feat(acp-bridge): F3 — multi-client permission coordination (#4175)

[doudouOUC]

F3 — Multi-Client Permission Coordination (#4175)

Implements F3 from #4175: the
PermissionMediator contract frozen by PR 22a (#4295)
plus 4 strategy implementations, audit ring, capability surface, SDK reducer support, and docs.

Strategies

Strategy	Behavior
first-responder	Pre-F3 default. Any validated voter wins; later voters get 404. Wire-shape byte-for-byte preserved.
designated	Only the prompt originator decides; non-originators get 403 permission_forbidden / designated_mismatch. Anonymous prompts (no X-Qwen-Client-Id) fall back to first-responder.
consensus	N-of-M voters agree (default N = floor(M/2) + 1; override via policy.consensusQuorum). First option to reach quorum wins. Intermediate votes fan out permission_partial_vote SSE events.
local-only	Loopback voters only; remote callers get 403 permission_forbidden / remote_not_allowed. Decided by kernel-stamped req.socket.remoteAddress — does NOT consult X-Forwarded-For or any header.

What's new

• MultiClientPermissionMediator (mediator owns ALL pending + resolved permission state; bridge keeps only entry.pendingPermissionIds as a fast cap-check index)
• PermissionAuditRing + createPermissionAuditPublisher (in-memory bounded ring, default 512 entries, NOT routed onto SSE)
• 2 new SSE wire events: permission_partial_vote (consensus only), permission_forbidden (designated/consensus/local-only)
• 3 new typed errors: PermissionForbiddenError (403), PermissionPolicyNotImplementedError (501, forward-compat), CancelSentinelCollisionError (500)
• New settings: policy.permissionStrategy enum, policy.consensusQuorum number
• New capability: permission_mediation (always-on, modes: [...]); /capabilities.policy.permission exposes the active policy
• SDK: DaemonPermissionPartialVoteEvent / DaemonPermissionForbiddenEvent types, reducer extensions (permissionVoteProgress, forbiddenVotes), barrel re-exports

Hardness invariants

• N1: mediator.request() registers pending entries synchronously inside the Promise executor (no await before register) so a forgetSession racing with the bridge's publish → register → await sequencing can never miss a new pending.
• N2: resolveEntry cleanup is hardened — clearTimeout → state delete → emit (try/catch) → audit (try/catch) → Promise resolve (last). Tests verify the Promise settles even when emit/audit throw.
• N3: New events (permission_partial_vote, permission_forbidden) stamp originatorClientId = pending.originatorClientId (prompt originator). Pre-existing permission_resolved.originatorClientId === voter.clientId inconsistency is deliberately preserved for wire-shape compatibility — frozen by regression test.
• O5: Voter cancel ({outcome:'cancelled'}) maps to optionId: '__cancelled__' sentinel. Mediator resolves cancelled regardless of policy; collision against agent-declared option labels is detected at request issue time and throws CancelSentinelCollisionError.
• O8: Pre-F3 wire shape preserved bit-for-bit when policy is first-responder (default). httpAcpBridge.test.ts snapshot tests continue to pass.

Out of scope (follow-ups)

• GET /workspace/permission/audit query route on the audit ring (Commit 4 stages the ring; route follow-up).
• Pair-token + revocation API for consensus voter authentication.
• POST /workspace/policy live-reload (today: daemon restart).
• Decision persistence ("always allow" rules).
• Hook layer (PreToolUse-style external arbitrators).

References

• Issue: proposal(serve): Mode B feature-priority roadmap toward v0.16 production-ready #4175
• Frozen contract: PR 22a #4295
• Design references: opencode permission/index.ts (Deferred + map-delete-before-resolve), claude-code PermissionRequest hook (decisionReason discriminator)
• Plan: .claude/plans/fluttering-coalescing-kettle.md

Testing

• 35 mediator unit tests (4 strategies × happy path / forbidden / timeout / forgetSession; consensus 48-case property enumeration + M=4 N=3 split timeout)
• 10 audit ring tests (capacity, FIFO, snapshot filters, all 5 record shapes)
• 55 SDK reducer tests (8 new for partial vote / forbidden + ordering + forward-compat)
• 3 bridge integration tests (policy accessor, quorum validation)
• Pre-existing httpAcpBridge.test.ts snapshot suite stays green (first-responder bit-for-bit preserved)

Migration

Default behavior unchanged: omitting policy.permissionStrategy from settings keeps the daemon on first-responder. Operators opt in by writing one of the 4 strings under policy.permissionStrategy in workspace settings.json. Daemon restart required to pick up changes.

🤖 Generated with Qwen Code

[github-actions]

Code Review: F3 — Multi-Client Permission Coordination (#4335)

📋 Review Summary

This PR implements F3 from #4175: a comprehensive multi-client permission coordination system with four distinct mediation policies (first-responder, designated, consensus, local-only), an audit ring, and SDK support. The implementation is well-architected with clear separation of concerns between the MultiClientPermissionMediator and the HTTP bridge layer. The code demonstrates strong attention to backward compatibility, security boundaries, and operational visibility. However, there are several critical and high-priority issues that must be addressed before merging, particularly around error handling consistency, documentation clarity, and edge case coverage.

---

🔍 General Feedback

Positive aspects:

• Excellent separation of concerns: MultiClientPermissionMediator owns all permission state, keeping the bridge layer thin
• Strong invariant documentation (N1-N3, O5, O8) with explicit rationale for each design decision
• Comprehensive test coverage (35 unit tests in permissionMediator.test.ts plus bridge-level integration tests)
• Thoughtful backward compatibility: pre-F3 wire shape preserved bit-for-bit for first-responder policy
• Good operational visibility: stderr breadcrumbs on timeout, audit ring for forensics
• Defense-in-depth validation at multiple layers (settings schema + bridge constructor)

Areas of concern:

• Some critical error paths lack proper cleanup
• Inconsistent handling of undefined clientId across policy implementations
• Missing documentation for several new error types
• Potential race conditions in consensus quorum calculation
• Audit ring capacity defaults may need tuning for high-volume deployments

---

🎯 Specific Feedback

🔴 Critical

• File: packages/acp-bridge/src/permissionMediator.ts:430-450 - The voteConsensus method doesn't handle the edge case where votersAtIssue is empty (anonymous prompt with no registered clients). This could lead to division by zero in quorum calculation or deadlock. Add a guard:

  if (pending.votersAtIssue.size === 0) {
    // Fall back to first-responder for anonymous prompts with no voters
    return this.voteFirstResponder(pending, vote);
  }

• File: packages/acp-bridge/src/bridgeErrors.ts:174-190 - CancelSentinelCollisionError documentation states it's thrown when agent declares '__cancelled__' as an option label, but the error message construction doesn't include the conflicting option ID in the message. This makes debugging extremely difficult. Add the conflicting option to the error message:

  super(`Agent declared '${CANCEL_VOTE_SENTINEL}' as an option label, ` +
        `colliding with the cancel sentinel. Allowed options: ` +
        `${Array.from(allowedOptionIds).join(', ')}`);

• File: packages/cli/src/serve/httpAcpBridge.ts:6204-6220 - The permissionMediator construction passes votersForSession callback that iterates byId.values() on every call. Under high concurrency with many sessions, this becomes O(N) per vote. Cache the voter set at request issue time (already done in mediator via votersAtIssue) and remove this callback entirely—it's redundant.

🟡 High

• File: packages/acp-bridge/src/permissionMediator.ts:370-390 - The voteDesignated method falls back to first-responder for anonymous prompts, but this relaxation is not documented in the PermissionPolicy type definition or the protocol docs. A security-conscious deployment might expect strict designated behavior. Add explicit warning in docs/design/qwen-serve-protocol.md:

  Security note: designated policy falls back to first-responder for prompts without X-Qwen-Client-Id header. For strict per-tenant isolation, ensure all clients register a clientId.

• File: packages/cli/src/serve/permissionAudit.ts:85-95 - The PermissionAuditRing uses FIFO eviction but doesn't expose any metrics on eviction rate. Operators can't detect if the ring size (default 512) is too small for their workload. Add evictionCount getter and include in future /workspace/permission/audit route response.

• File: packages/acp-bridge/src/permissionMediator.ts:480-510 - The voteLocalOnly check uses vote.fromLoopback which is set by the route layer based on req.socket.remoteAddress. However, the comment acknowledges this doesn't consult X-Forwarded-For. If the daemon sits behind a reverse proxy (common in production), all votes appear as non-loopback. Either:

  1. Document this limitation prominently (recommend dedicated daemon or designated policy for proxied deployments)
  2. Add optional trustProxy flag to BridgeOptions to consult X-Forwarded-For when set

• File: packages/sdk-typescript/src/daemon/events.ts:54-65 - New event types permission_partial_vote and permission_forbidden are added to DAEMON_KNOWN_EVENT_TYPE_VALUES, but there's no type-safe discriminator for the reason field in permission_forbidden events. The SDK should export a union type for PermissionForbiddenReason = 'designated_mismatch' | 'remote_not_allowed' to prevent typos in client code.

🟢 Medium

• File: packages/acp-bridge/src/permissionMediator.ts:105-120 - The CANCEL_VOTE_SENTINEL constant is exported but the comment says "Bridge-side precondition: callers MUST NOT forward an incoming vote.optionId === CANCEL_VOTE_SENTINEL". This is a critical security boundary that relies on caller discipline. Consider making the sentinel value dynamic per-mediator instance or using a WeakMap to prevent any possibility of wire-level spoofing.

• File: packages/cli/src/serve/httpAcpBridge.ts:6170-6182 - The conditional audit ring allocation (if (opts.permissionAudit !== undefined)) is correct but the comment says "keeping it would burn an empty array indefinitely". This is a micro-optimization that sacrifices consistency. Always allocate the ring (it's 512 entries ≈ 100KB) and use it uniformly—simpler mental model.

• File: packages/acp-bridge/src/permissionMediator.ts:280-295 - The PermissionDecisionReason type has five variants but only four are used in audit records (timeout resolution doesn't include a decision reason). This is fine, but the type comment should clarify that PermissionResolution { kind: 'cancelled' } maps to no decision reason when the cause is timeout/session-close.

• File: packages/cli/src/serve/capabilities.ts:180-195 - The new permission_mediation capability advertises all four modes, but there's no runtime validation that the configured policy matches one of the advertised modes. Add a defensive check in createHttpAcpBridge:

  const VALID_POLICIES = ['first-responder', 'designated', 'consensus', 'local-only'] as const;
  if (!VALID_POLICIES.includes(opts.permissionPolicy ?? 'first-responder')) {
    throw new Error(`Invalid permissionPolicy: ${opts.permissionPolicy}`);
  }

🔵 Low

• File: packages/acp-bridge/src/permissionMediator.ts:1 - The license header says "Copyright 2025 Qwen Team" but we're in 2026. Update to "Copyright 2025-2026 Qwen Team" or just "Copyright Qwen Team" to avoid annual updates.

• File: docs/developers/qwen-serve-protocol.md:420-427 - The permission policy table is excellent, but the "Wire compatibility" note at the end is buried. Move it to a prominent "⚠️ Compatibility" callout box at the top of the section.

• File: packages/acp-bridge/src/permissionMediator.ts:395-405 - The comment "Per-policy vote handlers" section would benefit from a one-line summary of each policy's behavior before diving into code. Something like:

  // Policy dispatch table:
  // - first-responder: any validated voter wins immediately
  // - designated: only originatorClientId may vote (fallback to first-responder if anonymous)
  // - consensus: N-of-M quorum required, intermediate votes emit permission_partial_vote
  // - local-only: only loopback voters accepted, remote voters get 403
  

• File: packages/cli/src/serve/permissionAudit.ts:150-160 - The recordTimeout method doesn't capture which policy was active when the timeout fired. For forensic analysis, it would be useful to know if a consensus policy timed out (suggesting insufficient voters) vs first-responder (suggesting no engaged clients). Add policy field to timeout entries.

---

✅ Highlights

• Exceptional invariant documentation: The N1-N3 and O5-O8 invariants are model examples of how to document complex async state management. Each invariant includes the "why" (historical bug or edge case) and the "how" (specific code pattern).

• Backward compatibility discipline: The commitment to preserving pre-F3 wire shape for first-responder policy (tested via snapshot tests in httpAcpBridge.test.ts) shows mature API design thinking. The approach of additive-only changes (permission_partial_vote, permission_forbidden as new events that old SDKs gracefully ignore) is exactly right.

• Audit-first mindset: The separation of audit ring from SSE bus is architecturally sound. Operational observability shouldn't compete with wire protocol bandwidth, and the bounded LRU with configurable capacity shows thoughtful resource management.

• Test quality: The 35 unit tests in permissionMediator.test.ts cover all four policies, edge cases (voter cancel sentinel, forgetSession racing with request), and cleanup ordering. The N2 cleanup ordering test (verifying Promise settles even when emit/audit throw) is particularly thorough.

• Error message quality: Most error types include actionable context (requestId, sessionId, clientId, reason). The PermissionForbiddenError constructor includes both the forbidden reason and the request context, making debugging straightforward.

---

Summary Recommendation

Status: Changes Required

This is a well-designed implementation of a complex feature, but the critical issues around empty voter sets, error message clarity, and redundant callbacks must be addressed before merging. The high-priority items around security documentation and proxy handling should also be resolved to prevent production incidents.

Required fixes before merge:

1. Add guard for empty votersAtIssue in consensus policy
2. Improve CancelSentinelCollisionError message to include conflicting options
3. Remove redundant votersForSession callback from mediator construction
4. Document designated policy fallback behavior in protocol docs
5. Add trustProxy option or prominently document loopback limitation

Suggested follow-ups (post-merge):

• Add eviction metrics to audit ring
• Export PermissionForbiddenReason type in SDK
• Consider dynamic sentinel values for additional security
• Add policy field to timeout audit entries

[Copilot]

Pull request overview

Implements F3 multi-client permission coordination for qwen serve (new mediation strategies, wire events, and SDK support), while also landing Phase C worktree session persistence/UI safety nets and a redesign of managed auto-memory recall to be non-blocking.

Changes:

• Add permission-mediation capability + active policy surfacing, new SSE events (permission_partial_vote, permission_forbidden), audit ring, and SDK reducer/type support.
• Persist/restore worktree session state via a per-session sidecar file, add TUI/ACP/headless restore reminders, and add WorktreeExitDialog + footer/statusline worktree indicators.
• Make auto-memory recall fire-and-forget with opportunistic injection; extend selector timeout safety net; fix env-var-only model modalities defaults.

Reviewed changes

Copilot reviewed 62 out of 62 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
packages/vscode-ide-companion/schemas/settings.schema.json	Adds ui.hideBuiltinWorktreeIndicator to the VSCode companion settings schema.
packages/sdk-typescript/test/unit/daemonEvents.test.ts	Adds reducer/type-guard tests for new permission coordination events.
packages/sdk-typescript/src/index.ts	Re-exports new daemon permission event types.
packages/sdk-typescript/src/daemon/events.ts	Adds new daemon event types/guards + reducer state for partial votes/forbidden votes.
packages/core/src/tools/exit-worktree.ts	Updates exit semantics to preserve/clear worktree sidecar appropriately.
packages/core/src/tools/exit-worktree.test.ts	Increases timeouts to avoid flakiness.
packages/core/src/tools/exit-worktree.session.integ.test.ts	Adds integration coverage for sidecar cleanup behavior on exit.
packages/core/src/tools/enter-worktree.ts	Persists worktree session sidecar on successful enter and captures baseline HEAD commit.
packages/core/src/tools/enter-worktree.session.integ.test.ts	Adds integration coverage for sidecar persistence and overwrite semantics.
packages/core/src/services/worktreeSessionService.ts	Introduces sidecar read/write/clear + --resume restore helper with tamper checks.
packages/core/src/services/worktreeSessionService.test.ts	Unit tests for sidecar I/O and restore/tamper cleanup behavior.
packages/core/src/services/sessionService.ts	Adds getWorktreeSessionPath(sessionId) helper.
packages/core/src/services/gitWorktreeService.ts	Adds post-creation core.hooksPath configuration for worktrees.
packages/core/src/services/gitWorktreeService.hooks.integ.test.ts	Integration tests for hooksPath setup behavior.
packages/core/src/models/modelConfigResolver.ts	Fixes modelId resolution and auto-detects default modalities when unset.
packages/core/src/models/modelConfigResolver.test.ts	Regression tests for modalities defaulting in env-var-only + OAuth paths.
packages/core/src/memory/relevanceSelector.ts	Raises safety-net AbortSignal timeout from 1s to 30s (with caller abort still honored).
packages/core/src/memory/recall.ts	Distinguishes caller abort vs selector timeout to control heuristic fallback/logging.
packages/core/src/index.ts	Exports worktreeSessionService from core package surface.
packages/core/src/core/client.ts	Replaces recall deadline-race with non-blocking prefetch handle + opportunistic injection.
packages/core/src/core/client.test.ts	Updates/expands tests for new async prefetch lifecycle and cleanup paths.
packages/cli/src/ui/hooks/useWorktreeSession.ts	Adds hook to watch/read sidecar and drive UI state.
packages/cli/src/ui/hooks/useWorktreeSession.test.tsx	Tests for sidecar watch behavior (create/delete).
packages/cli/src/ui/hooks/useStatusLine.ts	Extends statusline payload with worktree fields and avoids churn via slug tracking.
packages/cli/src/ui/hooks/useDialogClose.ts	Adds Ctrl+C/global escape support for WorktreeExitDialog.
packages/cli/src/ui/contexts/UIStateContext.tsx	Adds activeWorktree and WorktreeExitDialog visibility to UI state.
packages/cli/src/ui/contexts/UIActionsContext.tsx	Renames suggestion visibility reporting hook to onTabConsumerChange and adds worktree-exit handler.
packages/cli/src/ui/components/WorktreeExitDialog.tsx	New dialog for keep/remove/cancel with git dirty/probe checks.
packages/cli/src/ui/components/WorktreeExitDialog.test.tsx	Basic render test with execFile stubbed.
packages/cli/src/ui/components/InputPrompt.tsx	Adds onTabConsumerChange broad Tab-consumer reporting; keeps onSuggestionsVisibilityChange narrow.
packages/cli/src/ui/components/InputPrompt.test.tsx	Adds regression tests for Tab-consumer reporting and narrow dropdown visibility signal.
packages/cli/src/ui/components/Footer.tsx	Adds built-in worktree indicator with opt-out setting.
packages/cli/src/ui/components/DialogManager.tsx	Wires WorktreeExitDialog into dialog routing.
packages/cli/src/ui/components/Composer.tsx	Separates narrow dropdown visibility from broad Tab-consumer signal for AppContainer.
packages/cli/src/ui/AppContainer.tsx	Adds worktree restore notice injection, exit interception via WorktreeExitDialog, and removal flow.
packages/cli/src/serve/types.ts	Extends /capabilities envelope with policy.permission.
packages/cli/src/serve/server.ts	Threads loopback bit into permission vote context and maps new typed permission errors to HTTP.
packages/cli/src/serve/runQwenServe.ts	Loads/validates permission policy settings at boot and wires into bridge options.
packages/cli/src/serve/permissionAudit.ts	Adds in-memory permission audit ring + publisher adapter.
packages/cli/src/serve/permissionAudit.test.ts	Unit tests for audit ring and publisher entry shapes/eviction.
packages/cli/src/serve/httpAcpBridge.test.ts	Bridge-level integration tests for active policy accessor and quorum validation.
packages/cli/src/serve/capabilities.ts	Adds permission_mediation capability descriptor with supported modes.
packages/cli/src/nonInteractiveCli.ts	Injects worktree restore reminder into headless --resume prompts and emits a system message event.
packages/cli/src/nonInteractiveCli.test.ts	Adds tests for headless worktree restore reminder injection and stale sidecar cleanup.
packages/cli/src/config/settingsSchema.ts	Adds ui.hideBuiltinWorktreeIndicator and new policy.* settings metadata.
packages/cli/src/acp-integration/session/Session.worktree.test.ts	Tests one-shot worktree notice consumption in ACP Session prompt pipeline.
packages/cli/src/acp-integration/session/Session.ts	Adds pendingWorktreeNotice injection/clear behavior.
packages/cli/src/acp-integration/acpAgent.worktree.test.ts	Agent-level integration tests for restoreWorktreeContext → pending notice wiring.
packages/cli/src/acp-integration/acpAgent.ts	Adds shared ACP worktree restore on load/resume entrypoints.
packages/acp-bridge/src/permission.ts	Documents forbidden vote reasons on the contract type.
packages/acp-bridge/src/index.ts	Re-exports new permission mediator module.
packages/acp-bridge/src/bridgeTypes.ts	Extends vote request context with fromLoopback and exposes permissionPolicy accessor.
packages/acp-bridge/src/bridgeOptions.ts	Adds permission mediation policy/quorum/audit injection options.
packages/acp-bridge/src/bridgeErrors.ts	Adds typed errors for forbidden votes, unimplemented policy, and cancel sentinel collision.
docs/developers/qwen-serve-protocol.md	Documents new permission mediation capability, policy semantics, and new SSE events/errors.
docs/design/worktree.md	Updates Phase C/D worktree design doc to reflect implemented persistence/UI work.
docs/design/2026-05-15-async-memory-recall-design.md	Adds design spec for async/non-blocking memory recall approach.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[wenshao]

Test coverage gaps at the HTTP integration boundary noted (not posted inline): detectFromLoopback (security gate for local-only policy), new HTTP error mappings (PermissionForbiddenError→403, PermissionPolicyNotImplementedError→501), and respondToSessionPermission forbidden/recorded branches all lack integration tests. Consider adding end-to-end vote tests for consensus, designated, and local-only policies through the HTTP surface.

[doudouOUC]

@wenshao on review #4324465567 (HTTP integration test coverage gaps): acknowledged and partially addressing in this PR cycle, partially deferring.

In-PR: the four blocking findings from the inline reviews are landed (commits aac5e63, 318ffe5, 92b58ff) — daemon barrel re-exports unblock npm run build, the audit ring is now wired through runQwenServe.ts so production accumulates audit entries, the timeout stderr breadcrumb is restored, the dead _resolutionToAcpResponse helper is removed, and the SDK reducer now propagates originatorClientId through permissionVoteProgress / forbiddenVotes via the existing mergeOriginator helper.

Test coverage acknowledged but deferred to keep this PR's diff focused on the production-correctness fixes you flagged as Critical. Specifically:

1. detectFromLoopback end-to-end via Express (vs. just unit-testing the helper in isolation) — the security gate for local-only policy.
2. PermissionForbiddenError → 403, PermissionPolicyNotImplementedError → 501, CancelSentinelCollisionError → 500 HTTP mapping tests in httpAcpBridge.test.ts.
3. End-to-end vote-route tests for consensus, designated, local-only strategies (mediator unit tests cover the semantics; the HTTP boundary is uncovered).
4. respondToSessionPermission forbidden / recorded outcome branches.

These four gaps add ~300 LOC of integration tests and will land in a separate follow-up PR off daemon_mode_b_main once this PR is merged. F3 v1's mediator + 4-strategy semantic coverage is locked by the 36 unit tests in permissionMediator.test.ts; the HTTP boundary tests are test-debt but not a correctness regression — the same mediator surface is exercised end-to-end by the 174-test httpAcpBridge.test.ts suite running under first-responder (the default that all pre-F3 behavior used).

If you'd prefer the test backfill in this PR before merge, happy to add a Commit D — let me know which way you'd like to proceed.

[wenshao]

Critical — Pre-merge blockers

[typecheck] packages/cli/src/serve/server.test.ts:529 — FakeBridge is missing the required permissionPolicy property (TS2741). HttpAcpBridge now requires readonly permissionPolicy: PermissionPolicy (added at bridgeTypes.ts:407 in this PR). The fakeBridge() factory must include permissionPolicy: 'first-responder' as const in its return object.

[typecheck] packages/cli/src/serve/server.test.ts:3994 — WorkspaceFileSystemFactory.forRequest() mock is missing the writeTextOverwrite method. Add writeTextOverwrite: async () => { throw new Error('unreachable'); } to the factory return.

[test] 5 F3-related test failures in server.test.ts — fromLoopback was added to the vote context in server.ts (lines ~1677, ~1720) but 4 test expectations (lines ~2806, ~2832, ~2925, ~2941) were not updated to include fromLoopback: true. Update the context assertions to include fromLoopback: true when Host is a loopback address.

— DeepSeek/deepseek-v4-pro via Qwen Code /review

[wenshao]

[Critical] tsc --noEmit reports 2 type errors in packages/cli/src/serve/server.test.ts (lines 529 and 3994) that are outside this PR's diff hunks but block typecheck:

1. Line 529 — FakeBridge missing required permissionPolicy property (TS2741). HttpAcpBridge gained readonly permissionPolicy at bridgeTypes.ts:407.
2. Line 3994 — WorkspaceFileSystem mock missing required writeTextOverwrite method (TS2741).

— qwen-latest-series-invite-beta-v34 via Qwen Code /review

[doudouOUC]

Re #4325674833 (CHANGES_REQUESTED with 3 pre-merge blockers in body): all three are landed in commit c3de8f1 alongside the inline suggestions:

1. server.test.ts:529 FakeBridge missing permissionPolicy — added permissionPolicy: 'first-responder' as const to the factory return. Pins the pre-F3 default so existing assertions stay shape-compatible.
2. server.test.ts:3994 factory missing writeTextOverwrite — added the missing method that PR feat(serve): F1 follow-up — BridgeFileSystem wiring + #4325 channelInfo fix #4334 introduced on WorkspaceFileSystem after this branch forked.
3. 5 (actually 4) fromLoopback test failures — updated the four POST /session/:id/permission/:requestId and POST /permission/:requestId assertions to include fromLoopback: true on the captured context. The supertest peer is 127.0.0.1 so detectFromLoopback correctly stamps the field; the pre-F3 expected shape was stale.

229/229 server.test.ts pass; 180/180 httpAcpBridge.test.ts pass; 37/37 mediator pass.

[doudouOUC]

Re #4326092155 (top-level CHANGES_REQUESTED): both findings are already addressed in commit c3de8f1 (pushed before this review submitted at 07:25:05Z). Likely a stale automated run that scanned HEAD before the c3de8f1 push propagated.

• server.test.ts:529 FakeBridge missing permissionPolicy — fixed at line 534: permissionPolicy: 'first-responder' as const. See comment 3271989651-area replies for the chain.
• server.test.ts:3994 missing writeTextOverwrite — fixed at line 4041: writeTextOverwrite: async () => { throw new Error('unreachable'); }.

Verification at current HEAD 520edc4dc:

$ grep -n "permissionPolicy: 'first-responder' as const\\|writeTextOverwrite: async" packages/cli/src/serve/server.test.ts
534:    permissionPolicy: 'first-responder' as const,
4041:        writeTextOverwrite: async () => {

tsc --noEmit passes; vitest run for server.test.ts (229 tests) and httpAcpBridge.test.ts (180 tests) both green. No further action needed for this review.

[wenshao]

Inline notes from a review of the F3 permission mediator. Solid, carefully-invariant'd PR overall — the N1/N2 hardening, safeEmit/safeAudit wrapping, and the triple-guarded cancel-sentinel defense are well done, and first-responder wire-shape preservation looks intact.

One cleanup worth doing before merge (the bridgeClient.ts dead code, flagged inline); the rest are minor. Posting as comments, not a change request.

[wenshao]

No issues found in the latest Round 9 changes. Build, deterministic checks, and targeted tests passed. LGTM! ✅ — gpt-5.5 via Qwen Code /review

[wenshao]

Approve based on local real-world verification on PR head c3de8f10. One outstanding ask below (CRIT #7) — please reply inline before merge.

Local test results

Item	Result
npm ci	exit 0
packages/acp-bridge/ (incl. new permissionMediator.test.ts + PermissionAuditRing coverage)	6 files / 99/99 pass
packages/cli/src/serve/	19 files / 781/781 pass (one flaky-looking 1/781 on first run, stable on retry)
packages/sdk-typescript/	13 files / 439/439 pass
npm run typecheck	exit 0 (the 3 prior pre-merge blockers in server.test.ts:529 / 3994 + fromLoopback context all landed in c3de8f102)
npm run lint:ci (--max-warnings 0)	exit 0
npm run build --workspace=packages/sdk-typescript	exit 0 (CRIT #3270615836 / #3270622302 — daemon barrel re-export fix in aac5e638c verified)
npm run bundle	exit 0
Boot smoke qwen serve --port 47336 --require-auth	OK; /capabilities exposes permission_mediation feature + policy.permission: 'first-responder'

7 [Critical] threads — disposition

#	thread	Status
1	sdk-typescript/src/index.ts:71 (daemon barrel)	✅ Fixed aac5e638c
2	bridgeOptions.ts:305 (audit ring no-op in production)	✅ Fixed 318ffe5d5 (runQwenServe.ts allocates ring + publisher)
3	sdk-typescript/src/index.ts:71 (duplicate of #1)	✅ Same aac5e638c
4	permissionMediator.ts:481 (timeout stderr breadcrumb regression)	✅ Fixed 318ffe5d5 (breadcrumb + try/catch + spy test)
5	permissionMediator.ts:975 (safeEmit/safeAudit EPIPE → unsettled Promise)	✅ Fixed f7c8010e8 (nested try/catch around stderr write)
6	bridge.ts:2071 (wire cancel sentinel injection bypasses policy)	✅ Fixed d94a0420c (wire guard throws InvalidPermissionOptionError before mediator.vote; bridge-level test added)
7	bridge.ts:2045 (error precedence: 400 vs 404 leaks clientId↔session)	⚠️ Unresolved — no inline reply

On CRIT #7 — please reply inline

The current head adds a comment ("requestId is unknown OR matches THIS session — only now validate clientId") that suggests this validation order is intentional, but there's no explicit reply on the inline review thread (#3271978329). The trade-off is real:

• Pre-F3: 404 for unknown requestId regardless of caller identity.
• F3 current: resolveTrustedClientId throws before the unknown-request branch, so clientId validation happens first. Result: 400 for unregistered clientId even when requestId is fake → probe can distinguish "session X has clientId Y registered" from "no such request".

This is defensible as auth-first validation, but it inverts pre-F3 wire-error precedence and adds a small session-internal probe channel. Please either:

• (a) acknowledge the trade-off explicitly inline + add a note to docs/developers/qwen-serve-protocol.md documenting that voters with unknown requestId receive 400 (not 404) when their clientId isn't registered for the session, so SDK consumers stop expecting pre-F3 404-uniform behavior; OR
• (b) restore 404-first by checking actualSessionId === undefined ahead of resolveTrustedClientId (the suggested patch in the thread).

Approving on the strength of the test results + the 6/7 critical fixes; not blocking on #7 because the security delta is small and the author's posture is defensible — but please leave a paper trail before merge.

[doudouOUC]

@wenshao Thanks for the re-approval and the thorough verification matrix! 🙏

On CRIT #7 (#3271978329 — error precedence): this was actually adopted as option (b) — restore 404-first between the head you tested (c3de8f10, Round 6) and current HEAD 9ac7b022c. The audit trail:

Commit	Round	What landed
520edc4dc	Round 7	respondToSessionPermission short-circuits to return false when actualSessionId === undefined, BEFORE resolveTrustedClientId. Closes the session-scoped oracle. Inline thread #3271978329 resolved.
605894f39	Round 8	Legacy respondToPermission got the symmetric fix — removed resolveAnyTrustedClientId helper that was the cross-session-oracle source on the legacy route (#3272493777). Inverted the previously-leaky test rejects unknown permission votes with unregistered client ids to assert the new uniform-false posture.
9ac7b022c	Round 10	Added matching writeStderrLine on the legacy route's unknown-session path so stderr breadcrumbs are symmetric across both routes (#3273077256).

Both vote routes now uniformly return false (→ 404) for unknown requestId regardless of clientId registration status. tsc + 613 unit tests + manual smoke at HEAD 9ac7b022c all green. The pre-F3 404-uniform behavior is preserved; no protocol-doc update needed because the wire shape didn't change. Thread is already resolved — let me know if you'd like me to re-open it for a fresh paper-trail reply or if a doc note in qwen-serve-protocol.md would still be useful as a forward-compat reference for future SDK readers.

[wenshao]

PR #4335 本地构建与测试验证报告

维护者 merge 参考 · 由本地 tmux 真实运行得出

概要

阶段	结果	耗时
npm ci	✅	1m12s
npm run build	✅	31.5s
npm run typecheck（5 workspaces）	✅ 0 error	~30s
npm run lint（根 scope）	✅ 0 error / 0 warning	<5s
npm test --workspace=packages/acp-bridge	✅ 103 / 103	4.07s
npm test --workspace=packages/sdk-typescript	✅ 443 / 443	24.10s
npm test --workspace=packages/cli	✅ 6927 / 6936（9 skipped）	156.96s
npm test --workspace=packages/core	⚠️ 8567 / 8573（3 failed，已确认全部为 base 上预存在的失败，与 F3 无关）	78.24s

PR 相关代码共 ~816 个测试 覆盖（acp-bridge 47 + sdk-typescript 65 + cli 513，下文 §3 详列），全部通过。

---

1. 验证环境

• PR head: feat/f3-permission-mediator @ 9ac7b022c (Round 10 - wenshao APPROVED + 3 final polish)
• PR base: daemon_mode_b_main @ 981bc7c7e (F1)
• OS: macOS Darwin 25.4.0
• Node: v22.17.0
• npm: 11.8.0
• 隔离工作区: git worktree add 到独立目录 qwen-code/.qwen/tmp/review-pr-4335
• tmux 会话: pr4335（4 windows: install / build / test / lint），各 pane 独立 tee 落盘日志，便于后期对照

---

2. 构建与静态检查

2.1 npm ci ✅

added 1453 packages in 1m

prepare hook 自动跑了一次 bundle，输出全部 dist 资源 OK；只在 vscode-ide-companion/src/utils/editorGroupUtils.ts:32 有 1 条 ESLint warning（Expected { after 'if' condition）。该文件最近一次修改是 PR #4130（df32345d0），与本 PR 完全无关。

2.2 npm run build ✅ 31.5s

所有 workspace 编译通过，包括 PR 第 2 个 commit (aac5e638c) 修复的 sdk-typescript 类型 re-export 链路（之前 vitest 通过但 tsc 失败的两个 commit 3270615836 / 3270622302 已闭合）。

2.3 npm run typecheck ✅

5 个 workspace 全部 tsc --noEmit 干净通过：

@qwen-code/acp-bridge      → tsc --noEmit ✓
@qwen-code/qwen-code       → tsc --noEmit ✓
@qwen-code/qwen-code-core  → tsc --noEmit ✓
@qwen-code/sdk             → tsc --noEmit ✓
@qwen-code/webui           → tsc --noEmit ✓

2.4 npm run lint ✅ exit=0

根目录 eslint . --ext .ts,.tsx && eslint integration-tests 干净无输出。

---

3. 单元测试（按 package）

3.1 packages/acp-bridge ✅ 103 / 103，4.07s

文件	测试数	状态
src/eventBus.test.ts	20	✅
src/permissionMediator.test.ts	40	✅ F3 核心
src/bridgeClient.test.ts	7	✅ 含 cancel-sentinel 注入防御
src/spawnChannel.test.ts	12	✅
src/status.test.ts	16	✅
src/inMemoryChannel.test.ts	8	✅

PR body 自述 "35 mediator unit tests"，实际跑出 40 — 是 Round 4/5/7/8/9/10 review 期间累计补充的 5 个回归测试（idempotent re-vote audit、orphan voteProgress cleanup、unanimity 警示、forbidden stderr 三路径、terminal-event forbidden cleanup）。

stderr 中的 "permissionMediator: audit publisher threw" / "timed out after 5000ms" 是有意 throw 的测试用例（验证 safeAudit/safeEmit 的 try/catch 哑铃和 timer 容错），不是异常。

3.2 packages/sdk-typescript ✅ 443 / 443，24.10s

F3 相关文件	测试数	状态
test/unit/daemonEvents.test.ts	65	✅ partial-vote / forbidden / mergeOriginator / orphan cleanup

其余 12 个文件（ProcessTransport、DaemonClient、Query 等共 378 个）全部通过。

3.3 packages/cli ✅ 6927 / 6936，9 skipped，156.96s

F3 直接覆盖的 6 个文件：

文件	测试数	状态
src/serve/httpAcpBridge.test.ts	181	✅ 含 cancel-sentinel 注入防御 + 跨会话 vote 防泄漏
src/serve/server.test.ts	245	✅ capability registry permission_mediation、EXPECTED_STAGE1_FEATURES 顺序、detectFromLoopback 防 XFF
src/serve/permissionAudit.test.ts	10	✅ FIFO / capacity / snapshot filters / 5 record shapes
src/serve/runQwenServe.test.ts	19	✅ validatePolicyConfig + InvalidPolicyConfigError
src/config/settingsSchema.test.ts	18	✅
src/config/jsonSchemaArg.test.ts	40	✅

剩余 383 个 CLI 测试文件全绿，包括 serve/workspaceFileSystem.test.ts (75)、serve/workspaceAgents.test.ts (38)、serve/bridgeFileSystemAdapter.test.ts (18) 等所有 daemon 模式相邻文件。

3.4 packages/core ⚠️ 3 个失败 — 均为预存在，与 F3 无关

FAIL src/skills/skill-manager.test.ts > SkillManager > bundled skills > should load bundled skills in listSkills
FAIL src/skills/skill-manager.test.ts > SkillManager > bundled skills > should fall back to bundled level in loadSkill
FAIL src/core/anthropicContentGenerator/anthropicContentGenerator.test.ts > treats unset baseURL as Anthropic-native

根因分析（已交叉验证）:

1. PR 4335 完全未触碰 packages/core/：

   $ git diff --name-only origin/daemon_mode_b_main...HEAD | grep -E "^packages/core/" 
   (空 — 无任何 core 文件被改动)

2. 在 PR base daemon_mode_b_main HEAD (981bc7c7e) 独立运行同样 2 个测试文件：

   Test Files  2 failed (2)
        Tests  3 failed | 129 passed (132)
   

   同样的 3 个失败。

3. 在 origin/main HEAD (16f0fde19) 独立运行：

   Test Files  1 failed | 1 passed (2)
        Tests  1 failed | 131 passed (132)
   

   • skill-manager.test.ts 2 个失败在 main 上 不复现（即 main 上已修复）—— 应该是 main 上已合入但 daemon_mode_b_main 尚未 fast-forward 的 feat(core): extend cross-auth fast models to agents #4153 (5fe12d4cc feat(core): extend cross-auth fast models to agents) 间接修复（该 PR 改了 packages/core/src/skills/types.ts）。
   • anthropicContentGenerator 那 1 个失败在 main 上 仍复现，是更上游的预存在 flaky/regression，与本 PR 完全无关。

结论：packages/core 的 3 个失败不是本 PR 引入；将本 PR merge 进 daemon_mode_b_main 不会让任何新测试变红。下次把 daemon_mode_b_main rebase/merge 到 main 之后，2 个 skill-manager 失败会自动消失；1 个 anthropic 失败需要另开 PR 处理（已超出 F3 范畴）。

---

4. F3 关键不变量（hardness invariants）测试覆盖确认

PR body 声明的 5 个硬性不变量都在测试代码中找到对应断言：

不变量	含义	测试位置
N1 同步 register	mediator.request() 在 Promise executor 内同步注册 pending，避免 forgetSession 竞态	permissionMediator.test.ts 中 mediator 单元测试
N2 cleanup ordering	resolveEntry: clearTimeout → state delete → emit (try/catch) → audit (try/catch) → resolve	permissionMediator.test.ts 含 "even when emit/audit throw" 用例（stderr 日志可见 audit publisher threw × 4）
N3 originatorClientId 戳印	partial_vote / forbidden 事件戳 pending.originatorClientId；resolved 维持旧 wire 兼容	daemonEvents.test.ts mergeOriginator 3 用例
O5 cancel sentinel 防注入	取消映射到 __cancelled__，禁止 wire client 直接传该字面量绕过策略	httpAcpBridge.test.ts "rejects cancel sentinel injection via {selected,'cancelled'}" + bridgeClient.test.ts "throws CancelSentinelCollisionError before publish"
O8 字节级 wire 兼容	first-responder 策略下 permission_resolved 形状 bit-for-bit 不变	httpAcpBridge.test.ts cross-session-vote 快照测试组

---

5. 工作流副作用 / 风险扫描

• 默认行为：未在 settings.json 写 policy.permissionStrategy 时，默认 first-responder，与 pre-F3 行为字节级一致。升级零风险。
• 守恒能力：3 个新 typed error（403/500/501）、2 个新 SSE 事件（permission_partial_vote / permission_forbidden）、1 个新 capability（permission_mediation）—— 都是 加法，旧客户端会无视而非崩。
• 观测性：runQwenServe.ts 在 daemon 进程内持有 PermissionAuditRing（默认 512 条），同时 permissionMediator.ts 在 stderr 直接写 timeout/forbidden 面包屑，不依赖 audit publisher 是否实装（Round 3 修复）。
• 预升级清单：daemon 需重启才能让新的 policy.permissionStrategy / consensusQuorum settings 生效（PR 已通过 requiresRestart: true 标注）。
• 未实现：GET /workspace/permission/audit 查询接口（已在 PR body "Out of scope" 列明），不影响 v1 行为。

---

6. 推荐结论

✅ 建议 merge。

• 构建、typecheck、lint、所有 PR 触碰范围的单测 全绿。
• ~816 条 F3 相关测试覆盖了 4 种策略、3 个新错误、5 个不变量、所有 review round 补的回归测试。
• 仅有的 3 条红测在 packages/core，在 PR base 上独立验证为预存在，且 PR 一行 core 代码都没改。
• 10 轮 review fold-in 历史完整可追，N1/N2/N3/O5/O8 都有对应锁定测试。

合入后建议把 daemon_mode_b_main rebase/merge 进 main，预计 2 个 skill-manager 失败会自动消失；剩余 1 个 anthropic User-Agent 失败需另起 PR。

---

附录：复现命令

# 1. 准备隔离 worktree
cd /Users/wenshao/Work/git/qwen-code
git fetch origin pull/4335/head:pr-4335-test
git worktree add .qwen/tmp/review-pr-4335 pr-4335-test
cd .qwen/tmp/review-pr-4335

# 2. tmux 4 窗口并行
tmux new-session -d -s pr4335 -c "$PWD"
tmux send-keys -t pr4335:0 'npm ci 2>&1 | tee /tmp/01-install.log' Enter
# (build/typecheck/lint/test 各自独立 window，见 tmux ls)

# 3. PR-相关测试
npm test --workspace=packages/acp-bridge
npm test --workspace=packages/sdk-typescript
npm test --workspace=packages/cli
npm test --workspace=packages/core   # 仅 skill-manager × 2 + anthropic × 1 fail（预存在）

# 4. PR base 失败复现（证明非回归）
git worktree add .qwen/tmp/review-pr-4335-base origin/daemon_mode_b_main
cd .qwen/tmp/review-pr-4335-base/packages/core
npx vitest run src/skills/skill-manager.test.ts src/core/anthropicContentGenerator/anthropicContentGenerator.test.ts
# → 同样 3 failed | 129 passed

日志文件位于 /tmp/pr-4335-test-logs/，tmux 会话 pr4335 保留供二次校验。