Skip to content

[codex] Fix ROS selling pipeline and A2A compatibility issues#140

Merged
guima-why merged 12 commits into
mainfrom
codex/fix-misc-issues
Jul 6, 2026
Merged

[codex] Fix ROS selling pipeline and A2A compatibility issues#140
guima-why merged 12 commits into
mainfrom
codex/fix-misc-issues

Conversation

@guima-why

Copy link
Copy Markdown
Collaborator

Summary

This PR collects a set of fixes for IaC Code pipeline/runtime behavior, with the main focus on making the Alibaba Cloud ROS selling pipeline more deterministic and easier for LLMs to drive safely.

The branch addresses several production-facing issues found during interactive testing:

  • IaC Code identity and runtime provider/model information were not consistently present in the system prompt.
  • ROS selling-pipeline steps could still drift into TemplateBody or raw ROS stack APIs even when the intended flow required TemplateURL.
  • The deployment step repeated validation work after a successful preview, and recovery after failed stack creation was not deterministic enough.
  • A2A public events could expose absolute local paths, while the debugger did not surface enough normal-chat event detail for review.
  • Pipeline bundled skills needed to share Alibaba Cloud references without duplicating most files, while still allowing a selling-specific parameter recommendation reference.
  • VSwitch CIDR defaults could overlap when a generated template was later bound to an existing VPC.
  • grep behavior differed between environments with and without ripgrep when symlinked directories were present.

Major Changes

Runtime Prompt Context

  • Adds runtime provider/model metadata to the current-time system prompt section so the model can identify the active provider/model without adding a large prompt block.
  • Adds explicit IaC Code identity text so the assistant identifies itself as IaC Code rather than another model/vendor.
  • Covers prompt rendering in normal, pipeline, A2A, ACP, headless, and REPL paths through the shared agent factory/system prompt refresh logic.

ROS TemplateURL Enforcement and Dedicated Pipeline Tools

  • Adds dedicated ROS template tools for the selling pipeline:
    • ros_validate_template
    • ros_preview_stack
    • ros_get_template_parameter_constraints
  • Restricts these tools to the intended selling-pipeline steps, instead of exposing them globally.
  • Blocks direct pipeline use of ROS APIs that should go through the dedicated tools, while leaving generic aliyun_api available for other cloud-product calls.
  • Updates prompts and bundled selling skills to explicitly pass the rendered selected template URL and avoid TemplateBody for ROS selling-pipeline calls.

Selling Pipeline Deployment Flow

  • Adds ros_deploy for the selling deployment step and removes direct ros_stack usage from that step.
  • Encapsulates stack deployment actions with rule-level permission checks:
    • continue_create:<stack_id> for continuing a failed stack create.
    • delete_and_create:<stack_id> for deleting/recreating a stack created by the current selling deployment step.
  • Prefers ContinueCreateStack with RecreatingOptions: ["AutoRecreatingResources"], while still allowing delete-and-create fallback for owned stacks when needed.
  • Blocks delete/continue/update/create bypasses through raw ROS stack APIs in the selling pipeline deployment step.
  • Preserves stack ownership metadata when a stack was created but later polling failed, so recovery can safely continue the same owned stack.
  • Preserves ros_deploy_owned_stack_ids during fresh complete-step recovery, preventing recovered deployment attempts from losing stack ownership state.

Deployment Fast Path After Preview

  • Records successful preview validation state from the cost/preview step.
  • Allows the deployment step to skip redundant ValidateTemplate/preview calls when the selected template has already passed preview validation.
  • Keeps validation required for current sessions, while avoiding over-supporting old session formats.

Template Generation and CIDR Guardrails

  • Avoids prompting the model to create the templates/ directory manually during template generation.
  • Adds template validation hooks that detect fixed VSwitch CIDR values which may overlap with existing VPC CIDR inputs.
  • Adds local guards for both default and fixed VSwitch CidrBlock values when an existing VPC is selected.

A2A Path Redaction and Debugging

  • Adds public path sanitization for A2A/public-facing event payloads so workspace/config/trusted-root paths are represented relative to public roots rather than leaking full absolute paths.
  • Keeps internal tool arguments, transcript state, and diagnostic state intact so observability and recovery still have real paths where needed.
  • Improves the A2A debugger timeline so normal chat can display merged text, thinking deltas, tool calls, and tool results instead of only text deltas.
  • Ensures text_delta streaming is not rewritten in a way that would break streaming output.

Bundled Skill References and Packaging

  • Adds a selling-specific references/ directory that mostly uses symlinks to existing bundled Alibaba Cloud references, with only template-parameter-recommendation.md customized for the selling pipeline.
  • Updates packaging logic to preserve or expand these bundled references correctly in source distributions and wheels, including environments where symlink support is unavailable.
  • Updates read_file, glob, grep, and list_files behavior/tests around symlinked references and trusted roots.
  • Fixes grep to fall back to the Python implementation when the search tree contains directory symlinks, avoiding inconsistent ripgrep behavior and preserving allowed-root filtering.

i18n and UI Labels

  • Extracts and translates newly user-visible strings across the supported locales.
  • Adds localized labels for the new ROS template/deploy tools and permission rule descriptions.
  • Improves display names for ROS template parameter recommendation tooling.

Compatibility Notes

  • The selling pipeline now uses dedicated ROS tools for template validation, preview, parameter constraints, and deployment, while normal mode continues to support the broader ROS/Alibaba Cloud tools.
  • Generic Alibaba Cloud API access remains available for non-stack-management operations, such as querying product metadata or checking existing VPC state.
  • The public path sanitizer is applied to public-facing events and outputs, not to internal state required for recovery, auditing, or diagnostics.
  • The deployment ownership guard only allows continuing or deleting stacks created by the current selling deployment step.

Validation

Local validation completed before opening this PR:

  • make lint
  • make test (7997 passed, 1 skipped)
  • Targeted regression tests for:
    • A2A path sanitization and debugger rendering
    • ROS template tools and pipeline step scoping
    • ROS deploy ownership, permissions, continue/delete-create behavior, and recovery state
    • Deployment preview validation fast path
    • VSwitch CIDR overlap guardrails
    • Symlinked bundled references and packaging behavior
    • i18n extraction/translation coverage

The pre-push hook also completed AK leak detection without finding data to scan.

Review Focus

Please pay special attention to:

  • Selling-pipeline step tool registration and whether each ROS tool is scoped to the intended step.
  • Recovery behavior around failed CreateStack / ContinueCreateStack flows.
  • Public A2A path redaction versus internal observability/recovery data preservation.
  • Windows and no-symlink packaging behavior for bundled selling references.
  • i18n coverage for newly visible tool names, permission prompts, and error messages.

@guima-why guima-why marked this pull request as ready for review July 6, 2026 07:20
@guima-why guima-why merged commit 8f8b200 into main Jul 6, 2026
19 of 20 checks passed
@guima-why guima-why deleted the codex/fix-misc-issues branch July 6, 2026 07:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant