feat(cua): add delegated-run provider#678
Conversation
|
Codex review: needs real behavior proof before merge. Reviewed July 3, 2026, 11:45 PM ET / 03:45 UTC. Summary Reproducibility: not applicable. this is a feature PR rather than a report of broken current-main behavior. The relevant verification is live CUA runtime proof on the proposed provider branch. Review metrics: 2 noteworthy metrics.
Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Proof guidance:
Risk before merge
Maintainer options:
Next step before merge
Security Review detailsBest possible solution: Merge only after maintainers accept CUA as a built-in delegated-run provider and the PR body includes redacted live CUA lifecycle proof on the exact head. Do we have a high-confidence way to reproduce the issue? Not applicable; this is a feature PR rather than a report of broken current-main behavior. The relevant verification is live CUA runtime proof on the proposed provider branch. Is this the best way to solve the issue? Yes for the implementation direction: the provider-local delegated-run adapter matches the linked issue and repository architecture. It is not merge-ready until live CUA proof and maintainer product acceptance are in place. AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against b8abdbc5b874. Label changesLabel justifications:
Evidence reviewedWhat I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
|
947eb6e to
a0d8ab0
Compare
Register the CUA delegated-run provider with non-secret config, provider-prefixed flags, safe local-only API URL handling, generated metadata, and foundation tests. Keep lifecycle and bridge behavior non-mutating and explicitly deferred so later plan branches can add claims, doctor probing, and run execution without changing the provider contract.
Implement the PLAN-02 CUA SDK bridge contract, conservative local claim helpers, and bridge-backed non-mutating doctor checks. The bridge uses JSON stdin/stdout through Runtime.Exec, maps Crabbox credentials only into the child process environment, and runs from a trusted cache directory to avoid repository-controlled Python imports.
Add the CUA delegated-run backend for warmup, fresh run, retained reuse, list, status, stop, cleanup, and archive sync through the Python SDK bridge.\n\nDocument the completed provider contract, add guarded live-smoke classification, and cover lifecycle, ownership, sync, timeout, env-forwarding, and cleanup behavior with focused tests.
Add a provider-local per-lease operation lock around retained run reuse, explicit stop, and cleanup so cleanup cannot delete a sandbox while another CUA lifecycle operation is using it. Refresh retained claims with compare-and-swap semantics and transition stop/cleanup through a cleanup claim state before deleting remote sandboxes.
a0d8ab0 to
113ce8e
Compare
Closes #381
Summary
0600before writing values, and remove them idempotentlyVerification
Exact candidate:
113ce8e36c533a39c6a83ffad7b3211e1da0b1c5go vet ./...go run golang.org/x/tools/cmd/deadcode@v0.45.0 -test ./...scripts/check-go-coverage.sh 90.0(90.1%core coverage)go test -race ./internal/providers/cua ./internal/providers/all ./cmd/crabbox -count=1go test -race ./internal/cli -run '^(TestApplyEnvRejectsNegativeCUAResources|TestCUARepoConfigCannotReplaceBridgeRuntime|TestCUAConfigRejectsNegativeYAMLValues)$' -count=1node scripts/check-provider-matrix.mjs(72 providers)scripts/check-docs.sh(52 command docs, 206 Markdown files, generated site)node --test scripts/live-cua-smoke.test.jscua==0.1.6/cua-sandbox==0.1.17installed in disposable Python 3.13; the built CLI doctor proves Python and SDK readiness and classifies only missing authThe module-wide runner encountered two unrelated controller timing assertions in separate runs; each passed immediately in an isolated rerun. Hosted CI is running on the exact candidate above.
Live proof gate
The current CUA service routes new accounts to an early-access request instead of issuing dashboard access or an API key. The approved test-account request was submitted and confirmed, but no credential or paid resource exists yet. Keep this PR unmerged until access is enabled and
CRABBOX_CUA_LIVE=1 scripts/live-cua-smoke.shpasses create, run, reuse, stop, and list-confirmed zero-residue cleanup on this exact head.