Prod Readiness · Waterbrother

Source of Truth

Release gate

The current release gate comes from Umair's test plan. P0 failures on process interrupts, approvals, session durability, cwd sandboxing, dangerous shell gating, terminal corruption, or cross-platform shell behavior are release blockers.

Target environments: macOS Terminal/iTerm2, Linux, PowerShell, WSL, VS Code terminal, and tmux.
Required evidence: command transcript, doctor output, terminal/OS version, and session artifacts for failures.
Current approach: fix the objective runtime issues first, then run the manual matrix.

Current Status

First pass

P0-1 interrupt handling: locally validated for one-shot exec with a spawned child process.
P0-2 approval prompt stability: locally validated for one-shot deny flow with clean process exit.
P0-3 forced-kill recovery: locally validated with kill -9 followed by resume --last.
P0-4 cwd sandbox / symlink escape: hardened and locally validated.
P0-5 dangerous shell commands: locally verified as blocked under on-request without approval.
P0-7 session isolation: locally validated with concurrent one-shot sessions preserving distinct prompts and outputs.
P0-6 large stdout containment: locally validated with the exact 200000-line stress payload.
P0-10 ANSI/spoof hardening: renderer now strips ANSI/control sequences before terminal display, direct spoof prompts are refused, and hostile shell-output attempts remain gated before rendering.
P0-8 long-session durability: session listing now uses metadata sidecars instead of parsing full transcripts, and a scripted 360-message / 2.76 MB resume now pre-compacts and completes in about 9 seconds locally.

P0 Checklist

Release blockers

Case	Status	Notes
P0-1 Hard interrupt kills full process tree	In progress	Local one-shot `exec` validation passes: one `Ctrl+C` aborts the turn, no child process remains, and the session is saved as `error/interrupted`. Cross-terminal matrix still required.
P0-2 Approval prompt never deadlocks UI	Pass (local)	One-shot deny flow now renders the blocked result and exits cleanly after approval input cleanup. Cross-terminal matrix still required.
P0-3 Crash-safe session recovery	Pass (local)	Session writes are atomic and the submitted user turn is persisted before execution starts, so a manual `kill -9` + `resume --last` recovery now restores the last prompt coherently.
P0-4 CWD sandbox escape resistance	Pass (local)	Sandbox path resolution now canonicalizes real paths, which blocks symlink traversal by default.
P0-5 Dangerous shell commands gated correctly	In progress	Local runtime checks show destructive shell commands are blocked under `on-request` without approval. Interactive prompt transcript coverage is still required.
P0-6 Large-output containment	In progress	The exact 200000-line stress payload completed locally without freezing the CLI and the response was summarized cleanly. Memory observation and cross-terminal coverage are still required.
P0-7 Multi-session integrity	Pass (local)	Concurrent one-shot sessions now preserve distinct session ids, prompts, tool outputs, and assistant replies. Multi-terminal manual matrix is still desirable.
P0-8 Long-session degradation	Pass (local scripted)	Session listing now uses lightweight metadata sidecars, non-TTY resume no longer blocks on stdin, and a scripted 360-message / 2.76 MB session pre-compacts from 360 messages to the last 24 and resumes in about 9 seconds. A full 60-minute manual run is still desirable.
P0-9 Windows and WSL shell correctness	Pending	No coverage yet in this repo.
P0-10 ANSI and terminal corruption resistance	In progress	Assistant output and live traces now sanitize ANSI/control sequences and carriage-return overwrite. Broader hostile-output matrix across interactive shells is still required.

Validated Fixes

What changed

src/path-utils.js: sandbox checks now use canonicalized real paths, not only path.resolve.
src/session-store.js: session saves now write to a temp file and rename into place atomically.
src/cli.js: one-shot mode now installs an interrupt listener, aborts the active turn on Ctrl+C, saves session state as interrupted, and exits with code 130.
src/cli.js: submitted user turns are now saved to the session before execution begins, which makes forced-kill recovery resumable.
src/agent.js: blocked tool results now short-circuit into a direct assistant reply instead of re-entering the tool loop.
src/prompt.js: approval input cleanup now pauses stdin, which prevents one-shot processes from hanging after a denied approval.
src/cli.js: terminal renderer now strips ANSI escapes, carriage-return overwrite, and control characters from assistant output and live trace labels.
src/session-store.js: session saves now also write lightweight metadata sidecars so session listing and latest-session lookups stay fast as transcript files grow.
src/cli.js: non-TTY one-shot runs now only read stdin when stdin can actually supply the prompt, which prevents supervised resume runs from stalling before they start.
src/cli.js + src/agent.js: resumed sessions now pre-compact more aggressively, and oversized compaction requests fall back to a deterministic local summary instead of timing out inside the compactor.
src/cli.js: active turns now install a raw-key escape listener so Esc interrupts live responses instead of requiring Ctrl+C.

Next Runs

Immediate focus

P0-5 dangerous shell gating under --approval on-request
P0-2 approval prompt stability during live interactive use
P0-6 huge stdout containment
P0-1 process-tree interrupt behavior

Command Set

Starter commands for the next pass