Harden orchestration approval and manifest state

[cursor]

Summary

• require explicit plan approval decisions and block lead manifest patches that can self-approve the planning phase
• suspend runs instead of writing through foreign/stale bundles, and reject on-disk manifest conflicts before atomic commit
• relocate orchestration bundle paths for managed and persisted sessions after lane placement changes, including active watcher restart
• restore the previous project binding when openRepo is cancelled or fails

Validation

• npx vitest run src/main/services/orchestration/patchPolicy.test.ts
• npx vitest run src/main/services/ai/tools/orchestrationTools.test.ts
• npx vitest run src/main/services/orchestration/orchestrationService.test.ts
• npx vitest run src/preload/preload.test.ts
• npx vitest run src/main/services/chat/agentChatService.test.ts -t "orchestration|lane launch directives|openRepo"
• npm --prefix apps/desktop run typecheck
• npm --prefix apps/desktop run lint (warnings only, existing repo-wide warnings)
• npm --prefix apps/desktop run build

Related

• folds validated fixes from Fix orchestration plan approval bypass and openRepo binding leak #364, Fix orchestration stale manifest writes after external bundle swap #365, Fix orchestration manifest clobber on external disk updates #375, and Fix stale orchestration bundle path after lane VM placement change #376 into this combined orchestration lane

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
ade	Ignored	Preview	May 28, 2026 11:00pm

[capy-ai]

Capy auto-review is paused for this organization because the monthly auto-review limit has been reached. Increase the limit or turn it off in billing settings to resume automatic reviews.

[cursor]

PR Review

Scope: 11 file(s), +742 / −32
Verdict: Minor issues

This PR tightens orchestration correctness: explicit plan approval (no regex or planning-phase shortcuts), lead self-approval blocked in patch policy, manifest suspend/conflict handling on external bundle changes, bundle-path repointing when lane placement/worktree moves, and preload project-binding restore on cancelled openRepo. The changes are well-tested; one edge case in cold-session repointing is worth fixing.

---

🐛 Functionality

[Medium] Cold orchestration sessions can keep a stale bundle path after lane placement changes

File: apps/desktop/src/main/services/chat/agentChatService.ts:23807-23836
Issue: When repointing persisted (non-managed) orchestration sessions, the handler scans sessionService.list({ limit: 500 }) ordered by started_at desc. Any chat session with an orchestrationRunId that is not in the newest 500 rows is skipped, so its orchestrationBundlePath stays on the pre-move path after VM detach or worktree relocation.
Repro: Create 501+ chat sessions in a project; start an orchestration lead run, dispose the session (cold), change the lane worktree or detach from Mac VM, then reopen the cold session and invoke orchestration tools — metadata still points at the old bundle directory.
Fix: Query only sessions that carry orchestration metadata (e.g. filter persisted rows / metadata files with orchestrationRunId), or pass laneId into sessionService.list and drop the fixed 500 cap for this path.

---

Notes

• Good hardening overall: requestPlanApproval requiring decision === "accept" | "accept_for_session", isOrchestrationPlanApproved no longer treating planning phase done as approval, persistManifest TOCTOU guard + suspend on runId mismatch, and watcher callbacks serialized under the run mutex.
• Bundle relocation assumes orchestration files already exist at the destination worktree (mirror sync / manual copy); that matches VM mirror behavior (.ade/orchestration is not rsync-excluded).
• VM detach still depends on mirror→lane flush before the share directory is removed; stopMirrorSyncForLane is optional on the Mac VM service — worth verifying separately if detach-related manifest loss is reported.

  

_{Sent by Cursor Automation: BUGBOT in Versic}