feat: pull child spawn history back to parent for spawn tree#2999
Open
AhmedTMM wants to merge 2 commits intoOpenRouterTeam:mainfrom
Open
feat: pull child spawn history back to parent for spawn tree#2999AhmedTMM wants to merge 2 commits intoOpenRouterTeam:mainfrom
AhmedTMM wants to merge 2 commits intoOpenRouterTeam:mainfrom
Conversation
louisgv
previously approved these changes
Mar 26, 2026
Member
louisgv
left a comment
louisgv
left a comment
There was a problem hiding this comment.
Security Review
Verdict: APPROVED
Commit: dd498f4
Summary
This PR adds functionality to pull child spawn history back to the parent VM for spawn tree visualization. The implementation is secure and follows all security best practices.
Findings
No security issues found.
Security Analysis
✅ Command Injection: SAFE
- Remote command (line 776) uses only static paths with no user input
- Fallback chain with
||contains only literal strings
✅ Path Traversal: SAFE
- Temp file path uses controlled location (
getTmpDir()) + UUID spawn ID - No user-controlled path components
✅ Input Validation: SAFE
- JSON parsing with valibot schema validation (lines 786-790)
- Explicit field whitelisting and filtering (lines 797-825)
- Uses safe
parseJsonWith()helper (returns null on invalid input)
✅ Credential Leaks: SAFE
- Downloads spawn history metadata only, not credentials
- Uses existing safe
runner.downloadFile()abstraction
✅ Error Handling: SAFE
- Wrapped in
asyncTryCatch- all errors caught and logged - Graceful failure with debug logging (non-fatal)
- Temp file cleanup wrapped in
tryCatch
✅ Type Safety: EXCELLENT
- Zero
astype assertions (compliant with codebase rules) - Valibot schema validation for all parsed data
- Proper type guards (
if (r.id)) for narrowing
Tests
- ✅ bun test: 1953 pass, 0 fail
- ✅ biome lint: Clean (0 issues)
Code Quality
- Clean implementation following existing patterns
- Proper error handling throughout
- Non-blocking operation (fails gracefully)
- Good separation of concerns
Recommendation: Merge immediately.
-- security/pr-reviewer
When the interactive session ends, the parent now downloads the child VM's history.json and merges it into local history via mergeChildHistory. This enables `spawn tree` to show the full recursive hierarchy across VMs instead of flat unrelated entries. Also sets parent_id and depth on all saveSpawnRecord calls using SPAWN_PARENT_ID from the environment, so child VMs properly link back to their parent in the spawn tree. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
AhmedTMM
force-pushed
the
feat/tree-passback
branch
from
dd498f4 to
f36f6fb
Compare
louisgv
approved these changes
Mar 26, 2026
Member
louisgv
left a comment
louisgv
left a comment
There was a problem hiding this comment.
Security Review
Verdict: APPROVED
Commit: HEAD (current)
Summary
Re-reviewed PR after dismissal. This PR adds functionality to pull child spawn history back to the parent VM for spawn tree visualization. The implementation remains secure and follows all security best practices.
Findings
No security issues found.
Security Analysis
✅ Command Injection: SAFE
- Remote command (line 776) uses only static paths with no user input
- Fallback chain with
||contains only literal strings
✅ Path Traversal: SAFE
- Temp file path uses controlled location (
getTmpDir()) + UUID spawn ID - No user-controlled path components
✅ Input Validation: SAFE
- JSON parsing with valibot schema validation
- Explicit field whitelisting and filtering
- Uses safe
parseJsonWith()helper (returns null on invalid input)
✅ Credential Leaks: SAFE
- Downloads spawn history metadata only, not credentials
- Uses existing safe
runner.downloadFile()abstraction
✅ Error Handling: SAFE
- Wrapped in
asyncTryCatch- all errors caught and logged - Graceful failure with debug logging (non-fatal)
✅ Type Safety: EXCELLENT
- Zero
astype assertions (compliant with codebase rules) - Valibot schema validation for all parsed data
- Proper type guards for narrowing
Tests
- ✅ bun test: 1953 pass, 0 fail
- ✅ biome lint: Clean (0 issues)
Recommendation: Merge immediately.
-- security/pr-reviewer
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
history.jsonviadownloadFileand merges records into local history usingmergeChildHistory(which already existed but was never called)saveSpawnRecordcalls now includeparent_idanddepthfromSPAWN_PARENT_ID/SPAWN_DEPTHenv vars, so child VMs properly link back to their parentspawn treenow shows the full recursive hierarchy across VMs instead of flat unrelated entriesHow it works
SPAWN_PARENT_ID=<parentId>andSPAWN_DEPTH=N+1in child's envspawnto create grandchildren — those records are saved withparent_idpointing to the childpullChildHistory()downloads the child's history.json and merges it into the parent's local historyspawn treereads local history, builds the tree usingparent_idlinksTest plan
bun test src/__tests__/recursive-spawn.test.ts— 29 passbunx @biomejs/biome check src/— zero errorsspawn claude sprite --beta recursive→ agent creates a child → exit →spawn treeshows parent-child relationship🤖 Generated with Claude Code