docs: add crash recovery, sandboxing, analytics, and testing decisions

[Aureliolo]

Summary

Addresses open questions raised by three external reviews of the design spec. Adds four new sections and updates existing tables with resolved decisions.

• §6.6 Agent Crash Recovery — pluggable RecoveryStrategy protocol: fail-and-reassign (M3 MVP), checkpoint recovery (M4/M5), with environment reconciliation on resume
• §10.5 LLM Call Analytics — incremental build: proxy overhead metrics (M3) → call categorization + orchestration ratio (M4) → full analytics with retry/latency/cache tracking (M5+)
• §11.1.2 Tool Sandboxing — layered SandboxBackend protocol: SubprocessSandbox for low-risk tools (file, git), DockerSandbox for code execution/terminal, K8sSandbox for future container deployments
• §15.3 updated project tree (tools/sandbox/ directory with protocol, subprocess, docker)
• §15.4 new design decision row for sandboxing
• §15.5 five new convention rows: sandboxing, crash recovery, agent behavior testing, LLM call analytics
• §17.1 resolved question Implement retry logic, rate limiting, and provider error handling #9 (sandboxing), added Design and implement basic tool system (registry, invocation, results) #15-17 as resolved (crash recovery, testing strategy, overhead tracking)
• §17.3 updated crash risk mitigation, added orchestration overhead risk

Test plan

• Verify all new sections have correct markdown formatting and render properly
• Verify cross-references (§ links) point to correct sections
• Verify §15.3 project tree matches the intended sandbox directory structure
• Verify §17.1 open questions table has correct resolved/open status

🤖 Generated with Claude Code

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the design specification by formalizing critical architectural decisions related to agent resilience, security, and observability. It introduces detailed strategies for handling agent crashes, implementing layered tool sandboxing, and establishing an incremental LLM call analytics framework. These updates address key concerns raised during external reviews, providing clear paths for development across upcoming milestones and improving the overall robustness and manageability of the agent system.

Highlights

• Agent Crash Recovery: Introduced a pluggable RecoveryStrategy protocol, detailing an M3 MVP 'fail-and-reassign' strategy and planned M4/M5 'checkpoint recovery' with environment reconciliation.
• LLM Call Analytics: Defined an incremental analytics build, starting with M3 proxy overhead metrics, moving to M4 call categorization and orchestration ratio, and M5+ full analytics including retry/latency/cache tracking.
• Tool Sandboxing: Established a layered SandboxBackend protocol, detailing SubprocessSandbox for low-risk tools, DockerSandbox for high-risk tools (code execution/terminal), and K8sSandbox for future deployments.
• Project Structure Update: Modified the project tree to include a tools/sandbox/ directory with protocol.py, subprocess.py, and docker.py.
• Design Decisions & Conventions: Added a new design decision row for sandboxing and five new convention rows covering sandboxing, crash recovery, agent behavior testing, and LLM call analytics.
• Resolved Questions & Risks: Updated the open questions table, resolving question Implement retry logic, rate limiting, and provider error handling #9 (sandboxing) and adding Design and implement basic tool system (registry, invocation, results) #15-17 (crash recovery, testing strategy, overhead tracking) as resolved. Also updated crash risk mitigation and added orchestration overhead risk.

Changelog

• DESIGN_SPEC.md
  • Added a new section 6.6 Agent Crash Recovery detailing pluggable recovery strategies.
  • Added a new section 10.5 LLM Call Analytics outlining an incremental analytics system.
  • Added a new section 11.1.2 Tool Sandboxing describing a layered sandboxing approach.
  • Updated section 15.3 Project Tree to reflect the new tools/sandbox/ directory structure.
  • Updated section 15.4 Design Decisions with a new entry for sandboxing.
  • Updated section 15.5 Pydantic Model Conventions with new entries for tool sandboxing, crash recovery, agent behavior testing, and LLM call analytics.
  • Updated section 17.1 Open Questions to mark questions Implement retry logic, rate limiting, and provider error handling #9, Design and implement basic tool system (registry, invocation, results) #15, Implement tool permission checking based on role and access level #16, and Implement loop prevention (depth limits, dedup, circuit breakers, ancestry) #17 as resolved.
  • Updated section 17.2 Technical Risks to include specific mitigation strategies for data loss on crash and orchestration overhead.

Activity

• No human activity has occurred on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[gemini-code-assist]

Code Review

This pull request significantly enhances the design specification by adding detailed sections on agent crash recovery, LLM call analytics, tool sandboxing, and agent behavior testing. The new content is well-structured, clear, and resolves several previously open questions. The updates to the project structure, design decisions, and risk tables are consistent with these additions. I have one suggestion to improve the security posture of the proposed tool sandboxing design.

_{Note: Security Review has been skipped due to the limited scope of the PR.}

[gemini-code-assist]

In the sandboxing.overrides configuration, assigning the web tool category to the subprocess backend might introduce security risks. A subprocess has access to the host's network stack, which could allow it to connect to internal services on localhost or the local network, even if its filesystem access is restricted.

The comment mentions a 'timeout + allowlist', but the subprocess configuration doesn't show how this network allowlist would be implemented or enforced. For better security and isolation, consider defaulting the web category to the docker backend. The docker sandbox is configured with network: "none" by default, providing strong network isolation. If network access is needed for specific web tools, a dedicated Docker network with an egress-only policy could be used.

Suggested change

	web: "subprocess" # medium risk — timeout + allowlist
	web: "docker" # medium risk — requires network isolation

[Copilot]

Pull request overview

Updates the design specification to resolve external review questions by documenting crash recovery, tool sandboxing, LLM call analytics, and testing conventions, plus reflecting those decisions in the architecture tables.

Changes:

• Add new spec sections: §6.6 Agent Crash Recovery, §10.5 LLM Call Analytics, §11.1.2 Tool Sandboxing.
• Update §15 architecture tables/project tree to include sandboxing decisions and planned directory structure.
• Mark previously open questions as resolved in §17.1 and add related risk mitigations in §17.3.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The spec says the engine should log the full AgentContext snapshot including the conversation on crash. In the current codebase, AgentContext.to_snapshot() produces an AgentContextSnapshot that intentionally excludes message contents (only message_count, turn_count, cost, etc.), which is safer and avoids leaking sensitive prompts/tool outputs into logs. Suggest updating this section to align with the existing snapshot model and explicitly call out redaction/truncation if any message content is ever logged.

[Copilot]

BaseCompletionProvider.complete() does not currently record a CostRecord (and it also lacks agent/task context needed to populate one). It only logs provider call start/success/error; cost aggregation happens via TokenUsage on responses and (when wired) the budget layer. Please reword this to avoid stating it "already records a CostRecord" and instead describe where/when CostRecord entries are created (e.g., in the engine when agent_id/task_id are known, recorded into CostTracker).

[Copilot]

tokens_per_task is described as coming from AgentContext.accumulated_cost, but accumulated_cost is a TokenUsage object. To avoid ambiguity, consider calling out the exact field used for the token total (e.g., accumulated_cost.total_tokens or input_tokens + output_tokens) vs cost (accumulated_cost.cost_usd).

Suggested change

	- `tokens_per_task` — total tokens consumed (from `AgentContext.accumulated_cost`)
	- `tokens_per_task` — total tokens consumed (from `AgentContext.accumulated_cost.total_tokens`)

[greptile-apps]

Greptile Summary

This PR addresses four open questions from external design-spec reviews by adding §6.6 (Agent Crash Recovery), §10.5 (LLM Call Analytics), §11.1.2 (Tool Sandboxing), and corresponding entries in §15–§17. The overall structure is well-thought-out — the pluggable protocol pattern (RecoveryStrategy, SandboxBackend) is consistent with the rest of the spec, and the incremental milestone approach for analytics is practical.

Key issues found:

• egress-only is not a valid Docker network mode (DESIGN_SPEC.md §11.1.2, line 1337) — Docker has no built-in "egress-only" driver; this would fail at runtime and requires a concrete implementation plan (sidecar proxy, iptables rules, etc.)
• Empty allowed_hosts: [] with database: "bridge" provides no host-level isolation (DESIGN_SPEC.md §11.1.2, lines 1335–1338) — without a populated allowlist and an enforcement mechanism, bridge-networked database containers have unrestricted network access
• Checkpoint storage silently persists full AgentContext message contents (DESIGN_SPEC.md §6.6, lines 873–891) — Strategy 1 explicitly redacts message contents from crash logs, but Strategy 2 checkpoints write the full conversation history to SQLite/filesystem at rest with no mention of encryption, access controls, or whether redaction applies

Confidence Score: 3/5

• Safe to merge for documentation purposes, but two sections contain implementation-blocking spec errors that will cause confusion or failures when developers implement them in M3.
• The structural and organizational changes are clean and address prior review feedback well. However, §11.1.2 specifies a non-existent Docker network mode (egress-only) and an unenforced allowlist mechanism — both would mislead M3 implementers. §6.6 has a security gap (plaintext checkpoint storage of sensitive message contents) that is inconsistent with the redaction discipline established in Strategy 1. These are spec-level errors in sections that will be directly implemented in M3, so they warrant a lower confidence score despite being a docs-only PR.
• Pay close attention to DESIGN_SPEC.md §11.1.2 (Docker network configuration) and §6.6 (checkpoint storage security).

Important Files Changed

Filename	Overview
DESIGN_SPEC.md	Adds four new spec sections (§6.6, §10.5, §11.1.2, updates to §15–§17). Contains two concrete implementation blockers in §11.1.2 (egress-only is not a valid Docker network mode; empty allowed_hosts with bridge networking provides no isolation), and a security gap in §6.6 (checkpoint storage persists full message contents without any acknowledgement or controls, inconsistent with Strategy 1's explicit redaction).
CLAUDE.md	Minor package-structure comment update: moves sandboxing annotation from security/ to tools/. Accurately reflects the §15.3 project tree change. No issues.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Agent Execution Start] --> B[Engine Execution Loop]
    B --> C{Exception?}
    C -- No --> D[Turn Completed]
    D --> E{Strategy?}
    E -- fail_reassign --> F[Strategy 1: Skip checkpoint]
    E -- checkpoint --> G[Strategy 2: Persist AgentContext snapshot\nto SQLite / filesystem]
    G --> B

    C -- Yes --> H{Strategy?}
    H -- fail_reassign --> I[Catch at engine boundary\nLog redacted snapshot\nmessage contents excluded]
    H -- checkpoint --> J[Detect via exception\nor heartbeat timeout]

    J --> K[Load last checkpoint\nfull AgentContext incl. messages]
    K --> L{Resume attempts\n< max_resume_attempts?}
    L -- Yes --> M[Environment reconciliation\nsummary of changes since checkpoint]
    M --> B
    L -- No --> N[Fall back to fail_reassign]
    N --> I

    I --> O[TaskExecution → FAILED\nwith failure reason]
    O --> P[Task available for reassignment\nvia task router]

Loading

_{Last reviewed commit: 383125d}

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Summary by CodeRabbit

Documentation

• Updated design specifications with agent crash-recovery system featuring configurable recovery strategies
• Added tool sandboxing capabilities supporting multiple backends (subprocess, Docker, Kubernetes planned)
• Extended engineering conventions documentation with new development milestones

Walkthrough

Documentation updates to CLAUDE.md with directory taxonomy and capability terminology adjustments. DESIGN_SPEC.md significantly expanded with new crash-recovery design (RecoveryStrategy pattern), tool sandboxing specification (SandboxBackend protocol), updated task failure workflows, and extended engineering conventions section.

Changes

Cohort / File(s)	Summary
Documentation Metadata CLAUDE.md	Updated directory structure, adjusted security description from "sandboxing" to "audit", and added "sandboxing" to tools/capabilities list.
Design Specification Expansion DESIGN_SPEC.md	Added crash-recovery design section with pluggable RecoveryStrategy implementations (Fail-and-Reassign default, Checkpoint planned), new FAILED task status variant, YAML config examples. Introduced modular Tool Sandboxing (§11.1.2) with SandboxBackend protocol supporting SubprocessSandbox, DockerSandbox, and future K8sSandbox backends. Extended Engineering Conventions (§15.5) with entries for sandboxing, crash recovery, and agent analytics. Updated risk/plan narrative and cross-references to align crash-recovery and analytics as M3–M5 milestones.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• docs: expand design spec with pluggable strategy protocols #121: Introduces pluggable protocol/strategy abstractions in DESIGN_SPEC.md (RecoveryStrategy, SandboxBackend patterns) aligned with this PR's architectural abstractions.
• docs: add CLAUDE.md, contributing guide, and dev documentation #65: Modifies CLAUDE.md terminology and structure, directly related to this PR's documentation taxonomy updates.
• Add design specification, license, and project setup #2: Added initial DESIGN_SPEC.md; this PR significantly extends it with crash-recovery and sandboxing design sections.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main changes: adding crash recovery, sandboxing, analytics, and testing decisions to the design specification documentation.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, providing detailed summaries of each new section and update made to the design specification.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch docs/design-spec-review-decisions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

egress-only is not a valid Docker network mode

network: "egress-only" is not a recognized Docker network driver. Docker's built-in network modes are bridge, host, overlay, macvlan, ipvlan, and none. Passing egress-only as the --network argument to docker run would fail with an error like network egress-only not found.

Restricting a container to outbound-only traffic in Docker actually requires either:

1. A custom network + iptables rules (or nftables) to block inbound connections while permitting outbound ones
2. Routing all traffic through a local HTTP proxy (e.g., Squid) whose allowlist controls what the container can reach
3. A userspace sandboxing layer like gVisor (--runtime=runsc) with a custom network policy

The spec should document which of these mechanisms is intended and not use a non-existent Docker primitive. Otherwise implementers will hit a runtime error and have no guidance on what to build.

Suggested change

	web: "egress-only" # web tools need outbound HTTP; no inbound
	web: "bridge" # web tools need outbound HTTP; enforce allowlist via proxy or iptables — see note

Note: Docker has no native "egress-only" mode. Outbound-only restriction for web tools must be implemented via a sidecar proxy (e.g., Squid + http_access rules) or iptables FORWARD rules on a custom bridge network. Document the chosen mechanism before implementing DockerSandbox for the web category.

Prompt To Fix With AI

This is a comment left during a code review.
Path: DESIGN_SPEC.md
Line: 1337

Comment:
**`egress-only` is not a valid Docker network mode**

`network: "egress-only"` is not a recognized Docker network driver. Docker's built-in network modes are `bridge`, `host`, `overlay`, `macvlan`, `ipvlan`, and `none`. Passing `egress-only` as the `--network` argument to `docker run` would fail with an error like `network egress-only not found`.

Restricting a container to outbound-only traffic in Docker actually requires either:
1. A custom network + `iptables` rules (or `nftables`) to block inbound connections while permitting outbound ones
2. Routing all traffic through a local HTTP proxy (e.g., [Squid](http://www.squid-cache.org/)) whose allowlist controls what the container can reach
3. A userspace sandboxing layer like `gVisor` (`--runtime=runsc`) with a custom network policy

The spec should document which of these mechanisms is intended and not use a non-existent Docker primitive. Otherwise implementers will hit a runtime error and have no guidance on what to build.

```suggestion
      web: "bridge"                      # web tools need outbound HTTP; enforce allowlist via proxy or iptables — see note
```

> **Note:** Docker has no native "egress-only" mode. Outbound-only restriction for web tools must be implemented via a sidecar proxy (e.g., Squid + `http_access` rules) or `iptables FORWARD` rules on a custom bridge network. Document the chosen mechanism before implementing `DockerSandbox` for the `web` category.

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

allowed_hosts is empty by default but database: "bridge" provides no isolation without it

The network_overrides section sets database: "bridge", which correctly allows the container to reach a database over TCP. However, allowed_hosts: [] is empty by default, meaning there is no host-level allowlist enforced. A Docker container on a bridge network can reach any host reachable on that bridge — not just the database. The combination of bridge network + empty allowed_hosts offers essentially no isolation beyond the container boundary itself.

For the allowed_hosts field to be meaningful, DockerSandbox must:

1. Enforce it via iptables rules, a sidecar proxy, or Docker's --add-host + --network combination
2. Document that allowed_hosts: [] means "deny all outbound connections on bridge" (deny-by-default), not "allow all"

The spec currently implies the allowlist is opt-in but provides no mechanism for its enforcement, leaving a gap that implementers will silently skip. At minimum, add a clarifying note:

    allowed_hosts: []                  # REQUIRED for database category: e.g. ["db:5432"]. Empty = deny all outbound on bridge.

Prompt To Fix With AI

This is a comment left during a code review.
Path: DESIGN_SPEC.md
Line: 1335-1338

Comment:
**`allowed_hosts` is empty by default but `database: "bridge"` provides no isolation without it**

The `network_overrides` section sets `database: "bridge"`, which correctly allows the container to reach a database over TCP. However, `allowed_hosts: []` is empty by default, meaning there is no host-level allowlist enforced. A Docker container on a `bridge` network can reach *any* host reachable on that bridge — not just the database. The combination of `bridge` network + empty `allowed_hosts` offers essentially no isolation beyond the container boundary itself.

For the `allowed_hosts` field to be meaningful, `DockerSandbox` must:
1. Enforce it via `iptables` rules, a sidecar proxy, or Docker's `--add-host` + `--network` combination
2. Document that `allowed_hosts: []` means "deny all outbound connections on bridge" (deny-by-default), not "allow all"

The spec currently implies the allowlist is opt-in but provides no mechanism for its enforcement, leaving a gap that implementers will silently skip. At minimum, add a clarifying note:

```yaml
    allowed_hosts: []                  # REQUIRED for database category: e.g. ["db:5432"]. Empty = deny all outbound on bridge.
```

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

Checkpoint storage silently persists full message contents

Strategy 1 (fail-and-reassign) explicitly redacts message contents from its log entry: "excluding message contents to avoid leaking sensitive prompts/tool outputs". But Strategy 2 (checkpoint recovery) persists the full AgentContext snapshot — which includes the entire message history — to SQLite or the filesystem after every turn.

This creates an inconsistency: the same sensitive content that is deliberately excluded from crash logs in Strategy 1 is written in plaintext to a persistent checkpoint storage in Strategy 2. If the SQLite file or filesystem checkpoint directory is accessible to other agents, processes, or backup systems, sensitive prompts and tool outputs (API keys returned by tools, user PII in prompts, etc.) are silently at rest.

The spec should acknowledge this security implication and at least document the intended controls:

• Should checkpoint storage be encrypted at rest? (e.g., SQLCipher for SQLite, or filesystem-level encryption)
• Should AgentContext checkpoints exclude message contents (storing only tool call history + turn count) and rely on the task description for context on resume?
• What is the access model for the checkpoint database — is it per-agent, shared, or controlled by the engine process only?

Without explicit guidance here, implementers will default to unencrypted plaintext storage, which is a meaningful downgrade from the redaction discipline already applied in Strategy 1.

Prompt To Fix With AI

This is a comment left during a code review.
Path: DESIGN_SPEC.md
Line: 873-891

Comment:
**Checkpoint storage silently persists full message contents**

Strategy 1 (fail-and-reassign) explicitly redacts message contents from its log entry: *"excluding message contents to avoid leaking sensitive prompts/tool outputs"*. But Strategy 2 (checkpoint recovery) persists the *full* `AgentContext` snapshot — which includes the entire message history — to SQLite or the filesystem after every turn.

This creates an inconsistency: the same sensitive content that is deliberately excluded from crash logs in Strategy 1 is written in plaintext to a persistent `checkpoint` storage in Strategy 2. If the SQLite file or filesystem checkpoint directory is accessible to other agents, processes, or backup systems, sensitive prompts and tool outputs (API keys returned by tools, user PII in prompts, etc.) are silently at rest.

The spec should acknowledge this security implication and at least document the intended controls:

- Should checkpoint storage be encrypted at rest? (e.g., SQLCipher for SQLite, or filesystem-level encryption)
- Should `AgentContext` checkpoints exclude message contents (storing only tool call history + turn count) and rely on the task description for context on resume?
- What is the access model for the checkpoint database — is it per-agent, shared, or controlled by the engine process only?

Without explicit guidance here, implementers will default to unencrypted plaintext storage, which is a meaningful downgrade from the redaction discipline already applied in Strategy 1.

How can I resolve this? If you propose a fix, please make it concise.