Proj/channel protocol (POC)

[ngduyanhece]

brv channel + bridge - multi-agent collaboration over a wire protocol

proj/channel-protocol → main. 204 commits. Lands the entire channel-protocol body of work for internal-test rollout.

Summary

• Problem: Each agentic CLI (Claude Code, codex, kimi, opencode, brv itself) lives in its own working directory with no way to address another agent as an @mention or share context across them. Cross-machine collaboration between teammates' agents is impossible.
• Why it matters: Two failure modes today: (1) Manual copy-paste of agent output between CLIs is the only way to combine them, breaks any agentic flow that wants to fan-out / quorum / second-opinion. (2) Teammates' agents have no shared transcript or way to ask each other questions — every cross-person agent interaction is a human relay.
• What changed: Full brv channel subsystem (Phases 1–5), agent-driven skill connector (Phase 8), cross-machine brv bridge over libp2p with TOFU identity (Phase 9 demo target + post-merge heartbeat hardening), agent quorum Tier 1 + 2 (Phase 10), transcript-storage migration. New brv bridge, brv trust, brv alias CLI surfaces. New bridge-config.json persistence. SDK packages @brv/agent-sdk (TS) + brv-agent (Py). Pi-extension SDK consumer.
• What did NOT change (scope boundary):
  • No web UI for channels — CLI / agent-driven only in this cut. Pi's web-UI design remains compatible if re-introduced later.
  • No native /channel:* slash commands in CLIs other than Pi. Other CLIs use the byterover skill to drive brv channel mention from their shell tool.
  • No libp2p kad-dht backend (Slice 9.6 interface only) — peers manually pinned via brv trust pin --multiaddr ....
  • No HTTP byterover-hosted registry client (Slice 9.7 interface only).
  • No libp2p AutoNAT / DCUtR / Circuit-Relay-v2 wiring (Slice 9.8 reachability classifier only) — Tailscale / same-LAN / public-IP works; raw double-NAT does not.
  • No /brv/parley/delegate/v1 wire handler (Slice 9.9 policy gate + startup warnings only) — cross-bridge agents can answer queries but cannot perform write actions on the dialer's behalf.
  • No browser-channel UI changes.

Type of change

• New feature
• Bug fix (heartbeat keep-alive, env-var persistence, cross-merge typecheck repair)
• Refactor (no behavior change)
• Documentation (INTERNAL_TEST.md, design + PHASES update)
• Test
• Chore (build, dependencies, CI)

Scope (select all touched areas)

• TUI / REPL (no v1 changes; channels are oclif-only)
• Agent / Tools (skill connector, byterover memory tools, ACP driver pool)
• LLM Providers (no provider-specific changes; provider-agnostic by design)
• Server / Daemon (channel orchestrator, parley server/client, libp2p host, bridge transcript service, auto-provision policy, bridge config store)
• Shared (constants, types, transport events) — new ChannelEvents, BridgeEvents, TrustEvents
• CLI Commands (oclif) — new topics: channel, bridge, trust, alias
• Hub / Connectors — new brv connectors install <agent> --type skill flow
• Cloud Sync
• CI/CD / Infra

Linked issues

• Closes: N/A — internal channel-protocol epic, no single tracking issue
• Related: plan/channel-protocol/DESIGN.md, plan/channel-protocol/PHASES.md, plan/channel-protocol/IMPLEMENTATION_PHASE_9_CLOUD_BRIDGE.md

Root cause

N/A — primarily new-feature work. The handful of bug fixes (heartbeat keep-alive, env-var persistence, channel-events test fixture lag) have their root causes documented in their individual commit messages.

Test plan

• Coverage added:
  • Unit test (9603+ tests passing; new tests under test/unit/server/infra/channel/bridge/ for: bridge-config-store, audit-parley-seal, parley-verifier, parley-server, parley-end-to-end, bridge-reachability, bridge-transcript-service, bridge-driver-pool, delegate-policy, peer-multiaddr-resolver, registry-client + nonce-lru, rate-limit)
  • Integration test (channel-phase{1..10}-* integration tests, cross-bridge end-to-end)
  • Manual verification — live two-daemon cross-bridge test on 2026-05-20: mario-team-v4, ctx-exchange-v2, bobs-side-v2 channels, multiple kimi/codex agents, round-trip queries + context-tree exchange, heartbeat verified across multi-minute idle gaps that previously triggered TRANSCRIPT_TERMINAL_MISSING
• Test file(s): 50+ new test files under test/{unit,integration}/; see commit-by-commit log for which slice each belongs to
• Key scenarios:
  • Single-machine multi-agent channel + fan-out
  • Cross-machine bridge: handshake, TOFU pin, signed parley round-trip, transcript persistence on both sides
  • Auto-provision policy (auto / pinned-only / deny)
  • Cancel mid-stream + permission flow
  • Heartbeat keep-alive during slow agent generators
  • Daemon respawn config persistence (NEW — eliminates the silent mock-echo degradation)

User-visible changes

New CLI surfaces:

• brv channel new|invite|mention|cancel|show|list|members|onboard|doctor|approve|deny|archive|leave (full Phases 1–5 surface)
• brv channel mention --mode sync --suppress-thoughts --json --timeout <ms> for agent-driven invocations (Phase 8)
• brv channel mention --quorum N for fan-out + agreement merging (Phase 10 Tier 1)
• brv bridge listen|whoami|pin|ping|verify for cross-machine peer setup
• brv trust pin|list|verify with --multiaddr + --alias flags
• brv alias add|list|remove for short-name routing
• brv connectors install <agent> --type skill writes byterover skill (.agents/skills/byterover/SKILL.md) into a project so the host LLM can drive brv channel mention from its shell tool

New persisted state:

• <dataDir>/identity/install.{key.enc,cert.json,master.key,peer-id} — L1 identity (auto-generated on first brv bridge whoami)
• <dataDir>/identity/tree-default.{key.enc,cert.json,master.key} — L2 peer-tree identity
• <dataDir>/identity/known-peers.jsonl — TOFU pin store (alias / peer-id / pin-state)
• <dataDir>/identity/aliases.json — local alias map
• <dataDir>/state/bridge-config.json — NEW persistent operator-prefs for BRV_BRIDGE_* env vars (survives daemon respawns)
• <projectRoot>/.brv/channel-history/<channelId>/turns/<turnId>.ndjson — channel transcript (Phase 9 storage migration; was under .brv/context-tree/channel/)

New behavioural defaults:

• BRV_BRIDGE_AUTO_PROVISION defaults to pinned-only (spec §7.3) — first-contact peers must be pinned via brv trust pin before they can dispatch into a channel
• BRV_BRIDGE_MAX_CONCURRENT_PER_PROFILE=1 per agent; excess inbound parleys reject with signed PARLEY_LOCAL_AGENT_BUSY
• BRV_BRIDGE_DELEGATE_POLICY=prompt default (mutating-tool wire is deferred so this is type-level only)
• Daemon emits heartbeat_ping every 10s during idle bridge streams so libp2p Yamux substreams don't time out on multi-minute LLM calls

Deprecated: none.

Breaking: none on main's existing CLI surface — channels are net-new commands. Internal: WaitForTaskOptions.timeoutMs was removed in main f14047cae; reconciled in the cross-merge against proj/byterover-tool-mode.

Evidence

• Failing test before / passing after: see commit 75b6c58b5 (heartbeat keep-alive) — added unit test that reliably fails on pre-fix code (cross-bridge tool-using turn dies with TRANSCRIPT_TERMINAL_MISSING after ~120s) and passes on post-fix code (heartbeats keep the substream alive indefinitely)
• Live cross-bridge transcript: Bridge-handshake completed in 4.3s, cross-tree exchange completed in 7.7–33.3s round-trip, design+engineering notes successfully exchanged between two daemons (mario-team-v4 + ctx-exchange-v2 + bobs-side-v2 channels) on 2026-05-20
• Daemon respawn persistence test: Live verified — kill daemon, respawn WITHOUT any BRV_BRIDGE_* env vars, daemon reads persisted <dataDir>/state/bridge-config.json and resumes with codex profile + auto provision + cap=3 instead of silently falling back to mock-echo + pinned-only. See INTERNAL_TEST.md §5.1 for the operational story
• Test summary: 9603 unit + integration passing, 26 pending (22 pre-existing + 4 newly-skipped orphans with rationale in each describe.skip comment), 0 failing

Checklist

• Tests added or updated and passing (npm test): 9603 passing, 26 pending, 0 failing
• Lint passes (npm run lint)
• Type check passes (npm run typecheck)
• Build succeeds (npm run build)
• Commits follow Conventional Commits format
• Documentation updated — plan/channel-protocol/DESIGN.md, plan/channel-protocol/PHASES.md, new INTERNAL_TEST.md at repo root
• No breaking changes (or clearly documented above)
• Branch is up to date with main — last main sync c897ee00f (Release 3.15.0 merged)

Risks and mitigations

• Risk: Operators set up the bridge on heterogeneous-NAT laptops and connections silently fail.
  • Mitigation: INTERNAL_TEST.md §3 recommends Tailscale upfront. brv channel doctor surfaces reachability (public / wildcard-unconfirmed / behind-nat-with-relay / loopback-only / unreachable) honestly. The libp2p AutoNAT/DCUtR/Circuit-Relay-v2 wire is explicitly deferred.
• Risk: Cross-bridge agents try to write to dialer's repo and get a confusing rejection.
  • Mitigation: INTERNAL_TEST.md §5 lists this as a known limitation. The delegate_policy startup log makes the unwired state visible. The error path returns a clear CHANNEL_AUTO_PROVISION_DECLINED or PARLEY_REJECTED rather than hanging.
• Risk: Peer's multiaddr rotates (laptop sleep/wake / network change) and the pinned entry breaks.
  • Mitigation: brv trust pin <peer-id> --multiaddr <new-addr> re-pins idempotently. brv channel doctor surfaces stale-cache state. DHT-driven multiaddr refresh ships in a follow-up slice (Phase 9.6 backend).
• Risk: Operator confused by env-var vs. persisted config precedence.
  • Mitigation: New bridge-config.json resolver logs [Daemon] Bridge config persisted to ... whenever env supplies a value that changes the file. Revert path documented in INTERNAL_TEST.md §5.1 (rm <dataDir>/state/bridge-config.json).
• Risk: 4 integration tests are describe.skipped — looks worse than it is on CI.
  • Mitigation: Each skip has a per-file rationale comment. 3 are pre-existing test-only orphans (BRV_FORCE_ORIGIN consumer never implemented; Phase 10 surface change made the multi-mention rejection assertion obsolete; channel-history storage migration made the cancel-ordering integration probe stale). The actual code paths these tested are covered by unit-level tests. None are Phase-9 regressions.

---

How to use it

A. Local multi-agent channel (single machine)

The basic flow. No network setup needed. Two terminals.

# One-time per agent type — probes its ACP install:
brv channel onboard codex -- codex-acp
brv channel onboard kimi -- kimi acp
brv channel onboard opencode -- opencode acp

# Create a channel + invite two local agents:
brv channel new code-review
brv channel invite code-review @codex --profile codex
brv channel invite code-review @kimi --profile kimi

# Address one agent:
brv channel mention code-review "@codex review src/foo.ts for null-safety bugs" \
  --mode sync --suppress-thoughts --json --timeout 300000

# Quorum across both (Phase 10):
brv channel mention code-review "@codex @kimi rate the diff: solid / risky / unsafe" \
  --quorum 2 --json

# Live tail any time:
brv channel watch code-review --from-tail 5
brv channel show code-review <turnId>
brv channel list-turns code-review --tail 10

Inside another agentic CLI (Claude Code, codex, kimi-cli, opencode, Pi) the host LLM calls these commands from its bash tool — install the byterover skill once per project and the LLM picks them up:

brv connectors install Codex --type skill           # or Claude Code / Cursor / Gemini CLI / etc.

After that the host agent reads .agents/skills/byterover/SKILL.md and learns to call brv channel mention --mode sync --suppress-thoughts --json whenever the user says "ask @Kimi to review this" or similar.

B. Cross-machine bridge (two laptops, two agents)

Prerequisite: both peers need a routable path to each other. Internal-test recommendation is Tailscale — install on every team member's laptop, join the same tailnet, every peer gets a stable IP that punches through every NAT. Free for ≤3 users; trivial setup. Bare-internet over heterogeneous NAT will NOT work in this cut (libp2p AutoNAT/DCUtR/Circuit-Relay-v2 are deferred).

# ─── Each peer (Alice + Bob) sets up the bridge ───
# In a shell rc (`~/.zshrc` / `~/.bashrc`), once:
export BRV_BRIDGE_PARLEY_PROFILE=codex     # the agent that answers parley calls; or kimi / opencode
export BRV_BRIDGE_AUTO_PROVISION=auto      # accept first-contact peers; switch to pinned-only after the team is up
export BRV_BRIDGE_MAX_CONCURRENT_PER_PROFILE=2

# Each peer: confirm bridge identity (auto-generates L1 + L2 keys on first run)
brv bridge whoami --format json
# {"data":{"multiaddrs":["/ip4/100.x.x.x/tcp/61234/p2p/12D3KooW..."], "peerId":"12D3KooW...", ...}}
# Share that multiaddr line with the other peer out-of-band (Slack, etc.)

# ─── Alice pins Bob (and Bob pins Alice) ───
brv trust pin <BOB-PEER-ID> --multiaddr <BOB-MULTIADDR> --alias bob
# verify:
brv trust list

# ─── Alice creates a channel and invites Bob as a remote peer ───
brv channel new team-review
brv channel invite team-review @alice --profile codex                                    # local member
brv channel invite team-review @bob --multiaddr <BOB-MULTIADDR> --peer <BOB-PEER-ID> --display-name "Bob"

# ─── Alice addresses Bob's agent across the bridge ───
brv channel mention team-review "@bob what's your team's preferred test runner? \
  Use your byterover skill (brv query) to consult your local context tree." \
  --mode sync --suppress-thoughts --json --timeout 300000
# → Bob's daemon receives the parley call, codex on Bob's side runs `brv query` against
#   Bob's `.brv/context-tree/`, replies inline with text. Alice sees the reply in
#   ~5–30s depending on agent latency.

# ─── Alice ingests Bob's reply into her own context tree ───
brv channel mention alice-local "@alice ingest Bob's reply under shared_from_bob/ using brv curate" \
  --mode sync --suppress-thoughts --json --timeout 300000
# → Alice's codex calls `brv curate` locally to persist the note.

# Verify with a search later:
brv search "test runner" --limit 5 --format json

That's the full cross-bridge loop. Two agents on different laptops exchange context via signed parley envelopes; both daemons persist the transcript; the receiver's context tree gains the shared knowledge.

C. What's the difference between brv channel and brv bridge?

• brv channel is the user-facing surface: create a channel, invite members (local or remote), mention them, see transcripts.
• brv bridge is the low-level libp2p surface: bring up your install's bridge identity, pin remote peers, ping them, verify TOFU promotions.

You almost always interact via brv channel and brv trust. brv bridge is for debugging (e.g. brv bridge whoami to share your multiaddr, brv bridge ping <peer-id> to test reachability).

---

What's left for a full-fledged release

Below is the list of follow-up slices that are NOT in this PR but are designed for and the next obvious work. Internal-test feedback will inform priority.

Within Phase 9 (cross-machine bridge) — 4 follow-up slices

These have interfaces + policy gates in this PR but no live backends:

1. Slice 9.6 — DHT-driven multiaddr resolution. Wire @libp2p/kad-dht into Libp2pHost, implement DhtPeerMultiaddrResolver, daemon publishes signed peer-record every announce interval. Replaces manual brv trust pin --multiaddr re-pinning when IPs rotate. Effort: ~1 week. Worth doing only if internal-test feedback says manual re-pinning hurts.
2. Slice 9.7 — HTTP byterover registry client. Implement HttpRegistryClient against BRV_REGISTRY_BASE_URL, allows handle-based peer discovery. Requires backend deployment (registry endpoint not yet hosted by ByteRover). Effort: ~1 week of CLI + backend infra outside this repo.
3. Slice 9.8 — libp2p NAT-traversal wiring. Enable autoNAT() + dcutr() + circuitRelayClient/Server() libp2p services in Libp2pHost. Ship default ByteRover-hosted relay multiaddrs. Effort: ~3–5 days CLI + ops work to deploy relays. Likely unnecessary if teams adopt Tailscale; track internal-test feedback before committing.
4. Slice 9.9 — /brv/parley/delegate/v1 wire protocol handler. Today: policy gate (delegate_policy: auto / prompt / deny) is enforced at the type level + logged at daemon startup, but the actual cross-bridge permission_request → permission_decision wire is unimplemented. Implementing this enables Alice asking Bob's agent to write to Bob's repo with cross-bridge consent. Effort: ~1 week. High-value if team's flagship use case is cross-machine delegation.

Within Phase 7 (native CLI integrations) — upstream-gated

• 7.1b — kimi-cli upstream PR (native /channel:* slash command). Effort: ~200–500 LOC; merge timeline depends on Moonshot maintainers.
• 7.2 — claude-code native integration. Effort: similar; depends on Anthropic.
• 7.3 — opencode native integration. Same shape; depends on opencode maintainers.

These work without us — the skill connector in this PR (brv connectors install <agent> --type skill) makes every ACP-speaking CLI usable via shell-tool calls. Native slash commands are quality-of-life, not load-bearing.

Within Phase 8 (agent-driven channel) — upstream-async

• 8.3 — upstream skill distribution. Currently the skill ships from this repo; longer-term distribution channels (Anthropic skills registry, etc.) are async.

Pre-existing tech debt outside Phase 9 scope

• 3 integration tests skipped with rationale (channel-phase{2,3}-* reference orphan code paths like BRV_FORCE_ORIGIN that were never implemented, or test against the pre-storage-migration layout). Implement the missing consumer side OR delete the tests in a small follow-up PR.
• No brv channel kick @<handle> / member-remove command. Today a multiaddr/port change forces creating a new channel. Effort: ~half day. Worth doing soon if teams cycle multiaddrs frequently.
• Heartbeat counter metric for prod observability (kimi sign-off note, non-blocking).

Out of scope but tracked for v1.1+

• @everyone / @all semantics in channel mentions
• Per-channel ACLs
• Threaded sub-conversations within a channel
• Account-abstracted cross-channel identity ("same @kimi-cli across all channels")
• Web UI for channels (Pi's design remains compatible)
• Web-UI permission prompts (CLI is the only consent surface in this cut)

Out of scope indefinitely

• Cross-CA federation (v1 trusts one CA root; multi-org bridging is v2)
• End-to-end channel-content encryption at rest
• Strong cross-machine consistency (transcripts are append-only by author; eventual consistency is the contract)
• Group-chat semantics across channels
• Claude Managed Agents driver class C-prime runtime (schema-only in v1)

[github-actions]

nit (consistency, same shape as prior alias-store.ts:198 finding): const tmp = \${filePath}.tmp`is a non-unique tmp path. The in-process write mutex serialises mutations from this daemon, but two daemon instances (a stale process from a crash + a freshly-spawned replacement during the briefrespawn-rebind` window) would race on the same path and silently overwrite each other's in-flight tmp.

install-identity-service.ts:427 already uses the pid+random pattern:

const tmp = `${target}.tmp.${process.pid}.${randomBytes(4).toString('hex')}`

Replicating that pattern here (and extracting an atomicWrite() helper that both call) would close the prior round's finding and prevent the same pattern from spreading further. Non-blocking, polish.

[github-actions]

nit (robustness, low): flushStdoutBuffer(stdoutBuffer, processEvent) is called inside the exit branch immediately before break. Any items processEvent enqueues during the flush (a trailing result event without a trailing newline, e.g.) are added to the queue but the loop exits without yielding/handling them.

In practice claude's stream-json emits newlines after every event, so this is unlikely to bite. But if it does, the symptom is "subprocess exited without a result event" → ADAPTER_SUBPROCESS_FAILED thrown, and the session ID from the trailing system_init is lost. Specifically, the success-path resultSessionId assignment at line 354 never fires.

Two fixes — either is fine:

1. Drain the queue after flush:

   } else if (item.kind === 'exit') {
     flushStdoutBuffer(stdoutBuffer, processEvent)
     while (queue.length > 0) {
       const drained = queue.shift()
       if (drained?.kind === 'result_success') {
         resultReceived = true
         resultSessionId = drained.newSessionId
       } else if (drained?.kind === 'result_error') {
         resultError = true
       }
     }
     break
   }

2. Run flushStdoutBuffer BEFORE the close handler enqueues exit (move into close handler before enqueue), so the items go onto the queue in order.

Non-blocking — speculative against a claude version that ever omits a trailing newline.

[github-actions]

nit (doc/code drift): The file-level invocation comment shows:

claude -p --output-format stream-json --dangerously-skip-permissions \
  --cwd <projectRoot> [--resume <sessionId>]

…but buildSpawnArgs (line 429–441) does not emit --cwd. The actual cwd is set via the spawn options bag at line 206 (cwd: ctx.projectRoot). The two paths converge to the same result in practice, but the comment will mislead the next reviewer who tries to grep for --cwd in the args.

Suggest just dropping the --cwd snippet from the comment, or adding "(set via spawn options, not argv)" inline.

[github-actions]

nit (operator UX, low): When BRV_BRIDGE_CLAUDE_UNSAFE=1 is set but sessionStore or concurrencyGate is missing, the code logs a warning and continues without registering the adapter. If BRV_BRIDGE_PARLEY_PROFILE=claude-code is ALSO set, the strict-resolution path at brv-server.ts:1025-1027 will then throw ParleyAdapterNotFoundError with Available: ["mock-echo", ...] — and the operator sees "the env flag I set didn't take effect" without an obvious clue that the cause was the upstream wiring rather than their flag.

The PROFILE_HINTS['claude-code'] table tells them to set BRV_BRIDGE_CLAUDE_UNSAFE=1, but if they ALREADY did and it still didn't register, the hint is misleading.

Cheap fix: in this branch, also throw (or surface a second hint line) so the operator learns the registration failed despite the env flag. The current "log + continue" pattern is fine when daemon-wide registration is a soft-fail concern, but for an explicitly-requested profile with an explicitly-set unsafe flag, the wiring being broken should fail loud.

Non-blocking. In practice the daemon's own DI wiring at brv-server.ts:980-994 always provides both deps when the env flag is set, so the branch is effectively unreachable today — but it would silently misbehave if future wiring drift drops one of them.

[github-actions]

Claude finished @ngduyanhece's task in 2m 28s —— View job

---

Re-review — Channel + Bridge protocol (synchronize, 2026-05-23 11:01 UTC push)

Overall: 4 / 5 (unchanged from prior reviews). Scope of this re-review is narrow: one substantive commit since the previous pass.

• Identify commits added since prior review (2026-05-23 10:34 UTC)
• Diff the new commits
• Spot-check new code (--verbose argv, stderr collection, claim that --verbose doesn't affect stdout)
• Post inline findings (3 new buffered)
• Post final summary + score

---

Diff since 2026-05-23 10:34 UTC review

Only one substantive commit landed:

SHA	Change
1e23de6c	ClaudeCodeHeadlessAdapter.buildSpawnArgs now passes --verbose alongside --output-format stream-json. Required by Claude Code 2.x; without it every cross-bridge mention into a Claude-driven peer dies with ADAPTER_SUBPROCESS_FAILED: ... Error: When using --print, --output-format=stream-json requires --verbose. Live two-machine test (laptop → VM, 2026-05-23) surfaced it.

Total delta: 1 file, +6 / -0.

What's good in this delta

• The fix is correct and well-anchored. Claude Code 2.x explicitly requires --verbose with --print --output-format stream-json — the addition is the minimum-viable spawnargs change, with a justification comment that survives future "argv cleanup" refactors.
• Commit message documents the root cause completely — exact stderr error string, version requirement, and the load-bearing claim that --verbose only adds stderr noise (not stdout parsing risk). That last claim is correct: Claude Code's stream-json output format means structured events still emit one-per-line on stdout regardless of --verbose.
• Tight blast radius — only the live cross-bridge Claude path needs this; the mock-echo and ACP adapter paths are unaffected.

New inline findings (3 buffered)

1. claude-code-headless-adapter.ts:439 — no unit test asserts --verbose is in the spawnargs. A trivial argv-capture assertion would prevent the next "discovered via remote VM" rediscovery if someone reorders / drops the line during a future refactor.
2. claude-code-headless-adapter.ts:229 — stderrChunks accumulates unbounded for the lifetime of the turn, but only the last 500 chars are ever read. With --verbose now adding stderr noise on every turn, this becomes a small per-turn memory tax that's trivial to bound to a rolling 4KB tail.
3. claude-code-headless-adapter.ts:20 — file-level invocation comment now drifts in two ways: doesn't show --verbose (added in this commit), still shows --cwd <projectRoot> which buildSpawnArgs doesn't emit (cwd is set via spawn options; this was flagged in the prior round too). Comment is becoming actively misleading.

Prior-round findings — status

1e23de6c did not touch any of the files flagged in earlier reviews. All 9 prior-round findings still open as written:

• install-identity-service.ts:56 (master-key colocation) — still open
• identity-client.ts:507 (NFC normalization only on writer side) — still open
• parley-nonce-lru.ts:31 + parley-rate-limit.ts:51 + auto-create-quota.ts:53 (unbounded outer Map family) — still open
• process-lock.ts:52 (comment says "recurse" but code doesn't) — still open
• alias-store.ts:198 + parley-adapter-session-store.ts:126 (non-unique tmp path) — still open
• discovery.py:80 (isinstance(port, int) accepts bool) — still open
• channel-skill/install-lib.js:105 (accessSync(X_OK) accepts directories) — still open
• claude-code-headless-adapter.ts:207 (env-passthrough to --dangerously-skip-permissions subprocess) — still open
• claude-code-headless-adapter.ts:357-361 (flushStdoutBuffer race on exit) — still open
• bridge-config-store.ts:37 (listenAddrs not multiaddr-refined) — still open

This is consistent with the PR's "internal-test cut, follow-ups tracked" framing.

Verdict for this push

LGTM-incremental. 1e23de6c closes a real CLI-compatibility gap that broke every cross-bridge Claude turn in the wild. The fix is one of the cleanest possible — six lines, the five-line justification comment carrying the why, and a structural reason (Claude Code 2.x interface contract) that's unlikely to need future re-evaluation. The three inline findings are polish items: test coverage parity, a small per-turn memory bound, and doc/code drift on the file-level comment. None are ship blockers.
· branch

[github-actions]

nit (test coverage, low): the --verbose addition is the kind of one-line ordering tweak that silently breaks the live cross-bridge path if anyone refactors buildSpawnArgs later (e.g. an "argv reorder for readability" PR that drops a line). The live integration path tested it the hard way on 2026-05-23 (ADAPTER_SUBPROCESS_FAILED: ... requires --verbose); a one-line unit assertion would prevent the next round of "discovered via remote VM failure".

Existing claude-code-headless-adapter.test.ts already builds FakeChild + a spawn() factory — adding an args capture is trivial:

it('passes --verbose with --output-format stream-json (Claude Code 2.x compat)', () => {
  let capturedArgs: string[] = []
  // spawn factory: spawn: (_bin, args) => { capturedArgs = args; return child }
  // … drive one turn …
  expect(capturedArgs).to.include('--verbose')
  expect(capturedArgs).to.include('-p')
  expect(capturedArgs).to.include('stream-json')
})

Non-blocking; the live-test catch is documented and the fix is correct.

[github-actions]

nit (resource, low — surfaced by the --verbose addition): stderrChunks: string[] grows unbounded for the full lifetime of the turn, but only the last 500 chars (stderr.slice(-500)) are ever used (lines 397, 415). With --verbose now adding stderr noise on every turn (the PR-of-record reason for the prior commit), this becomes a small per-turn memory tax on every cross-bridge mention.

For a long-running daemon serving many parley turns, the cumulative effect is bounded (chunks are GC'd at turn end) but the peak per-turn allocation now scales with whatever Claude Code logs to stderr. Cheap fix — keep a rolling tail:

const STDERR_TAIL_BYTES = 4096
let stderrTail = ''
child.stderr?.on('data', (chunk: Buffer) => {
  stderrTail = (stderrTail + chunk.toString('utf8')).slice(-STDERR_TAIL_BYTES)
})
// …
const stderr = stderrTail

4KB is plenty headroom for the existing 500-char slice and the stale-session pattern matcher in isStaleSessionError. Non-blocking; the per-turn cost is small. Worth tracking with the prior round's unbounded-Map family of findings.

[github-actions]

nit (doc/code drift, low): the file-level invocation comment is now drifting in two ways:

claude -p --output-format stream-json --dangerously-skip-permissions \
  --cwd <projectRoot> [--resume <sessionId>]

1. --verbose (added in this commit) is not shown — the next reviewer who tries to grep for the canonical argv will be confused.
2. --cwd is still shown but buildSpawnArgs does not emit it (cwd is set via spawn options at line 206). This was flagged in the prior review round as well.

Both fixes are one-line; the comment is becoming the "stale doc that lies" hazard rather than load-bearing context. Either drop the invocation snippet entirely (the real argv is right there at buildSpawnArgs, with the --verbose justification comment now anchoring intent) or update it to match. Non-blocking.

[github-actions]

Re-review — Channel + Bridge protocol (synchronize, 2026-05-23 12:09 UTC push)

• Identify commits added since the prior review (2026-05-23 11:01 UTC)
• Diff the new commits
• Spot-check new code
• Verify prior-round findings (any addressed?)
• Post inline findings
• Post final summary + score

Single commit since last pass: 49bc3784 (docs only — INTERNAL_TEST.md Phase 9.5 refresh, +166 / -64). Posting inline findings now.

View job run · branch

[github-actions]

nit (threat-model documentation parity, low-medium): the security callout calls out "Bob's filesystem and process permissions" but doesn't explicitly flag the environment-variable exfiltration vector that prompted the prior round's claude-code-headless-adapter.ts:207 finding. The adapter spawns Claude with env: process.env (full daemon-env passthrough), and --dangerously-skip-permissions gives the peer Bash access — so a verified peer prompt like Run "env | grep -iE 'key|token|secret|api'" exfiltrates every API key the operator has in ~/.zshrc, including ANTHROPIC_API_KEY, BRV_API_KEY, OPENAI_API_KEY, cloud creds, etc. That's a credential-theft surface — distinct from (and sharper than) the filesystem-access one.

The "dedicated VM/sandbox" mitigation is correct but doesn't tell operators what specifically not to put on that VM. Suggest expanding the callout with one concrete bullet:

> **Concretely:** the responder VM's environment is fully exposed. Do NOT put your personal `ANTHROPIC_API_KEY`, `BRV_API_KEY`, cloud creds, or shell secrets in the responder's `~/.bashrc` / `~/.zshrc`. A verified peer can extract them with one Bash prompt (`env | grep -i key`). Either run the responder in a clean VM with only the env vars listed above, or wait for the env-allowlist work tracked in [the prior review's `claude-code-headless-adapter.ts:207` finding].

Also worth surfacing in §7 (feedback) — operators are unlikely to spot this on their own, and the env-passthrough is the kind of footgun that scales badly with the first non-VM internal-test setup. Non-blocking; the gate keeps the surface opt-in, but the docs are the only mitigation between operators and credential theft right now.

[github-actions]

nit (security/UX interaction, low): the recommended internal-test combination is BRV_BRIDGE_AUTO_PROVISION=auto (§3.1, line 37) plus BRV_BRIDGE_CLAUDE_UNSAFE=1 (§3.5, line 158). Phase 9.5.4 hardened the trust gate so auto-tofu peers can't seed new channels — but they CAN still dispatch into existing channels they've been invited to, which means an unverified first-contact peer can drive the headless Claude through any pre-existing channel-member relationship.

For internal-test where channels are short-lived and the team is small, the combination is fine. But the §3.5 security callout reads as if --verify alone is the trust boundary, when in practice the AUTO_PROVISION policy is the upstream gate. Worth one extra sentence in §3.5 along the lines of:

Tighten BRV_BRIDGE_AUTO_PROVISION=pinned-only (the production default) once the team is set up — auto is convenient for first-contact pinning but lets any peer-id-cycling attacker rotate identities cheaply through existing channels.

Non-blocking; this is doc-clarity polish, not a code change.

[github-actions]

nit (operator-doc race, low): the pkill -f brv-server || true; sleep 2; brv bridge whoami --format json >/dev/null pattern relies on the soft assumption that 2s is enough for the dying daemon to release the libp2p port + Socket.IO daemon-discovery file. On a loaded laptop (or a VM running other work), this race occasionally loses — the next brv bridge whoami either auto-spawns a new daemon while the old one's port-bind is still tearing down (causes EADDRINUSE deep in the log), or finds the dying daemon and hits a half-shutdown state.

Two reasonable fixes — either is fine:

1. Loop until pgrep -f brv-server returns empty (matches the existing daemon-discovery.ts pattern):

   pkill -f brv-server || true
   while pgrep -f brv-server >/dev/null 2>&1; do sleep 0.2; done
   brv bridge whoami --format json >/dev/null

2. Use brv restart if that command exists in this cut (it does — see oclif/commands/restart.ts), which has the right shutdown-then-spawn ordering wired in.

Non-blocking — operators who hit the race will just re-run the command. But the doc snippet is going to be copy-pasted into many onboarding sessions, and a deterministic version is one extra line.

[github-actions]

Claude finished @ngduyanhece's task in 1m 43s —— View job

---

Re-review — Channel + Bridge protocol (synchronize, 2026-05-23 12:13 UTC push)

Overall: 4 / 5 (unchanged). Latest push is a clean merge from origin/main (Release 3.15.1, d903cb39) — no channel/bridge code touched. The 3 inline comments posted at 12:12 UTC on INTERNAL_TEST.md stand as the substantive findings for the docs-only 49bc3784 cycle that prompted this review window.

• Identify commits added since the prior review wall-clock (2026-05-23 12:09 UTC)
• Diff the new commits
• Spot-check new code
• Verify prior-round findings (any addressed?)
• Post inline findings (3 already buffered against INTERNAL_TEST.md)
• Post final summary + score

---

Diff since 2026-05-23 12:09 UTC

SHA	Change
8219e368	Merge origin/main into proj/channel-protocol. Touches 9 files (AGENTS.md, CHANGELOG.md, CLAUDE.md, package.json, postrun hook rename restart-after-update.ts → after-update.ts, +130-line tidy-update-plugin-client-cache.test.ts, 2-line webui VC page bump). Zero channel/bridge/trust code touched.
d903cb39	(Brought in by the merge — Release 3.15.1 on main.)

Total delta on the branch: 9 files, +262 / -59 — entirely from the main sync.

What's good in this delta

• Clean main sync. git diff 49bc3784..HEAD -- 'src/server/infra/channel/**' 'src/agent/core/trust/**' 'src/server/infra/channel/bridge/**' returns empty. The merge is mechanical — no resolution work, no cross-contamination between Release 3.15.1's postrun-hook rework and Phase 9's channel surface.
• Tracks the prior pattern of keeping proj/channel-protocol rebased on main so the eventual squash-merge is conflict-free.

Inline findings buffered on this branch (from the 12:12 UTC pass on 49bc3784)

The prior review window opened the docs-only 49bc3784 (INTERNAL_TEST.md +166 / -64) and posted three nits before the summary stage:

1. INTERNAL_TEST.md:183 — security callout for BRV_BRIDGE_CLAUDE_UNSAFE=1 doesn't explicitly call out the env-passthrough vector (verified peer can env | grep -iE 'key|secret' to exfiltrate ANTHROPIC_API_KEY / BRV_API_KEY / cloud creds). Distinct from the filesystem-access surface the §5 wording already covers.
2. INTERNAL_TEST.md:37 — BRV_BRIDGE_AUTO_PROVISION=auto (recommended for §3.1 setup) + BRV_BRIDGE_CLAUDE_UNSAFE=1 (§3.5) interact: unverified peers can drive headless Claude through pre-existing channels they've been invited to. Worth a one-line pinned-only migration note for operators past first-contact.
3. INTERNAL_TEST.md:165 — pkill ...; sleep 2; brv bridge whoami snippet has a port/socket-release race on loaded machines. A while pgrep loop or just brv restart (which exists in this cut) is deterministic.

All three are operator-doc polish, non-blocking. They remain consistent with the PR's "internal-test cut, follow-ups tracked" framing.

Prior-round findings — status

8219e368 did not touch any of the files flagged across the prior six review rounds (2026-05-20 through 12:09 UTC). All earlier findings still open as written:

• install-identity-service.ts:56 (master-key colocation) — still open
• identity-client.ts:507 (NFC normalization only on writer side) — still open
• parley-nonce-lru.ts:31 + parley-rate-limit.ts:51 + auto-create-quota.ts:53 (unbounded outer Map family) — still open
• process-lock.ts:52 (comment says "recurse" but code doesn't) — still open
• alias-store.ts:198 + parley-adapter-session-store.ts:126 (non-unique tmp path) — still open
• discovery.py:80 (isinstance(port, int) accepts bool) — still open
• channel-skill/install-lib.js:105 (accessSync(X_OK) accepts directories) — still open
• claude-code-headless-adapter.ts:207 (env-passthrough to --dangerously-skip-permissions subprocess) — still open
• claude-code-headless-adapter.ts:229 (stderrChunks unbounded — surfaced by the --verbose addition) — still open
• claude-code-headless-adapter.ts:357-361 (flushStdoutBuffer race on exit) — still open
• claude-code-headless-adapter.ts:20 (file-level comment now drifts on both --verbose and --cwd) — still open
• claude-code-headless-adapter.ts:439 (no unit test asserts --verbose is in the spawnargs) — still open
• bridge-config-store.ts:37 (listenAddrs not multiaddr-refined) — still open
• parley-adapter-registry.ts:167 (UNSAFE=1 + missing deps logs-and-continues instead of failing loud) — still open
• ai-sdk-content-generator.ts:390 (synthetic usage masks upstream) — still open
• INTERNAL_TEST.md §3.1 / §3.5 / §5 / §5.1 doc-polish trio above

Verdict for this push

LGTM-incremental. 8219e368 is a hygienic main sync; no new branch code to review, no conflicts touching the channel/bridge surface. The earlier 4 / 5 score stands.
· branch

[github-actions]

Claude finished @ngduyanhece's task in 9m 0s —— View job

---

Re-review — Channel + Bridge protocol (synchronize, 2026-05-24 05:20 UTC push)

Overall: 4 / 5 (unchanged). Phase 9.5.7 is a tightly-scoped fix-pack for three live-test bugs from the 2026-05-24 cross-bridge session. The commit message + plan doc explicitly track every codex round; the resulting code is structurally sound and well-tested.

• Identify commits added since the prior review (2026-05-23 12:13 UTC)
• Diff the new commits
• Spot-check new code (Phase 9.5.7: parley timeout + observability hardening)
• Verify prior-round findings (any addressed?)
• Post inline findings (5 buffered)
• Post final summary + score

---

Diff since 2026-05-23 12:13 UTC

SHA	Change
1abbe7a5	Phase 9.5.7 — parley timeout + observability hardening. Three live-test bugs fixed: (1) AcpAdapter shadowing the reserved claude-code profile name → new BUILTIN_PARLEY_PROFILE_NAMES Set, AcpAdapter registration is skipped (not early-returned) for reserved names so downstream built-in registration still runs; strict resolve fails-fast with the existing UNSAFE hint. (2) TRANSCRIPT_TERMINAL_MISSING seal-emission race → responder wraps both seal-send paths in try/catch with diagnostic logs (Layer B); dialer's verifyResponseStream now async and falls back to a verified stream_end terminal when seal is missing AND chunks exist AND stream_end is the last non-heartbeat frame, marking the result sealOrigin='implicit-from-signed-terminal' + integrityDegraded=true (Layer A). Signature verification binds the same payload fields as verifyResponseTerminal (channel_id, delivery_id, protocol, request_envelope_hash, seq, turn_id, terminal_payload), so the fallback never trusts a forged terminal. (3) ACP_PROMPT_FAILED 10-min abort → split timeouts (BRV_BRIDGE_PARLEY_DIAL_TIMEOUT_MS default 30s, BRV_BRIDGE_PARLEY_TURN_IDLE_TIMEOUT_MS default 60min) with twin AbortControllers in remote-member-driver.ts; onDialComplete clears dial timer + starts idle interval + resets lastActivityAt to "now"; onFrameReceived resets lastActivityAt on every frame (heartbeats count). New PhaseStampedAbort error class carries phase/elapsedMs/frameCount/lastFrameKind/lastFrameSeq/localTimeoutFired. libp2p-host.dialAndSendAndConsume gains optional signal arg (BC overload preserved). Plus a subscribe.ts lost-wakeup fix: --turn set without --after-seq defaults afterSeq=0 to trigger replay.
21437c58	Docs only — plan/bridge-smoothness/PLAN.md + docs/channel-events.md (already reviewed in prior pass).

Total delta on this branch since 2026-05-23 12:13 UTC: 18 files, +2445 / -38.

What's good

• Reserved-name guard is the right shape. BUILTIN_PARLEY_PROFILE_NAMES as ReadonlySet<string> for .has() membership; AcpAdapter registration skipped (not early-returned) so ClaudeCodeHeadlessAdapter registration still runs. The log line is operator-friendly with the recovery hint (BRV_BRIDGE_CLAUDE_UNSAFE=1).
• Degraded-completion fallback verifies the stream_end signature using the SAME payload binding as the normal terminal-verify path (channel_id, delivery_id, protocol, request_envelope_hash, seq, turn_id, terminal_payload). Forged-key tests confirm the negative case throws TRANSCRIPT_TERMINAL_MISSING. Strict pre-conditions (signed stream_end + ≥1 chunk + stream_end is last non-heartbeat) — no path silently accepts an under-bound terminal. seq monotonicity check (line 320) defends against drop/reorder of unsigned chunks within the Noise session.
• Twin AbortController + PhaseStampedAbort correctly separates dial-phase vs frame-read-phase timeouts; onDialComplete reset of lastActivityAt to "now" closes the round-2 codex finding (post-dial idle window shouldn't be shortened by slow dial); signal listener removed in finally so it never leaks.
• signal.reason propagation through dialAndSendAndConsume and readResponseFramesInternal preserves the PhaseStampedAbort verbatim — operators get a stamped error with phase + frame state, not a generic The operation was aborted.
• Test coverage is proportionate to the addition — 5 new test files (~1300 LOC) cover: degraded-fallback positive + 3 negative cases, reserved-name guard, env-config parsing, phase-stamped abort, replay cursor, abort-signal propagation, twin-timer behaviour.

New inline findings (5 buffered)

1. parley-server.ts:538 — asymmetric protection: error-path errorFrame send is NOT wrapped in the §3.2 Layer B try/catch, but the immediately-following seal-send IS. If the dialer disconnects mid-generation (the exact Layer B scenario), the errorFrame throws first and the seal-send try/catch never runs, defeating the operator-visibility intent.
2. libp2p-host.ts:191 — TOCTOU race between dialProtocol returning and signal.addEventListener('abort', onAbort, {once: true}). If the abort fires in that microsecond gap, the listener attaches against an already-aborted signal (AbortSignal doesn't replay), stream.abort() never runs, and the subsequent stream.send() can hang — defeating §3.3 Layer C in a narrow window. Cheap fix: if (signal.aborted) onAbort() after attach.
3. parley-client.ts:344 — degraded-fallback comment says "chunks transported under same authenticated libp2p session", but the load-bearing in-session integrity property is the seq-monotonicity check at line 320-328. Note worth anchoring in the fallback rationale. PLUS: integrityDegraded=true only propagates through --json; a text-mode banner in brv channel show would surface this safety-critical state to operators who don't know to look.
4. parley-timeout-config.ts:43 — no validation that dialTimeoutMs < idleTimeoutMs. Operator who sets IDLE=10s without overriding default DIAL=30s gets a structurally-uncatchable configuration. Warn-log at parse fixes it.
5. subscribe.ts:39 — resolveReplayCursor returns {afterSeq, turn} but callers destructure only afterSeq; turn is identity. Shape polish.

Prior-round findings — status

1abbe7a5 did not touch any of the files flagged in earlier rounds. All ~15 prior-round findings still open as written (master-key colocation, NFC normalization writer-only, unbounded Map family across parley-nonce-lru.ts / parley-rate-limit.ts / auto-create-quota.ts, process-lock.ts doc/code drift, non-unique tmp paths in alias-store.ts + parley-adapter-session-store.ts, discovery.py bool-int, channel-skill/install-lib.js directory accept, claude-code-headless-adapter.ts env-passthrough + unbounded stderrChunks + flushStdoutBuffer race + doc/code drift + missing --verbose test, parley-adapter-registry.ts UNSAFE-without-deps logs-and-continues, bridge-config-store.ts listenAddrs not multiaddr-refined, ai-sdk-content-generator.ts synthetic usage masking, INTERNAL_TEST.md §3.1 / §3.5 / §5 / §5.1 doc trio). Consistent with the PR's "internal-test cut, follow-ups tracked" framing.

Verdict for this push

LGTM-incremental. Phase 9.5.7 is a high-quality fix-pack: each of the three live-test bugs has a documented root cause, a structural (not symptomatic) fix, and proportionate test coverage. The degraded-completion fallback is the most security-sensitive piece and its signature verification is properly bound to the same payload fields as the normal terminal-verify path — this is the right shape. The five inline findings are robustness/polish items (asymmetric error-path protection, TOCTOU race window, documentation anchor, config sanity warning, dead-return shape), not blockers.
· branch

[github-actions]

nit (asymmetric protection, low): the §3.2 Layer B try/catch wraps the seal-send on the error path (lines 539-560) but the immediately-preceding errorFrame send at line 538 is NOT wrapped. The motivating scenario for Layer B — "dialer torn down the stream before the seal lands" — applies equally to the error frame: if the dialer disconnects during generation, the error frame send fails first, throws out of the catch handler, and the carefully-crafted seal-send try/catch never runs. The diagnostic [parley-server] Failed to send transcript_seal frame (error path) log that §3.2 Layer B is designed to surface never fires.

Cheap fix — wrap both sendFrame calls symmetrically:

try {
  await sendFrame(stream, errorFrame)
} catch (errFrameError) {
  console.warn(`[parley-server] Failed to send error frame for turn=${envelope.turn_id} ...`)
  // Don't return — still try the seal for the dialer's implicit-fallback path
}
try {
  await sendFrame(stream, buildTranscriptSealFrame({...}))
} catch (sealError) { /* existing log */ }

Or accept the throw and add a single outer try/catch around both sends. Non-blocking; on the happy path nothing changes, but the operator-visibility intent of Layer B is partially defeated for the most common torn-down-mid-generation scenario.

[github-actions]

issue (TOCTOU race, low-medium — defeats §3.3 Layer C in a narrow window): there's a small race window between dialProtocol returning (line 184) and signal.addEventListener('abort', onAbort, {once: true}) (line 191). If combinedAbortController.signal aborts in that gap (e.g. RemoteMemberDriver's dial-timer fires exactly as dialProtocol resolves), the listener attaches against an already-aborted signal — and AbortSignal does NOT replay events for listeners attached after the abort fired. Result: stream.abort() is never called, the listener never runs, and the next await stream.send(payload) can hang because nothing tore the substream down.

The likelihood is low (the window is microseconds), but the consequence — a turn that hangs until libp2p's own connection-level timeout fires, which is the very pathology Phase 9.5.7 is fixing — is the exact failure-mode this PR sets out to make impossible.

Cheap fix — replay the abort check right after attaching:

if (signal !== undefined) {
  signal.addEventListener('abort', onAbort, {once: true})
  // Replay: if signal aborted between dialProtocol returning and addEventListener
  // attaching, onAbort would never fire (AbortSignal doesn't replay). Run it once
  // synchronously so the stream is torn down before stream.send().
  if (signal.aborted) onAbort()
}

Non-blocking; the race is narrow and not directly the original bug. But this is the exact kind of edge case that surfaces in live tests months later.

[github-actions]

nit (security documentation, low — but load-bearing for future reviewers): the fallback-rationale comment at lines 332-347 says the chunks "were transported under the same authenticated libp2p session." That's true but it's the peer-authentication property of Noise XX, not what defends against drop/reorder of the unsigned chunks within that session. The load-bearing security claim for the degraded path is:

1. Noise XX binds the peer identity — only Bob's daemon could have emitted these chunks.
2. The seq-monotonicity check at lines 320-328 — checked BEFORE the fallback runs — rejects any frame stream where seq isn't strictly increasing, so a tampering MITM (who somehow has Bob's Noise key) couldn't reorder/drop chunks, and Bob himself can't accidentally lose a chunk without the dialer noticing.

The signed stream_end then anchors "Bob says the turn ended at seq=N" to the L2 key — but the content of seqs 1..N-1 is bound only by the combination of (Noise peer-auth + seq monotonicity). A one-sentence note pointing at the seq-check as the in-session integrity anchor would make the proof airtight for future reviewers.

Separate / heavier — operator visibility: integrityDegraded=true now propagates through TurnDelivery and is visible only via brv channel show --json. For the most safety-critical state in this entire codepath (turn succeeded but the cryptographic binding is missing), a text-mode banner — e.g. brv channel show prints ⚠ integrity-degraded next to the turn-id — would be safer than relying on operators to remember to add --json | jq .integrityDegraded. Operators only think to check JSON when they suspect a problem; this is the case where they don't know to suspect.

Non-blocking; the degraded-fallback logic itself is sound.

[github-actions]

nit (config sanity, low): parseParleyTimeoutEnv silently accepts any positive integer for both values, including combinations where dialTimeoutMs >= idleTimeoutMs. The two timers compose temporally — the idle timer doesn't start until onDialComplete fires (see remote-member-driver.ts:191-207) — so an operator who sets

export BRV_BRIDGE_PARLEY_TURN_IDLE_TIMEOUT_MS=10000

without overriding the default BRV_BRIDGE_PARLEY_DIAL_TIMEOUT_MS=30_000 ends up with a 30s dial timeout that the idle timer is structurally incapable of catching (the dial finishes after the idle threshold the operator wanted). The values "work" in the sense that the timers fire, but the operator's intent is silently misapplied.

Cheap fix — warn at parse time when dialTimeoutMs >= idleTimeoutMs:

if (dialTimeoutMs >= idleTimeoutMs) {
  console.warn(
    `[parley-timeout] BRV_BRIDGE_PARLEY_DIAL_TIMEOUT_MS=${dialTimeoutMs}ms >= ` +
    `BRV_BRIDGE_PARLEY_TURN_IDLE_TIMEOUT_MS=${idleTimeoutMs}ms; the idle timer ` +
    `cannot catch slow dials.`,
  )
}

Non-blocking; defaults make this unreachable, but internal-test users who tune one value without the other will hit it silently.

[github-actions]

nit (dead-return, low): resolveReplayCursor returns {afterSeq, turn} but the only caller (line 183) destructures only afterSeq. The returned turn is identical to the input turn on both branches (the function never modifies it). Either drop turn from the return signature (it's redundant) or have the caller use the destructured turn for the downstream flags.turn access — that would defend against future refactors where the function might want to normalize turn too. The current shape passes the linter but invites the next contributor to ignore one return field.

Functional behaviour is correct; this is shape polish only.

[github-actions]

Claude finished @ngduyanhece's task in 4m 50s —— View job

---

Re-review — Channel + Bridge protocol (synchronize, 2026-05-24 07:24 UTC push)

Overall: 4 / 5 (unchanged). Phase 9.5.8 closes the failure mode #2 gap from the 2026-05-24 live-test bug report with a sound three-fix structure (responder terminal hardening, dialer second-tier fallback, libp2p observability). The cryptographic discipline of 9.5.7 carries through — the new fallback verifies the signed error frame using the same payload binding as the normal verifyResponseError path. Findings below are robustness and semantic-clarity items, not blockers.

• Identify commits added since prior review (2026-05-24 05:20 UTC)
• Diff the new commits
• Spot-check new code (terminal-send hardening, dialer fallback ladder, libp2p observability, marker propagation)
• Verify prior-round findings (any addressed?)
• Post inline findings (5 buffered)
• Post final summary + score

---

Diff since 2026-05-24 05:20 UTC

SHA

Change

c4ee1135

Phase 9.5.8 — close TRANSCRIPT_TERMINAL_MISSING gap + libp2p observability. Three coordinated fixes for failure mode #2 from the live retest. Fix A (parley-server.ts): new sendFrameDiagnostic() wraps every terminal-frame send (success-path stream_end, error-path error frame, transcript_seal on both paths) in try/catch with structured [parley-server] Failed to send <label> for turn=... (channelId=...): <err> logging. Failures are logged but not re-thrown — work product is on disk and the dialer's fallback covers the wire-level loss. Fix B (parley-client.ts:verifyResponseStream is now async, verifyNoSealFallback handles two new branches): (1) chunks + signed error + no seal → verify the error terminal using the same payload binding as verifyResponseError, return endedState='errored' with errorCode/errorMessage populated, integrityDegraded=true, sealOrigin='implicit-from-signed-terminal'; (2) chunks + no terminal at all → second-tier soft completion: return endedState='completed' with sealOrigin='implicit-from-stream-eof', terminalMissing=true, integrityDegraded=true. Schema additions on TurnDelivery: sealOrigin enum gains 'implicit-from-stream-eof'; new optional terminalMissing: boolean. Fix C (libp2p-host.ts): connection:open / connection:close / peer:connect / peer:disconnect listeners log via console.warn + a 30s setInterval heartbeat logs age/status for every open connection; cleanup in stop(). Marker propagation: RemoteMemberDriver.prompt() yield-order is now chunks → parley_integrity agent_meta → error frame surfacing (was: error frame first, dropping chunks + meta). ChannelOrchestrator extracts markers from the parley_integrity event into TurnDelivery. bridge ping text mode emits a ⚠ integrity-degraded warning when integrityDegraded or terminalMissing is set.

Total delta: 13 files, +1215 / -120. +19 new tests across the three fixes.

---

What's good

• Fix B's signed-error verification path uses the same payload binding (channel_id, delivery_id, protocol, request_envelope_hash, seq, turn_id, terminal_payload) as the normal verifyResponseError path. On invalid signature → throws TRANSCRIPT_TERMINAL_MISSING. The fallback never silently trusts an under-bound terminal. (parley-client.ts:406-440)
• Yield-order fix in remote-member-driver.ts:303-329 is the right shape. Chunks + the parley_integrity agent_meta marker yield BEFORE the error-frame surfacing throw, so the orchestrator persists both before the delivery transitions to errored. The prior order would have dropped chunks + integrity meta for any chunks+signed_error+no_seal turn.
• Marker propagation flows end-to-end: driver → orchestrator → on-disk TurnDelivery → brv channel show --json → brv bridge ping text-mode ⚠ integrity-degraded warning. The operator-visibility chain that the prior review flagged as missing for --json is now also surfaced in text mode (ping.ts:formatPingResult).
• sendFrameDiagnostic discipline is consistent: every terminal/seal send inside dispatchResponseStream now logs + swallows. parley-server.ts:540-554 (error path) and parley-server.ts:571-585 (success path) are symmetric — this directly addresses the prior round's parley-server.ts:538 finding about asymmetric error-path protection.
• Test coverage is proportionate — parley-client-verify.test.ts gains 5 new cases for Fix B (signed-error positive, signed-error forged-sig negative, no-terminal-at-all soft completion, 9.5.7 path unchanged regression, empty-frames throw); orchestrator-phase2.test.ts gains 2 marker-persistence integration tests; ping.test.ts is new (4 cases) for the text-mode warning; libp2p-host.test.ts exercises connection-open/close listener wiring.
• Heartbeat timer cleanup in stop() (lines 357-361) is correct shape — clearInterval before node.stop() so the closed-node reference isn't accessed.

---

Inline findings (5 buffered)

1. parley-server.ts:870-871 — writeErrorTerminal (pre-dispatch verifier-reject path) still uses bare sendFrame. Fix A only closed the gap for dispatchResponseStream; the verifier-reject paths (IMPLEMENTATION_THROW / verifyResponseStream failure / CHANNEL_AUTO_PROVISION_DECLINED) are the most likely scenarios for a dialer-already-giving-up tear-down and are now the asymmetric remainder. Same sendFrameDiagnostic helper would close it.
2. parley-client.ts:459-477 — second-tier fallback labels an unknown completion state as endedState: 'completed'. The path is engaged when chunks arrived but neither stream_end nor error did — meaning we cannot distinguish "actually completed, libp2p torn down at the wrong instant" from "actually errored" from "actually still generating". terminalMissing=true is the only differentiator, and downstream consumers that destructure endedState (metrics, future auto-actioners) will read this as authoritative success. Recommend introducing endedState: 'unknown' (preferred) or reusing 'cancelled' for the v1.0 hardening pass — internal-test ship can absorb the optimistic label because formatPingResult surfaces the warning.
3. parley-client.ts:280-282 — Promise.race([iterator.next(), abortPromise]) correctly unblocks on abort but the in-flight iterator.next() promise is never settled and the iterator is never .return()'d. Underlying network buffers / partial decode state aren't released until the source finalizes, which in the abort-during-read scenario may never happen. Cheap fix: iterator.return?.().catch(() => {}) in the abort listener (or try { ... } finally { iterator.return?.()... } around the loop).
4. libp2p-host.ts:420-435 — two concerns on the new connection heartbeat: (a) log volume: 30s heartbeat fires unconditionally with console.warn (= daemon stderr); a daemon holding one Tailscale connection during a multi-hour session emits ~120 lines/hour. Gate behind BRV_BRIDGE_LIBP2P_HEARTBEAT_LOG=1 or lower to console.debug. (b) robustness: heartbeat closure doesn't catch node.getConnections() errors; an already-queued tick that fires after clearInterval but before node.stop() finishes could throw. Wrap body in try/catch.
5. orchestrator.ts:1517-1540 — implicit driver contract: marker propagation is hard-coded against payload.kind === 'agent_meta' && payload.subKind === 'parley_integrity' with Record<string, unknown> field extraction. A future driver that wants to surface integrity markers must match the exact subKind + field names or the markers silently disappear. Extract a typed ParleyIntegrityMarkers interface in shared/types/channel.ts, OR add a // Driver contract: see RemoteMemberDriver.prompt():323-326 anchor comment.

---

Prior-round findings — status

c4ee1135 addressed one prior round finding directly: the parley-server.ts:538 asymmetric error-path protection from the 2026-05-24 05:29 UTC review is now closed (both errorFrame and seal sends inside dispatchResponseStream go through sendFrameDiagnostic). The new finding above (writeErrorTerminal's verifier-reject path) is structurally the same shape on a different code path — call it a partial close.

All other prior findings still open as written (master-key colocation, NFC normalisation writer-only, unbounded Map family, process-lock doc/code drift, non-unique tmp paths, discovery.py bool-int, channel-skill/install-lib.js directory accept, claude-code-headless-adapter.ts env-passthrough + unbounded stderrChunks + flushStdoutBuffer race + doc/code drift + missing --verbose test, parley-adapter-registry.ts UNSAFE-without-deps logs-and-continues, bridge-config-store.ts listenAddrs not multiaddr-refined, ai-sdk-content-generator.ts synthetic usage masking, INTERNAL_TEST.md §3.1 / §3.5 / §5 / §5.1 doc trio, Phase 9.5.7 quartet from the 05:29 UTC review). Consistent with the PR's "internal-test cut, follow-ups tracked" framing.

---

Verdict for this push

LGTM-incremental. Phase 9.5.8 is a high-quality fix-pack with the same proportionate test discipline as 9.5.7. The signed-error fallback's payload binding is rigorous; the marker-propagation chain is plumbed end-to-end; the libp2p observability instrumentation will materially help the next live-test debug session. The 5 inline findings are robustness/clarity polish (verifier-reject path symmetry, optimistic endedState labeling, iterator cleanup on abort, heartbeat log volume, implicit driver contract on markers), not ship blockers.
· branch

[github-actions]

issue (asymmetric protection, low-medium — same shape as the prior round's §3.2 Layer B finding, this PR's Fix A only partially closes it): §9.5.8 Fix A wrapped every terminal-frame send inside dispatchResponseStream in sendFrameDiagnostic (lines 541, 572, 583), but the pre-dispatch verifier-reject path at lines 235-242 (IMPLEMENTATION_THROW), 260-267 (verifyResponseStream failure), and 310-322 (CHANNEL_AUTO_PROVISION_DECLINED) calls into writeErrorTerminal, which still uses bare sendFrame here at lines 870-871.

These are the exact code paths most likely to hit a torn-down stream — the dialer who hit a verifier failure may already be in the process of giving up. If sendFrame throws here, the rejection propagates up through the libp2p handle callback registered at host.handle(PARLEY_QUERY_PROTOCOL, async (stream) => {...}) (line 202), and the entire diagnostic-visibility intent of Fix A is bypassed for the verifier-reject paths.

Cheap fix — wrap both calls with the same sendFrameDiagnostic helper, threading channel_id + turn_id from bound (or use sentinel "unknown" for the no-parse path):

await sendFrameDiagnostic({
  channelId: bound.channel_id,
  frame: errorFrame,
  label: 'error terminal frame (verifier reject path)',
  stream,
  turnId: bound.turn_id,
})
await sendFrameDiagnostic({
  channelId: bound.channel_id,
  frame: seal,
  label: 'transcript_seal frame (verifier reject path)',
  stream,
  turnId: bound.turn_id,
})

Non-blocking — the operator-visibility intent of Fix A is what's at stake, not work-product loss (the verifier-reject path has no on-disk artifact to preserve). But the inconsistency invites the next contributor to copy the wrong pattern.

[github-actions]

issue (semantic correctness, medium — the most semantically loaded choice in 9.5.8): the second-tier "no terminal at all" fallback returns endedState: 'completed' for what is genuinely an unknown completion state. The path is engaged when chunks arrived but neither stream_end NOR error did — meaning we cannot distinguish:

1. Responder generated a partial answer, was about to emit stream_end, libp2p tore down at the wrong instant → actually completed.
2. Responder errored mid-generation, was about to emit a signed error frame, libp2p tore down at the wrong instant → actually errored.
3. Responder was still generating, libp2p tore down before the rest of the answer → actually cancelled / incomplete.

Labeling all three as endedState: 'completed' (with terminalMissing: true as the only guardrail) biases toward optimism. The formatPingResult warning at ping.ts:46-50 correctly surfaces the degradation when an operator runs brv bridge ping in text mode, but any other downstream consumer that simply destructures endedState — metrics, brv channel show in default mode, future code that auto-actions on completion — will read this as authoritative success.

Two reasonable fixes:

1. Introduce a distinct endedState: 'unknown' (preferred — lexically unambiguous):

   endedState: 'unknown' as const,

   and update TurnDeliverySchema in src/shared/types/channel.ts to extend the enum.

2. Re-use 'cancelled' (the existing wire-protocol value closest to "responder didn't finish on the record") and document this as the convention.

The current shape — 'completed' with a terminalMissing flag — is fine for the internal-test ship if every consumer is audited to check the flag. For follow-up work it's worth tightening to make the unknown-completion case structurally undeniable rather than relying on a Boolean side-channel.

Non-blocking for internal-test; flag for the v1.0 hardening pass.

[github-actions]

nit (resource cleanup, low): Promise.race([iterator.next(), abortPromise]) correctly unblocks the loop on abort, but the in-flight iterator.next() promise is never settled and never explicitly closed. If the underlying length-prefixed source's iterator is holding network buffers, partial decode state, or a stream reference, those aren't released until the source's own finalization runs — which, in the abort-during-read scenario this code is built for, may never happen because the connection went away.

Cheap fix — formally close the iterator on abort:

const abortPromise: Promise<never> =
  signal === undefined
    ? new Promise<never>(() => {})
    : new Promise<never>((_, reject) => {
        signal.addEventListener(
          'abort',
          () => {
            // Formally close the iterator so any held resources release.
            // Errors here are swallowed — we're already aborting.
            iterator.return?.().catch(() => {})
            reject(abortReasonAsError(signal))
          },
          {once: true},
        )
      })

Note: iterator would need to be hoisted out of the while setup at line 277-278 to be in scope here. Alternatively, wrap the loop in try { ... } finally { iterator.return?.().catch(() => {}) } so the iterator is closed on all loop exits (abort, seal, parse-fail, source-EOF), not just abort.

Non-blocking; the leak is bounded to the lifetime of the libp2p stream tear-down, which is itself bounded. But this is the kind of pattern that compounds badly under load.

[github-actions]

nit (operator UX / log volume, low — and one robustness gap):

1. Log volume. The 30s heartbeat fires unconditionally and emits one console.warn line per open connection. For internal-test (rare, short-lived turns) this is fine — the commit message frames it as "the diagnostic instrumentation the original bug report's '17-minute abort mystery' needs." But for a long-running daemon that holds a single Tailscale connection open during a multi-hour session, that's 120 lines per hour per connection in the server-*.log, on top of the existing connection:open / connection:close listeners that already give event-driven coverage of the same data. Recommend either:

   • Gate behind a BRV_BRIDGE_LIBP2P_HEARTBEAT_LOG=1 env flag (default off), so operators chasing the 17-min abort can opt in.
   • Lower to console.debug and let the standard logging filter handle it.

2. Robustness gap. The heartbeat closure captures const {node} = this (line 422) but doesn't guard against node.getConnections() throwing if the body runs after stop() has begun. There's a small race window: an interval callback that was already queued before clearInterval(...) in stop() will still execute, and by the time it does, await node.stop() may be in flight. Wrap the body in try/catch:

   this.connectionHeartbeatTimer = setInterval(() => {
     try {
       const conns = node.getConnections()
       if (conns.length === 0) return
       for (const conn of conns) { /* … */ }
     } catch (error) {
       // Race: stop() invalidated the node between clearInterval and this tick.
       // Drop silently; the heartbeat timer is observability-only.
     }
   }, 30_000)

Non-blocking; both are polish items. The 17-minute-mystery use case is served fine by the event listeners alone, which don't poll.

[github-actions]

nit (coupling, low): the integrity-marker propagation is hard-coded against a single event shape — agent_meta events with subKind === 'parley_integrity' — and the field names (sealOrigin / integrityDegraded / terminalMissing) are extracted via Record<string, unknown> rather than a typed payload. Two consequences:

1. Implicit driver contract. If a future driver (kimi-acp, a yet-unwritten quorum adapter, anything in the cross-machine wiring after 9.6/9.7/9.9) wants to surface integrity-degraded markers, it MUST emit precisely this subKind with precisely these field names — or the marker silently disappears. There's no compile-time check.

2. Field-name drift. A typo on the driver side (e.g. sealOrigin vs seal_origin) is silent — the check typeof markers.sealOrigin === 'string' just evaluates false and skips.

Cheap fixes — pick one:

• Defensive (recommended for the internal-test cut): extract a typed ParleyIntegrityMarkers interface (it'd live alongside TurnDelivery in shared/types/channel.ts), and have the driver yield a discriminated-union payload typed against that. The orchestrator would then narrow with a type guard rather than Record<string, unknown> lookups.

• Light (single comment): add a // Driver contract: see RemoteMemberDriver.prompt():323-326 for the canonical emit shape. block-comment here so future readers of either side know the coupling exists.

Non-blocking; the actual marker propagation is correct for the only driver that emits them today.