feat(reborn): wire built-in obligations and handoffs#3080
Merged
serrrfirat merged 6 commits intoMay 1, 2026
Conversation
github-actions
Bot
added
size: XL
serrrfirat
added
reborn
34 tasks
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request introduces a modular architecture for the IronClaw Reborn system by defining clear boundaries between service crates and implementing contract tests to enforce these dependencies. It adds several new crates (ironclaw_approvals, ironclaw_authorization, ironclaw_capabilities, ironclaw_dispatcher, ironclaw_events, ironclaw_extensions, ironclaw_filesystem, ironclaw_host_api, ironclaw_host_runtime) and updates the workspace configuration. My feedback highlights that the architectural boundary test in crates/ironclaw_dispatcher/tests/boundary_contract.rs is currently fragile due to string-based parsing of Cargo.toml and should be refactored to use cargo_metadata for more robust dependency inspection, following the pattern established in ironclaw_architecture.
Comment on lines
+1
to
+19
| #[test] | ||
| fn dispatcher_crate_does_not_depend_on_higher_level_workflow_crates() { | ||
| let manifest_path = std::path::Path::new(env!("CARGO_MANIFEST_DIR")).join("Cargo.toml"); | ||
| let manifest = std::fs::read_to_string(&manifest_path) | ||
| .unwrap_or_else(|error| panic!("failed to read {manifest_path:?}: {error}")); | ||
|
|
||
| for forbidden in [ | ||
| "ironclaw_authorization", | ||
| "ironclaw_capabilities", | ||
| "ironclaw_wasm", | ||
| "ironclaw_scripts", | ||
| "ironclaw_mcp", | ||
| ] { | ||
| assert!( | ||
| !manifest.contains(forbidden), | ||
| "ironclaw_dispatcher examples/tests should exercise the dispatcher boundary directly, not depend on higher-level workflow crate {forbidden}" | ||
| ); | ||
| } | ||
| } |
Contributor
There was a problem hiding this comment.
The test dispatcher_crate_does_not_depend_on_higher_level_workflow_crates uses a simple string check on the Cargo.toml file content to enforce architectural boundaries. This is fragile and prone to false negatives. Consider using cargo_metadata to programmatically inspect the dependency graph, similar to how crates/ironclaw_architecture/tests/reborn_dependency_boundaries.rs does it. If you do, ensure that the setup (e.g., fetching metadata) uses expect() to fail the test with a clear message if environmental requirements are not met, avoiding silent fallbacks like unwrap_or().
References
- In tests, when setting up a state that depends on environmental factors, prefer expect() to explicitly fail the test with a clear message if the setup is not possible. Avoid fallbacks like unwrap_or() that could cause the test to silently check the wrong logic.
serrrfirat
force-pushed
the
reborn-land-06-obligations-handoff
branch
from
a7a331f to
fd50f2f
Compare
12 tasks
serrrfirat
force-pushed
the
reborn-land-06-obligations-handoff
branch
from
fd50f2f to
98f821e
Compare
github-actions
Bot
added
risk: low
github-actions
Bot
added
risk: medium
…land-06-obligations-handoff-recarve-v2 # Conflicts: # Cargo.lock
github-actions
Bot
added
risk: low
This was referenced May 1, 2026
serrrfirat
added a commit
that referenced
this pull request
May 1, 2026
Refs: #3145, #3080, #3017, #3087. Decisions: host-runtime now wraps process stores with ProcessObligationLifecycleStore so spawn-phase resource reservations are reconciled on success or released on failure/kill, and staged network/secret handoffs are discarded at terminal lifecycle. Process-start failure remains CapabilityHost abort-owned. Files changed: ironclaw_host_runtime lib exports, obligations lifecycle/store cleanup, HostRuntimeServices process graph wiring, host_runtime_services_contract tests. Notes: full host-runtime tests need CARGO_BUILD_JOBS=1 in this environment to avoid linker OOM.
serrrfirat
added a commit
that referenced
this pull request
May 1, 2026
* RALPH: complete issue 3145 background obligation lifecycle Refs: #3145, #3080, #3017, #3087. Decisions: host-runtime now wraps process stores with ProcessObligationLifecycleStore so spawn-phase resource reservations are reconciled on success or released on failure/kill, and staged network/secret handoffs are discarded at terminal lifecycle. Process-start failure remains CapabilityHost abort-owned. Files changed: ironclaw_host_runtime lib exports, obligations lifecycle/store cleanup, HostRuntimeServices process graph wiring, host_runtime_services_contract tests. Notes: full host-runtime tests need CARGO_BUILD_JOBS=1 in this environment to avoid linker OOM. * Fix process obligation cleanup lifecycle * Fix stale reservation lifecycle cleanup * Fix background obligation cleanup failures * fix(reborn): harden process obligation cleanup * fix(host-runtime): preserve cancel side effects on cleanup failure * fix(reborn): enforce single active process handoff * fix: address review findings (iteration 1)
serrrfirat
added a commit
that referenced
this pull request
May 2, 2026
* RALPH: wire EnforceResourceCeiling handoff Task: complete issue #3144; refs obligations PR #3080 and resource authority #3141. Decisions: support invoke/resume ceilings by decomposing them into host-owned estimate checks plus post-dispatch ResourceUsage/output checks; keep spawn and unenforced sandbox CPU/memory/disk quotas fail-closed; preserve EnforceOutputLimit behavior. Files: host-runtime obligation handler/tests/docs, capabilities post-dispatch classification, host-runtime Cargo metadata. Notes: no FEATURE_PARITY.md update needed; Reborn resource-ceiling behavior is tracked in docs/reborn/contracts/host-runtime.md. * fix(host-runtime): fail closed unsupported resource ceilings * fix(host-runtime): enforce resource output ceiling on published bytes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Draft/snapshot carve-out for PR6 from the existing Reborn obligations branch material.
This branch contains the PR6 contract surface for built-in V1 obligations and runtime handoffs:
Primary contract files in this snapshot include:
Draft / dependency note
This PR is intentionally opened as a draft snapshot so the contracts are visible on a PR now.
It is not yet a clean merge candidate because the source branch is an older integrated Reborn stack snapshot. The PR6 branch needs to be retargeted/narrowed after the prerequisite branches land/rebase, especially:
Until then, this PR should be treated as contract/reference material, not a ready-to-merge diff.
Verification
Not rerun after opening this snapshot PR. The source material is present from the existing Reborn obligations branch; it will need a fresh rebase/narrowing pass and targeted verification before merge readiness.
Refs #2987.