Skip to content

Avoid host RPCs from event handlers#5

Closed
bryangauvin wants to merge 1 commit into
tomismeta:mainfrom
bryangauvin:codex/event-scope-safe-handlers
Closed

Avoid host RPCs from event handlers#5
bryangauvin wants to merge 1 commit into
tomismeta:mainfrom
bryangauvin:codex/event-scope-safe-handlers

Conversation

@bryangauvin

@bryangauvin bryangauvin commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown

Summary

  • keep subscribed Paperclip event handling memory-only so event callbacks do not call host-scoped issues, state, or streams APIs
  • let read-only data handlers degrade to in-memory/empty attention state when Paperclip denies host state or reconciliation scope
  • continue applying mapped issue events to the in-memory Aperture store
  • add regression coverage with host RPC stubs that throw if called

Verification

  • node_modules/.bin/tsc --noEmit
  • node_modules/.bin/vitest run --config ./vitest.config.ts tests/events.spec.ts tests/data.spec.ts

Note

Local verification used pnpm install --frozen-lockfile --ignore-workspace --ignore-scripts because pnpm 11 required interactive build-script approval for esbuild in this clean clone.

@bryangauvin bryangauvin force-pushed the codex/event-scope-safe-handlers branch from 4463629 to 08c4c86 Compare June 10, 2026 18:12
@tomismeta

tomismeta commented Jun 17, 2026

Copy link
Copy Markdown
Owner

Thanks for the careful report and patch. We agreed with the core intent here: subscribed Paperclip event callbacks should not call host-scoped APIs that may require an active invocation scope.

We did not merge this branch as-is because its memory-only event path removed immediate persistence and broke our restart/replay guarantees for event-derived Focus state. Instead, we shipped the fix in 0.4.7 with a slightly different shape:

  • event callbacks now avoid scoped host RPCs entirely: no issue reads, plugin state reads/writes, stream emits, or per-event config fetches from ctx.events.on
  • event-derived Aperture state is applied in memory and marked pending
  • the next scoped data/action bridge call flushes that pending state durably, so Focus refreshes still preserve ledger replay across worker restarts
  • read-only Focus data handlers degrade to the current in-memory state if the host denies state or reconciliation scope
  • regression coverage was added for event-scope safety, deferred persistence, and restart replay

Published in @tomismeta/paperclip-aperture@0.4.7 and released here:
https://github.com/tomismeta/paperclip-aperture/releases/tag/v0.4.7

To update:

paperclipai plugin uninstall tomismeta.paperclip-aperture --force
paperclipai plugin install @tomismeta/paperclip-aperture

If the host supports package updates directly, installing the package again without a version suffix should pick up the latest dist-tag, which is now 0.4.7.

Closing this PR because the issue has been addressed on main in e73c138 / v0.4.7.

@tomismeta

tomismeta commented Jun 17, 2026

Copy link
Copy Markdown
Owner

Closed after shipping the event-scope-safe implementation in v0.4.7.

@tomismeta tomismeta closed this Jun 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bryangauvin @tomismeta