diff --git a/ROADMAP.md b/ROADMAP.md index 9fb2003..f0bc6b5 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -404,3 +404,21 @@ to: **Action item:** Wire `WorkerRegistry::transition()` to atomically write `.claw/worker-state.json` on every state transition. Add a `claw state` CLI subcommand that reads and prints this file. Add regression test. **Prior session note:** A previous session summary claimed commit `0984cca` landed a `/state` HTTP endpoint via axum. This was incorrect — no such commit exists on main, axum is not a dependency, and the HTTP server is not ours. The actual work that exists: `worker_boot.rs` with `WorkerStatus` enum + `WorkerRegistry`, fully wired into `runtime/src/lib.rs` as public exports. + +## Startup Friction Gap: No Default trusted_roots in Settings (filed 2026-04-08) + +### Every lane starts with manual trust babysitting unless caller explicitly passes roots + +**Root cause discovered during direct dogfood of WorkerCreate tool.** + +`WorkerCreate` accepts a `trusted_roots: Vec` parameter. If the caller omits it (or passes `[]`), every new worker immediately enters `TrustRequired` and stalls — requiring manual intervention to advance to `ReadyForPrompt`. There is no mechanism to configure a default allowlist in `settings.json` or `.claw/settings.json`. + +**Impact:** Batch tooling (clawhip, lane orchestrators) must pass `trusted_roots` explicitly on every `WorkerCreate` call. If a batch script forgets the field, all workers in that batch stall silently at `trust_required`. This was the root cause of several "batch 8 lanes not advancing" incidents. + +**Recommended fix:** +1. Add a `trusted_roots` field to `RuntimeConfig` (or a nested `[trust]` table), loaded via `ConfigLoader`. +2. In `WorkerRegistry::spawn_worker()`, merge config-level `trusted_roots` with any per-call overrides. +3. Default: empty list (safest). Users opt in by adding their repo paths to settings. +4. Update `config_validate` schema with the new field. + +**Action item:** Wire `RuntimeConfig::trusted_roots()` → `WorkerRegistry::spawn_worker()` default. Cover with test: config with `trusted_roots = ["/tmp"]` → spawning worker in `/tmp/x` auto-resolves trust without caller passing the field.