Skip to content

Retire the fake l0/l1 sensor + auth pre-flight (close loop loose ends)#89

Merged
broomva merged 2 commits into
mainfrom
feat/close-loop-loose-ends
Jul 5, 2026
Merged

Retire the fake l0/l1 sensor + auth pre-flight (close loop loose ends)#89
broomva merged 2 commits into
mainfrom
feat/close-loop-loose-ends

Conversation

@broomva

@broomva broomva commented Jul 5, 2026

Copy link
Copy Markdown
Owner

Follow-up to #88 (self-improvement loop closure, v0.30.0). Closes the mechanical loose ends noted at that merge. BRO-1697.

Retire the fake l0/l1 sensor

The l0-tool-audit/l1-reflex-audit hooks were left on disk (unwired) by #88. They logged fields Claude Code never emits (latency_ms → 100% null; tool_call_count → 100% zero, then grepped the agent's own prose = h correlated with U). Now they are no-op deprecation stubs: drain stdin, exit 0, write nothing. Any workspace still wiring them from a pre-v0.30.0 install gets a clean exit instead of a missing-file error; a future release deletes them.

Re-source doctor §16 / §17

Instead of reading the retired logs (which would now show a misleading "wire the hook" nudge forever), §16 (L0 plant) and §17 (L1 reflex) now read straight from the leverage-sensor's .control/leverage-state.json:

[ok] L0 (leverage-sensor §23): tool_error_rate=0.0225 read_before_edit_rate=0.028 permission_bypass/session=0.02
[ok] L1 (leverage-sensor §23): continue_nudges/session=0.34 over 50 sessions/7d

§18 (L2 promotions, reads l2-promotions.jsonl) is unchanged. compute-lambda derives λ from static rcs-parameters.toml, never the audit logs — so it was never affected (my #88 note overstated this; corrected here).

Auth pre-flight

auth-preflight-hook.sh (SessionStart) warns — never blocks — if gh is unauthenticated, so an autonomous arc learns it up front instead of dying on the push/PR step after the work is done. Minimal (gh only) per rule-of-three; silent when authed.

Deferred (tracked, with reasons — not dropped)

  • m4 allowlist default — a proper permissions.allow default needs the bootstrap merger extended (it merges only .hooks today) and changes the user's permission posture (a call best made with the user present). Real-workspace m4 is 0.02/session — far below the 0.50 target, so not an active problem. (BRO-1697)
  • Read-before-Edit guard — redundant: Claude Code already enforces it natively (that native block is what m3 measures), and the loop already injects the m3 gap via the SessionStart wire.
  • Dither / persistent-excitation — the deepest gap; design-first (touches L3, λ₃≈0.006). Tracked as BRO-1698 + design spec.

Validation (P11)

Full tests/*.test.sh + canary green (incl. new tests/loop-retirement.test.sh); doctor self-check 99/99 exit 0; dogfooded against real ~/broomva (§16/§17 render live metrics; auth hook silent when authed). Primitive count unchanged (20). VERSION 0.30.0 → 0.31.0.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added a non-blocking session-start check that warns when GitHub CLI authentication is missing.
    • Updated status reporting to use the latest workspace state for L0/L1 health summaries.
  • Bug Fixes

    • Retired legacy L0/L1 audit outputs and replaced them with harmless deprecation stubs.
    • Improved doctor checks so they no longer rely on outdated audit logs.
  • Tests

    • Added coverage for retired hooks, updated status reporting, and the new authentication warning flow.
  • Chores

    • Bumped the release version to 0.31.0.

Follow-up to #88 (loop closure). Closes the mechanical loose ends.

- Retire the fake l0/l1 audit hooks to no-op deprecation stubs: l0 logged
  latency_ms (100% null), l1 read tool_call_count (100% zero) then grepped the
  agent's own prose (h correlated with U). Stubs drain stdin + exit 0 so any
  pre-v0.30.0 wiring gets a clean exit, not a missing-file error, and write no
  more fake rows. A future release deletes them.
- Re-source doctor §16 (L0) + §17 (L1) from the leverage-sensor's
  .control/leverage-state.json (m2/m3/m4, m1) instead of the retired logs —
  real transcript-derived numbers, no misleading "wire the hook" nudge. §18
  (L2 promotions) unchanged; compute-lambda reads static parameters.toml, so
  it is unaffected.
- Add auth-preflight-hook.sh (SessionStart): warn (never block) if gh is
  unauthenticated, so an autonomous arc learns it up front instead of dying on
  the push/PR step after the work is done. Minimal (gh only) per rule-of-three.
- tests/loop-retirement.test.sh: stubs are silent no-ops writing no audit rows;
  doctor dropped the L0_LOG/L1_LOG reads; auth pre-flight warns-without-blocking.

Deferred (tracked): m4 allowlist (needs the settings merger extended beyond
.hooks + a posture decision; real m4 is 0.02/session, not an active problem),
Read-before-Edit guard (redundant with CC's native guard), dither (BRO-1698).

Empirical (P11): full tests/*.test.sh + canary green; doctor self-check 99/99;
dogfooded vs real ~/broomva (§16/§17 render live metrics). VERSION 0.30.0→0.31.0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@broomva, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 48 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5fa6d144-419c-4993-937a-0d1dd1b8bfbd

📥 Commits

Reviewing files that changed from the base of the PR and between 496d5f6 and 2b0cfa0.

📒 Files selected for processing (4)
  • CHANGELOG.md
  • references/new-workspace-flow.md
  • scripts/compute-budget-status.sh
  • scripts/doctor.sh
📝 Walkthrough

Walkthrough

Retires the L0/L1 fake audit hook scripts into no-op deprecation stubs, updates doctor.sh to re-source L0/L1 reporting from leverage-state.json, adds a non-blocking gh auth pre-flight hook wired into SessionStart, and adds regression tests plus changelog/docs/VERSION updates.

Changes

Loop Retirement and Auth Pre-flight

Layer / File(s) Summary
L0/L1 audit hook stubs
scripts/l0-tool-audit-hook.sh, scripts/l1-reflex-audit-hook.sh
Both hooks are converted to deprecated no-op stubs that drain stdin and exit cleanly, removing JSON parsing, metric computation, and JSONL append behavior.
doctor.sh re-sourcing from leverage-state.json
scripts/doctor.sh
Sections 16 and 17 now read metrics from .control/leverage-state.json instead of the retired l0-tools.jsonl/l1-reflexes.jsonl, with informational fallback when unavailable.
Auth pre-flight hook and wiring
scripts/auth-preflight-hook.sh, assets/templates/settings.json.snippet
New non-blocking script checks gh auth status and warns if unauthenticated; wired into the SessionStart hook list with timeout and purpose metadata.
Regression tests
tests/loop-retirement.test.sh
New test harness asserts stub silence and no fake audit rows, confirms doctor.sh no longer reads legacy logs, and validates auth pre-flight exit behavior and wiring.
Changelog, docs, and version bump
CHANGELOG.md, references/new-workspace-flow.md, VERSION
Adds the 0.31.0 release notes, updates workspace-flow docs to reflect retired audit logs and leverage-state.json sourcing, and bumps VERSION to 0.31.0.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant doctor_sh as doctor.sh
  participant LeverageState as leverage-state.json
  User->>doctor_sh: run bstack doctor
  doctor_sh->>LeverageState: read metrics for L0/L1
  LeverageState-->>doctor_sh: m1/m2/m3/m4 values
  doctor_sh-->>User: print report or informational message
Loading
sequenceDiagram
  participant SessionStart
  participant AuthPreflightHook as auth-preflight-hook.sh
  participant GH as gh CLI
  SessionStart->>AuthPreflightHook: invoke on session start
  AuthPreflightHook->>GH: check auth status
  GH-->>AuthPreflightHook: authenticated or not
  AuthPreflightHook-->>SessionStart: warn if unauthenticated, always exit 0
Loading

Possibly related PRs

  • broomva/bstack#46: Retires the same L0/L1 audit hook implementations and updates doctor.sh to source from leverage-state.json instead of the retired JSONL logs.
  • broomva/bstack#50: Also edits references/new-workspace-flow.md around hook/audit behavior descriptions.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly reflects the main change: retiring fake L0/L1 sensors and adding the auth pre-flight warning.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/close-loop-loose-ends

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
scripts/doctor.sh (1)

806-816: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Duplicated python-heredoc pattern across §16/§17.

Both sections use nearly identical python3 - "$LEV_STATE" <<'PYEOF' ... except Exception: print("unreadable") boilerplate to load and parse the same JSON file. Could be factored into a single helper that loads once and prints per-section fields, but given this is informational doctor output, the duplication is low risk.

Also applies to: 832-843

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/doctor.sh` around lines 806 - 816, The Python heredoc used to read
and print metrics in the doctor output is duplicated across the L0 summary
blocks, so consolidate the repeated JSON-loading logic into a single reusable
helper and call it from the existing summary sections. Update the shell script
around the L0_SUMMARY/L1 summary generation to use that shared helper while
keeping the same output format and the existing unreadable fallback behavior.
tests/loop-retirement.test.sh (1)

42-44: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Auth pre-flight test doesn't verify the warning message content, only the wiring/exit code.

Line 42 only checks that the hook exits 0 regardless of gh state; it never asserts the actual warning text appears when gh is unauthenticated (e.g. by mocking gh in PATH to fail gh auth status). This leaves the warning-message behavior itself untested, only the non-blocking exit contract.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/loop-retirement.test.sh` around lines 42 - 44, The auth pre-flight test
only checks the exit code and hook wiring, but not the warning message content
emitted by the auth-preflight path. Update the test in
tests/loop-retirement.test.sh to simulate an unauthenticated gh by shadowing gh
in PATH so gh auth status fails, then assert the expected warning text is
printed while still exiting 0. Use the existing auth-preflight and SessionStart
wiring checks as anchors, but make the test validate both the non-blocking
behavior and the logged warning content.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@scripts/doctor.sh`:
- Around line 806-816: The Python heredoc used to read and print metrics in the
doctor output is duplicated across the L0 summary blocks, so consolidate the
repeated JSON-loading logic into a single reusable helper and call it from the
existing summary sections. Update the shell script around the L0_SUMMARY/L1
summary generation to use that shared helper while keeping the same output
format and the existing unreadable fallback behavior.

In `@tests/loop-retirement.test.sh`:
- Around line 42-44: The auth pre-flight test only checks the exit code and hook
wiring, but not the warning message content emitted by the auth-preflight path.
Update the test in tests/loop-retirement.test.sh to simulate an unauthenticated
gh by shadowing gh in PATH so gh auth status fails, then assert the expected
warning text is printed while still exiting 0. Use the existing auth-preflight
and SessionStart wiring checks as anchors, but make the test validate both the
non-blocking behavior and the logged warning content.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ee285fa9-5014-4caa-bad1-2ea2a4fbe820

📥 Commits

Reviewing files that changed from the base of the PR and between 0144731 and 496d5f6.

📒 Files selected for processing (9)
  • CHANGELOG.md
  • VERSION
  • assets/templates/settings.json.snippet
  • references/new-workspace-flow.md
  • scripts/auth-preflight-hook.sh
  • scripts/doctor.sh
  • scripts/l0-tool-audit-hook.sh
  • scripts/l1-reflex-audit-hook.sh
  • tests/loop-retirement.test.sh

… BRO-1699)

P20 review of this PR flagged that scripts/compute-budget-status.sh still reads the
now-retired l0-tools/l1-reflexes logs for doctor §19's L0/L1 observed overlay — which
read empty after the stubs, so §19's L0/L1 default to `stable` forever. Non-blocking
(graceful, exit 0, nothing in CI invokes it, composite ω from static parameters.toml
is unaffected, real L0/L1 signal is in §16/§17/§23) — but leaving it silent in a
loop-closure PR is the blind-checker smell this work exists to kill.

- compute-budget-status.sh: comment the retired-log reads + point at BRO-1699.
- doctor.sh §16/§17: fix version attribution (re-source landed v0.31.0; sensor v0.30.0).
- new-workspace-flow.md + CHANGELOG: disclose the §19 adjacency + BRO-1699 follow-up.

No logic change (comments + docs). Repoint tracked as BRO-1699.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@broomva broomva merged commit 50c7821 into main Jul 5, 2026
6 checks passed
@broomva broomva deleted the feat/close-loop-loose-ends branch July 5, 2026 05:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant