Skip to content

feat: ship provider-neutral SCC runtime with Claude and Codex support#98

Merged
CCimen merged 121 commits intomainfrom
gsd/scc-v1
Apr 6, 2026
Merged

feat: ship provider-neutral SCC runtime with Claude and Codex support#98
CCimen merged 121 commits intomainfrom
gsd/scc-v1

Conversation

@CCimen
Copy link
Copy Markdown
Owner

@CCimen CCimen commented Apr 6, 2026

Summary

This PR turns SCC into a provider-neutral governed runtime for AI coding agents instead of a Claude-only wrapper.

It brings Claude Code and Codex onto the same core launch model, hardens the OCI runtime and network-control path, improves setup/start/provider UX, and refreshes the product surface so SCC reads and behaves like a multi-provider platform.

What changed

  • add first-class Codex support alongside Claude Code
  • replace remaining Claude-shaped launch paths with provider-neutral contracts and runtime specs
  • harden the OCI/container runtime path and remove active Docker Desktop assumptions from user-facing flows
  • ship SCC-owned images for scc-base, scc-agent-claude, scc-agent-codex, and scc-egress-proxy
  • enforce truthful network vocabulary and web-egress controls: open, web-egress-enforced, locked-down-web
  • add a shared provider-neutral safety engine with fail-closed runtime wrappers
  • unify provider readiness, image bootstrap, auth bootstrap, and preflight handling across start, wizard, worktree, dashboard, and resume flows
  • add provider onboarding and selection UX (scc setup, scc provider show/set, scc start --provider ...)
  • improve doctor/status/setup truthfulness with three-tier readiness reporting
  • clean up generated .gsd branch noise and keep only durable project documentation in Git
  • refresh the root README for the new product story and improve package discovery metadata

Why it matters

SCC now supports a more realistic organizational rollout model:

  • one central org configuration
  • delegated team ownership within governed boundaries
  • repeatable onboarding for new developers
  • safer agent execution in isolated containers
  • clearer network-control semantics for security reviewers
  • the ability to standardize on Claude, Codex, or both depending on team needs

Validation

  • uv run ruff check
  • uv run mypy src/scc_cli
  • uv run pytest -q
  • final branch baseline reported green at 5117 passed, 23 skipped, 2 xfailed
  • focused Docker-backed smoke coverage was also exercised during the milestone work for provider image/auth/bootstrap flows

Notes

  • The version in this branch remains 1.7.3.
  • From a semver perspective, this work is a strong candidate for the next major release because it changes the product framing and shipped capability substantially.
  • The actual version bump and release packaging are better handled on the later release/... branch rather than inside this merge PR.

Companion docs

A matching docs refresh was prepared in the docs repo to align the public documentation with the multi-provider SCC product story.

CCimen added 30 commits April 3, 2026 16:33
@CCimen
docs: add GSD2 planning baseline for SCC v1 architecture
7adb7ad
@CCimen
docs: stabilize m005 roadmap and gsd isolation
b5f784b
@CCimen
feat: adopt provider-neutral launch boundary
7fb0a59
@CCimen
docs: register runtime and safety milestones
d6c352e
@CCimen
test: Added RuntimeProbe protocol, DockerRuntimeProbe adapter, FakeRunt…
9705dca 
- src/scc_cli/core/contracts.py
- src/scc_cli/ports/runtime_probe.py
- src/scc_cli/adapters/docker_runtime_probe.py
- tests/fakes/fake_runtime_probe.py
- tests/fakes/__init__.py
- src/scc_cli/bootstrap.py
- tests/test_runtime_probe.py

GSD-Task: S01/T01
@CCimen
feat: Replaced three docker.check_docker_available() calls with probe-b…
589f99e 
- src/scc_cli/adapters/docker_sandbox_runtime.py
- src/scc_cli/bootstrap.py
- src/scc_cli/ui/dashboard/orchestrator.py

GSD-Task: S01/T02
@CCimen
test: Added tokenizer-based guardrail test preventing stale docker.chec…
cda11ad 
- tests/test_runtime_detection_hotspots.py

GSD-Task: S01/T03
@CCimen
test: Add preferred_backend field to RuntimeInfo and rootless detection…
6a2d9cf 
- src/scc_cli/core/contracts.py
- src/scc_cli/adapters/docker_runtime_probe.py
- tests/test_runtime_probe.py
- tests/fakes/fake_runtime_probe.py

GSD-Task: S02/T01
@CCimen
feat: Added frozen ImageRef dataclass with full_ref()/image_ref() round…
93d22a9 
- src/scc_cli/core/image_contracts.py
- images/scc-base/Dockerfile
- images/scc-agent-claude/Dockerfile
- tests/test_image_contracts.py

GSD-Task: S02/T02
@CCimen
test: Implemented OciSandboxRuntime adapter using docker create/start/e…
9945383 
- src/scc_cli/adapters/oci_sandbox_runtime.py
- tests/test_oci_sandbox_runtime.py

GSD-Task: S02/T03
@CCimen
feat: Wire bootstrap backend selection and start_session image routing…
a538a98 
- src/scc_cli/bootstrap.py
- src/scc_cli/application/start_session.py
- tests/test_bootstrap_backend_selection.py
- tests/test_start_session_image_routing.py
- tests/test_bootstrap.py

GSD-Task: S02/T04
@CCimen
test: Added build_egress_plan() and compile_squid_acl() pure functions…
85e3060 
- src/scc_cli/core/egress_policy.py
- tests/test_egress_policy.py

GSD-Task: S03/T01
@CCimen
test: Created Squid proxy sidecar image definition, NetworkTopologyMana…
a824489 
- src/scc_cli/adapters/egress_topology.py
- tests/test_egress_topology.py
- images/scc-egress-proxy/Dockerfile
- images/scc-egress-proxy/squid.conf.template
- images/scc-egress-proxy/entrypoint.sh

GSD-Task: S03/T02
@CCimen
test: Wire egress topology into OciSandboxRuntime with network-enforcem…
35a8825 
- src/scc_cli/adapters/oci_sandbox_runtime.py
- tests/test_oci_sandbox_runtime.py
- tests/test_oci_egress_integration.py

GSD-Task: S03/T03
@CCimen
test: Added provider destination registry with anthropic-core/openai-co…
fd2a347 
- src/scc_cli/core/destination_registry.py
- tests/test_destination_registry.py

GSD-Task: S04/T01
@CCimen
feat: Wired provider destination sets from SandboxSpec through OCI adap…
7327cc1 
- src/scc_cli/ports/models.py
- src/scc_cli/application/start_session.py
- src/scc_cli/adapters/oci_sandbox_runtime.py
- src/scc_cli/application/launch/preflight.py
- tests/test_oci_egress_integration.py
- tests/test_launch_preflight.py

GSD-Task: S04/T02
@CCimen
feat: Added check_runtime_backend() doctor check and effective_egress s…
8dc43c8 
- src/scc_cli/doctor/checks/environment.py
- src/scc_cli/doctor/checks/__init__.py
- src/scc_cli/doctor/__init__.py
- src/scc_cli/doctor/core.py
- src/scc_cli/application/support_bundle.py
- tests/test_doctor_checks.py
- tests/test_support_bundle.py

GSD-Task: S04/T03
@CCimen
docs: Updated all stale network-mode vocabulary (isolated→locked-down-w…
b5339c2 
- src/scc_cli/application/compute_effective_config.py
- src/scc_cli/commands/config.py
- tests/test_config_explain.py
- README.md

GSD-Task: S05/T01
@CCimen
docs: Added 5 guardrail tests in test_docs_truthfulness.py preventing s…
160b8ce 
- tests/test_docs_truthfulness.py

GSD-Task: S05/T02
@CCimen
chore: auto-commit after complete-milestone
2fdf54a 
GSD-Unit: M003
@CCimen
feat: Added CommandFamily enum, lifted shell tokenizer from plugin into…
c7f5920 
- src/scc_cli/core/enums.py
- src/scc_cli/core/shell_tokenizer.py
- src/scc_cli/ports/safety_engine.py
- tests/test_shell_tokenizer.py

GSD-Task: S01/T01
@CCimen
feat: Lifted all git safety analyzers from plugin into core with typed…
38da211 
- src/scc_cli/core/git_safety_rules.py
- src/scc_cli/core/network_tool_rules.py
- tests/test_git_safety_rules.py
- tests/test_network_tool_rules.py

GSD-Task: S01/T02
@CCimen
test: Implemented DefaultSafetyEngine orchestrating shell tokenization…
f0d0b69 
- src/scc_cli/core/safety_engine.py
- src/scc_cli/bootstrap.py
- tests/fakes/fake_safety_engine.py
- tests/fakes/__init__.py
- tests/test_safety_engine.py
- tests/test_safety_engine_boundary.py

GSD-Task: S01/T03
@CCimen
test: Created standalone scc_safety_eval package (9 files, stdlib-only)…
ac92ec0 
- images/scc-base/wrappers/scc_safety_eval/engine.py
- images/scc-base/wrappers/scc_safety_eval/policy.py
- images/scc-base/wrappers/scc_safety_eval/__main__.py
- images/scc-base/wrappers/scc_safety_eval/contracts.py
- images/scc-base/wrappers/scc_safety_eval/enums.py
- images/scc-base/wrappers/scc_safety_eval/shell_tokenizer.py
- images/scc-base/wrappers/scc_safety_eval/git_safety_rules.py
- images/scc-base/wrappers/scc_safety_eval/network_tool_rules.py

GSD-Task: S02/T01
@CCimen
test: Created 7 shell wrappers, updated scc-base Dockerfile with python…
a2debb1 
- images/scc-base/wrappers/bin/git
- images/scc-base/wrappers/bin/curl
- images/scc-base/wrappers/bin/wget
- images/scc-base/wrappers/bin/ssh
- images/scc-base/wrappers/bin/scp
- images/scc-base/wrappers/bin/sftp
- images/scc-base/wrappers/bin/rsync
- images/scc-base/Dockerfile

GSD-Task: S02/T02
@CCimen
test: Added SafetyCheckResult dataclass, SafetyAdapter protocol, and Cl…
5ab8282 
- src/scc_cli/core/contracts.py
- src/scc_cli/ports/safety_adapter.py
- src/scc_cli/adapters/claude_safety_adapter.py
- src/scc_cli/adapters/codex_safety_adapter.py
- tests/test_claude_safety_adapter.py
- tests/test_codex_safety_adapter.py

GSD-Task: S03/T01
@CCimen
test: Wired ClaudeSafetyAdapter and CodexSafetyAdapter into DefaultAdap…
6fe0f88 
- tests/fakes/fake_safety_adapter.py
- src/scc_cli/bootstrap.py
- tests/fakes/__init__.py
- tests/test_safety_adapter_audit.py

GSD-Task: S03/T02
@CCimen
test: Added fail-closed typed SafetyPolicy loader in core, doctor safet…
d1fc728 
- src/scc_cli/core/safety_policy_loader.py
- src/scc_cli/doctor/checks/safety.py
- src/scc_cli/doctor/checks/__init__.py
- src/scc_cli/doctor/core.py
- tests/test_safety_policy_loader.py
- tests/test_safety_doctor_check.py

GSD-Task: S04/T01
@CCimen
test: Added safety audit reader filtering safety.check events from JSON…
9871672 
- src/scc_cli/application/safety_audit.py
- src/scc_cli/presentation/json/safety_audit_json.py
- src/scc_cli/commands/support.py
- src/scc_cli/application/support_bundle.py
- src/scc_cli/kinds.py
- tests/test_safety_audit.py

GSD-Task: S04/T02
@CCimen
feat: Produced ranked maintainability audit with 184 table rows coverin…
9f73f72 
- .gsd/milestones/M005/slices/S01/MAINTAINABILITY-AUDIT.md

GSD-Task: S01/T01
CCimen added 29 commits April 5, 2026 17:50
@CCimen
test: Added 7 OCI runtime-layer tests proving config persistence is det…
8d326ff 
- tests/test_oci_sandbox_runtime.py

GSD-Task: S05/T11
@CCimen
test: Added 10 decision-reconciliation guardrail tests (D033/D035/D037/…
236e80d 
- tests/test_docs_truthfulness.py
- .gsd/DECISIONS.md

GSD-Task: S05/T12
@CCimen
chore: auto-commit after complete-milestone
1cab7f3 
GSD-Unit: M007-cqttot
@CCimen
test: 43 characterization tests capture provider resolution behavior ac…
e5a7def 
- tests/test_launch_preflight_characterization.py

GSD-Task: S01/T01
@CCimen
test: Created commands/launch/preflight.py with typed LaunchReadiness m…
99bd3fb 
- src/scc_cli/commands/launch/preflight.py
- tests/test_launch_preflight.py

GSD-Task: S01/T02
@CCimen
feat: Replaced inline _resolve_provider() and _allowed_provider_ids() i…
72fff1a 
- src/scc_cli/commands/launch/flow.py
- src/scc_cli/commands/launch/flow_interactive.py
- src/scc_cli/ui/dashboard/orchestrator_handlers.py
- tests/test_cli.py
- tests/test_start_live_conflict.py
- tests/test_start_codex_auth_bootstrap.py
- tests/test_launch_preflight.py

GSD-Task: S01/T03
@CCimen
fix: Fixed 26 pre-existing test failures across guardrail, mock compati…
50dc21e 
- src/scc_cli/commands/launch/flow.py
- tests/test_cli_setup.py
- tests/test_setup_wizard.py
- tests/test_start_dryrun.py
- tests/test_integration.py
- tests/test_oci_egress_integration.py
- tests/test_import_boundaries.py
- tests/test_no_root_sprawl.py

GSD-Task: S01/T04
@CCimen
test: Created structural guardrail tests preventing inline provider res…
ed3d1ea 
- tests/test_launch_preflight_guardrail.py

GSD-Task: S01/T05
@CCimen
fix: Fixed 6 misleading auth-status strings across provider_choice.py,…
cc70fc7 
- src/scc_cli/commands/launch/provider_choice.py
- src/scc_cli/setup.py
- src/scc_cli/doctor/checks/environment.py
- tests/test_auth_vocabulary_guardrail.py

GSD-Task: S02/T01
@CCimen
feat: Removed Docker Desktop from active user-facing paths; added lifec…
60c6274 
- src/scc_cli/commands/admin.py
- src/scc_cli/commands/worktree/container_commands.py
- tests/test_doctor_provider_errors.py
- tests/test_docs_truthfulness.py
- tests/test_lifecycle_inventory_consistency.py

GSD-Task: S02/T02
@CCimen
test: Consolidated provider adapter dispatch into shared get_agent_prov…
1b4c5f0 
- src/scc_cli/commands/launch/dependencies.py
- src/scc_cli/commands/launch/provider_choice.py
- src/scc_cli/setup.py
- tests/test_docs_truthfulness.py

GSD-Task: S02/T03
@CCimen
test: All 6 verification checks pass: ruff clean, mypy clean, 5008 test…
e355676 
- (none)

GSD-Task: S02/T04
@CCimen
test: Added 17 tests verifying workspace provider persistence edge case…
5844834 
- tests/test_workspace_provider_persistence.py

GSD-Task: S03/T01
@CCimen
test: Added 22 resume-after-drift edge case tests and auth bootstrap ex…
391ac94 
- tests/test_resume_after_drift.py
- src/scc_cli/commands/launch/auth_bootstrap.py

GSD-Task: S03/T02
@CCimen
test: Added 67 tests verifying setup idempotency and error message qual…
3ccef53 
- tests/test_setup_idempotency.py
- tests/test_error_message_quality.py

GSD-Task: S03/T03
@CCimen
docs: Added legacy-path documentation to all Docker Desktop sandbox mod…
386cba1 
- src/scc_cli/docker/core.py
- src/scc_cli/docker/launch.py
- src/scc_cli/docker/sandbox.py
- src/scc_cli/adapters/docker_sandbox_runtime.py

GSD-Task: S03/T04
@CCimen
chore: auto-commit after complete-milestone
f002f70 
GSD-Unit: M008-g7jk8d
@CCimen
chore: auto-commit after complete-milestone
1f36cee 
GSD-Unit: M008-g7jk8d
@CCimen
feat: ensure_launch_ready() now calls provider.bootstrap_auth() after s…
31397bc 
- src/scc_cli/commands/launch/preflight.py
- src/scc_cli/commands/worktree/worktree_commands.py
- src/scc_cli/ui/dashboard/orchestrator_handlers.py
- tests/test_launch_preflight.py
- tests/test_resume_after_drift.py

GSD-Task: S01/T01
@CCimen
feat: Replaced inline ensure_provider_image + ensure_provider_auth call…
3c9f8d9 
- src/scc_cli/commands/launch/flow.py
- src/scc_cli/commands/launch/flow_interactive.py
- tests/test_launch_preflight_guardrail.py
- tests/test_start_codex_auth_bootstrap.py
- tests/test_workspace_provider_persistence.py
- tests/test_cli.py
- tests/test_launch_preflight_characterization.py

GSD-Task: S01/T02
@CCimen
feat: Reduced auth_bootstrap.py to a deprecated redirect delegating to…
eeee4ce 
- src/scc_cli/commands/launch/auth_bootstrap.py
- src/scc_cli/commands/launch/preflight.py
- tests/test_auth_vocabulary_guardrail.py

GSD-Task: S01/T03
@CCimen
feat: Replaced inline two-tier status in _render_provider_status with _…
f8872b3 
- src/scc_cli/setup.py

GSD-Task: S02/T01
@CCimen
chore: auto-commit after complete-milestone
2ba7252 
GSD-Unit: M009-xwi4bt
@CCimen
chore: ignore and untrack ephemeral GSD state
d3145f7 
Keep the durable .gsd project and milestone docs in Git while removing runtime churn from normal feature diffs.

This updates .gitignore to exclude GSD state files, event logs, databases, local preference/override files, completed-unit manifests, reports, and recovery snapshots. It also removes the currently tracked runtime and recovery artifacts from the index only, so local GSD functionality continues to work unchanged while future commits stay focused on product code and durable documentation.
@CCimen
chore: trim generated GSD artifacts from branch
1094ac6 
Remove milestone slice/task churn, generated reports, and local helper artifacts from the branch so the PR stays focused on product code, tests, images, and durable project docs.

Keep the AGENTS-referenced M001 milestone docs, preserve local copies of the removed GSD artifacts under ignored runtime backup storage, and ignore local-only files such as .bg-shell, coverage.json, and READMEGSD.md going forward.
@CCimen
docs: refresh README and ignore generated workspace state
8e941f0
@CCimen
docs: tighten README and improve package discovery metadata
555aa02
@CCimen
fix: repair PR lint and test regressions
251379f
@CCimen
test: make launch preflight tests hermetic
2658657
@CCimen CCimen merged commit 1bd0f18 into main Apr 6, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@CCimen