ambiguous fresh-install default and delaying notification authorization creates avoidable upgrade and onboarding regressions.

Full review comments:

  • [P1] Preserve ambiguous legacy installs before changing the default — Sources/CodexBar/SettingsStore.swift:278
    The absence of config and launch markers does not prove a fresh install: the PR explicitly identifies untouched configless v0.1-v0.3 installations with the same state. This branch therefore silently moves those existing users from the established five-minute cadence to Adaptive. Preserve five minutes for this ambiguous state, narrow the PR to explicitly selected Adaptive, or obtain explicit maintainer approval for the upgrade break.
    Confidence: 0.99
  • [P2] Request notification authorization during the same launch — Sources/CodexBar/CodexbarApp.swift:394
    When the consent alert is shown, this condition suppresses the existing startup notification request entirely until a later app launch. A fresh user who leaves the menu-bar app running may never receive quota notifications. Queue the notification request after the modal is dismissed instead of deferring it to another launch.
    Confidence: 0.99
  • [P3] Remove the release-owned changelog entry — CHANGELOG.md:8-9
    Repository policy states that CHANGELOG.md is release-owned and normal PRs must not edit it. Remove this entry and keep the release-note context in the PR body or commit message.
    Confidence: 1

Overall correctness: patch is incorrect
Overall confidence: 0.99

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against c852c135e10c.

Label changes

Label justifications:

  • P2: This is a substantial but not yet shipped refresh/default improvement with bounded compatibility and privacy implications requiring normal-priority maintainer review.
  • merge-risk: 🚨 compatibility: Merging can silently change cadence for indistinguishable configless legacy installations and delay notification onboarding until another launch.
  • merge-risk: 🚨 security-boundary: Merging allows Adaptive, after explicit consent, to inspect local process command lines and session metadata outside the existing Agent Sessions feature boundary.
  • rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦞 diamond lobster and patch quality is 🦐 gold shrimp.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (linked_artifact): The PR provides a consent screenshot and an exact-head packaged report showing fresh, upgrade, allowed, and declined behavior with synthetic data, network denied, Keychain disabled, recurring scans, timer pull-forward, and no remote/SSH activity.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR provides a consent screenshot and an exact-head packaged report showing fresh, upgrade, allowed, and declined behavior with synthetic data, network denied, Keychain disabled, recurring scans, timer pull-forward, and no remote/SSH activity.
Evidence reviewed

What I checked:

  • Re-review continuity: The current head remains 2c0a414, the same SHA reviewed in the latest completed ClawSweeper cycle, so the three prior findings must be re-raised where unchanged. (2c0a41479602)
  • Legacy-upgrade ambiguity: Freshness is inferred from the absence of config and prior-launch markers, while the PR body acknowledges that untouched configless v0.1-v0.3 installs have the same state; those existing users therefore move from the established five-minute default to Adaptive. (Sources/CodexBar/SettingsStore.swift:278, 2c0a41479602)
  • Notification onboarding regression: When the Adaptive consent alert is presented, startup notification authorization is skipped rather than queued after the modal, so a fresh user receives no notification permission request until another app launch. (Sources/CodexBar/CodexbarApp.swift:394, 2c0a41479602)
  • Repository release-note policy: The branch still adds a user-facing entry to CHANGELOG.md even though the fully read repository AGENTS.md states that normal PRs must leave the release-owned changelog unchanged. (CHANGELOG.md:8, 2c0a41479602)
  • Exact-head runtime proof: The linked packaged report identifies head 2c0a414 and exercises fresh, existing-Adaptive, legacy-unset, allowed, and declined branches; it reports zero scans before consent, recurring local scans after allow, timer pull-forward to five minutes, and no remote or SSH events. (2c0a41479602)
  • Agent Sessions provenance: Merged PR Agent Sessions: track live Codex and Claude sessions across Macs #1968 introduced the local process/session scanner reused by this branch, with merge commit 8106e7d. (Sources/CodexBarCore/LocalAgentSessionScanner.swift:19, 8106e7d3cc31)

Likely related people:

  • steipete: Introduced the Agent Sessions scanner reused by this PR and owns the repository where the refresh-default and local-inspection policy must be accepted. (role: introduced behavior and likely product decision owner; confidence: high; commits: 8106e7d3cc31; files: Sources/CodexBar/AgentSessionsStore.swift, Sources/CodexBarCore/LocalAgentSessionScanner.swift)
  • hhh2210: Previously landed the shared Adaptive replay/core work in merged PR feat: add offline adaptive-refresh replay tooling #2029, so they have relevant merged history beyond proposing this branch. (role: recent adaptive-refresh area contributor; confidence: high; commits: fe75394076f3; files: Sources/AdaptiveRefreshCore/AdaptiveRefreshPolicyCore.swift, Sources/AdaptiveReplayKit/BaselinePolicies.swift, Sources/AdaptiveReplayCLI/CLIArguments.swift)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
Review history (5 earlier review cycles)
  • reviewed 2026-07-13T03:01:14.993Z sha e393deb :: needs real behavior proof before merge. :: [P1] Preserve unset users or add a fresh-install migration
  • reviewed 2026-07-13T04:18:55.172Z sha 04df269 :: needs real behavior proof before merge. :: [P1] Preserve the scan boundary for existing Adaptive users
  • reviewed 2026-07-13T04:25:16.211Z sha 04df269 :: needs real behavior proof before merge. :: [P1] Preserve the scan boundary for existing Adaptive users
  • reviewed 2026-07-13T05:50:21.369Z sha 2c0a414 :: needs real behavior proof before merge. :: [P3] Remove the release-owned changelog edit
  • reviewed 2026-07-13T06:00:07.930Z sha 2c0a414 :: found issues before merge. :: [P1] Preserve ambiguous legacy installs before changing the default | [P2] Request notification authorization during the same launch | [P3] Remove the release-owned changelog entry

@hhh2210 hhh2210 changed the title Make adaptive refresh agent-aware by default Make adaptive refresh agent-aware on fresh installs Jul 13, 2026
@hhh2210

hhh2210 commented Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

The two current-head blockers are fixed in 04df269a:

  • Adaptive is now the fresh-install default. Existing config or either prior-launch marker keeps an unset cadence at 5 minutes; invalid values also recover to 5 minutes. All valid stored choices remain unchanged. The resolved value is persisted immediately.
  • LocalAgentSessionScanner.scan is @concurrent, so process and transcript parsing cannot inherit MainActor execution.

The new settings suite covers fresh persistence, both launch markers, existing config, String and non-String invalid values, and all 7 valid cadence values across fresh and marked states. The PR body now states the only historical ambiguity: a completely untouched, configless v0.1-v0.3 install left no durable signal that differs from a new install.

make check is clean, and 37 repair-focused tests pass on this head. The replay screenshot, frozen-trace hash, coverage limits, and scanner cost measurements remain in the PR body.

@clawsweeper

clawsweeper Bot commented Jul 13, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@hhh2210 hhh2210 changed the title Make adaptive refresh agent-aware on fresh installs Make adaptive refresh agent-aware with explicit local activity consent Jul 13, 2026
@hhh2210

hhh2210 commented Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

Head 2c0a4147 addresses the authorization finding and adds the requested packaged-app proof.

  • Adaptive cadence no longer authorizes local scanning. A separate persisted undecided / allowed / declined preference gates the Adaptive-only scanner. Fresh and existing Adaptive installs both stay at 0 scans until the user chooses Allow Local Activity.
  • The consent screenshot discloses the running-process/command-line and session-metadata scope, 30-second cadence, in-memory retention, no activity-data upload, no remote/SSH work, and the menu-only decline path.
  • The redacted exact-head report covers fresh install, existing Adaptive, legacy unset, allowed, declined, timer pull-forward, and sustained scanning from one clean packaged bundle. It used synthetic HOME / CODEX_HOME, disabled Keychain access, and denied network access.
  • The 65.646-second Time Profiler run covered two recurring scans after the immediate scan. The allowed process started scans at 0.000s, 31.350s, and 63.336s, logged codingActivity delay=300s, emitted no remote/SSH event, and had 0 potential hangs at the 250 ms threshold.
  • make check passes, along with 67 focused consent/settings/timer/localization tests.

The PR body now puts this blocker-resolution matrix before the older policy replay and states the proof limits explicitly.

@clawsweeper

clawsweeper Bot commented Jul 13, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. and removed proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. P2 Normal priority bug or improvement with limited blast radius. proof: sufficient Contributor real behavior proof is sufficient. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants