From dd97c49e6b60cabb8eddfabdc647e35811186060 Mon Sep 17 00:00:00 2001 From: YeonGyu-Kim Date: Wed, 8 Apr 2026 02:02:48 +0900 Subject: [PATCH] =?UTF-8?q?docs(roadmap):=20file=20startup-friction=20gap?= =?UTF-8?q?=20=E2=80=94=20no=20default=20trusted=5Froots=20in=20settings?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit WorkerCreate requires trusted_roots per-call; no config-level default. Any batch that forgets the field stalls all workers at trust_required. Root cause of several 'batch lanes not advancing' incidents. Recommended fix: wire RuntimeConfig::trusted_roots() as default into WorkerRegistry::spawn_worker(), with per-call overrides. Update config_validate schema to include the new field. --- ROADMAP.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/ROADMAP.md b/ROADMAP.md index 9fb2003..f0bc6b5 100644 --- a/ROADMAP.md +++ b/ROADMAP.md 
@@ -404,3 +404,21 @@ to: **Action item:** Wire `WorkerRegistry::transition()` to atomically write `.claw/worker-state.json` on every state transition. Add a `claw state` CLI subcommand that reads and prints this file. Add regression test. **Prior session note:** A previous session summary claimed commit `0984cca` landed a `/state` HTTP endpoint via axum. This was incorrect — no such commit exists on main, axum is not a dependency, and the HTTP server is not ours. The actual work that exists: `worker_boot.rs` with `WorkerStatus` enum + `WorkerRegistry`, fully wired into `runtime/src/lib.rs` as public exports. + +## Startup Friction Gap: No Default trusted_roots in Settings (filed 2026-04-08) + +### Every lane starts with manual trust babysitting unless caller explicitly passes roots + +**Root cause discovered during direct dogfood of WorkerCreate tool.** + +`WorkerCreate` accepts a `trusted_roots: Vec` parameter. If the caller omits it (or passes `[]`), every new worker immediately enters `TrustRequired` and stalls — requiring manual intervention to advance to `ReadyForPrompt`. There is no mechanism to configure a default allowlist in `settings.json` or `.claw/settings.json`. + +**Impact:** Batch tooling (clawhip, lane orchestrators) must pass `trusted_roots` explicitly on every `WorkerCreate` call. If a batch script forgets the field, all workers in that batch stall silently at `trust_required`. This was the root cause of several "batch 8 lanes not advancing" incidents. + +**Recommended fix:** +1. Add a `trusted_roots` field to `RuntimeConfig` (or a nested `[trust]` table), loaded via `ConfigLoader`. +2. In `WorkerRegistry::spawn_worker()`, merge config-level `trusted_roots` with any per-call overrides. +3. Default: empty list (safest). Users opt in by adding their repo paths to settings. +4. Update `config_validate` schema with the new field. + +**Action item:** Wire `RuntimeConfig::trusted_roots()` → `WorkerRegistry::spawn_worker()` default. 
Cover with test: config with `trusted_roots = ["/tmp"]` → spawning worker in `/tmp/x` auto-resolves trust without caller passing the field.
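Review bot: Step 2 of the Recommended fix ("merge config-level `trusted_roots` with any per-call overrides") and the Action item (config value as the "default" with per-call overrides) describe two different semantics, and the entry should settle on one before it is implemented: a union silently widens the trust set whenever a caller passes its own list, while a replace means a caller passing `[]` (which the entry currently treats the same as omitting the field) would still stall at `TrustRequired`. State whether "omitted" and `[]` are distinct (an `Option` on the parameter would make that explicit) and which source wins when both are present. Two related points: the entry names both `settings.json` and `.claw/settings.json` as candidate homes for the default, but a repo-local file that can pre-grant trust to paths defeats the purpose of the `TrustRequired` gate, so the roadmap should say the default is read from user-level settings only (or is validated against the repo the worker is being spawned for). The suggested test (`trusted_roots = ["/tmp"]`, worker in `/tmp/x`) also needs a negative case beside it, e.g. a worker in `/tmpx/y` still entering `TrustRequired`, so that root matching is pinned to path components rather than string prefixes. Lastly, `trusted_roots: Vec` appears without its element type; spell it out (e.g. `Vec<PathBuf>`) so the `config_validate` schema and the per-call parameter agree.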