Harden integration local watcher command roots

[kjgbot]

Summary

• Track A hardening follow-up for Prevent integration event and history sync from overwhelming local machines #82 after PR Prevent broad integration local event watchers #98.
• Restrict local fallback watcher command-root eligibility to dotted .outbox only, removing the bare outbox segment match flagged in review.
• Add an isolated regression proving downloadHistoricalData: false still creates zero local watcher roots even for a .outbox command mount.

Issue / Review Finding

Follow-up to #82 / PR #98 reviewer finding: a provider history resource literally named outbox could otherwise be treated as a bounded command root when historical download is enabled. Issue #82 and the local command surface use dotted .outbox; this PR keeps the recursive local fallback watcher limited to that hidden command root.

Tests

• node --experimental-strip-types --no-warnings --test src/main/__tests__/integration-event-bridge.test.ts
• npm test
• npx vitest run src/main/integration-mounts.test.ts

Scope

Track A only. No remote subscription/replay, dispatcher, payload, logging, fanout, or mount-budget changes.

[codeant-ai]

CodeAnt AI is reviewing your PR.

[coderabbitai]

Warning

Review limit reached

@kjgbot, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 1 minute and 42 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Free

Run ID: f41571f6-5681-4dca-b928-71bbd7282a17

📥 Commits

Reviewing files that changed from the base of the PR and between 7909aed and 8c6d9bf.

📒 Files selected for processing (2)

• src/main/__tests__/integration-event-bridge.test.ts
• src/main/integration-event-bridge.ts

📝 Walkthrough

Walkthrough

This PR refines the validation logic for local command root eligibility by tightening isBoundedLocalCommandRoot to match only .outbox directory segments, then validates the new constraints with two focused integration tests covering the local fallback watcher requirements.

Changes

Local Command Root Validation

Layer / File(s)	Summary
isBoundedLocalCommandRoot validation refinement src/main/integration-event-bridge.ts	isBoundedLocalCommandRoot now matches only the .outbox directory segment, excluding bare outbox paths from local command/writeback watching eligibility.
Local fallback watcher constraint tests src/main/__tests__/integration-event-bridge.test.ts	Two integration tests validate that .outbox mounts require downloadHistoricalData: true to generate watch roots, and that bare outbox paths produce no watch roots even with historical download enabled.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🐰 A dot on the outbox, precise and keen,
Makes the watcher dance in between,
With history download, the roots take hold,
While bare boxes wait, their stories untold!

---

Note

🎁 Summarized by CodeRabbit Free

Your organization is on the Free plan. CodeRabbit will generate a high-level summary and a walkthrough for each pull request. For a comprehensive line-by-line review, please upgrade your subscription to CodeRabbit Pro by visiting https://app.coderabbit.ai/login.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request refactors the isBoundedLocalCommandRoot function to only match the '.outbox' segment, removing the check for 'outbox'. Additionally, a corresponding integration test has been added to verify that local fallback watchers require historical download even for command roots. I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[kjgbot]

Review: Track A hardening follow-up (#82) — re-check of PR #98 findings

This PR is exactly the two non-blocking findings from my PR #98 review, nothing else:

1. isBoundedLocalCommandRoot now accepts dotted .outbox only (src/main/integration-event-bridge.ts:487) — closes the latent hole where a provider history resource literally named outbox (e.g. a mail provider) with history-on would have received a recursive watcher, violating the :479 invariant. ✅
2. New isolated test: downloadHistoricalData: false + /slack/.outbox mount/glob → [] watcher roots — pins the history off-switch independently of the command-root gate. ✅

Verified at head 8f17cf9: full suite 39/39 pass locally; CI checks green, CodeRabbit pass (packaged-mcp-smoke pending at review time). Scope is minimal and conforms to Track A; no behavioral surface beyond the watcher gate.

Verdict

APPROVE — merge when CI completes. Coordination note: #101 touches the same file/test regions; second-to-merge rebases.

[agent-relay-code]

✅ pr-reviewer applied fixes — committed and pushed 7909aed to this PR. The notes below describe what changed.

Reviewed PR #102 and made one small test-only fix: added a regression proving bare /outbox command roots are rejected, which directly covers the predicate change to only allow .outbox.

Validation run:
npm test passed locally: 40 tests, 40 pass.

[kjgbot]

Delta re-check: 8f17cf9 → 7909aed

Verified the delta is test-only: one added test (local fallback watchers reject bare outbox command roots) asserting downloadHistoricalData: true + /slack/outbox mount/glob → [] watcher roots. No production code changed — confirmed by direct range diff. This pins the exact hole the hardening closed (bare outbox no longer counts as a command root even with history on). Independently ran the full suite at 7909aed: 40/40 pass.

Verdict

APPROVE (refreshed at head 7909aed) — merge when CI completes on this head.

[kjgbot]

Clean rebase note before merge: rebased #102 over #100 merge 0c7586c; git range-diff 7909aed^..7909aed 8c6d9bf^..8c6d9bf reports the reviewer-approved diff is patch-identical. Local validation after rebase: bridge test 21/21, full npm test 47/47. Fresh PR CI at 8c6d9bf: checks, packaged-mcp-smoke, and CodeRabbit all green.

[agent-relay-code]

Reviewed PR #102 against .workforce/pr.diff, changed files, and context. I traced the changed .outbox predicate through local mount root selection and the bridge tests. I found no current breakage and made no edits.

Validation run:
npm test passed: 47 tests, 0 failures.

[agent-relay-code]

ℹ️ pr-reviewer: review only — no file changes were applied to the PR (nothing to commit after review). The notes below are advisory and were not pushed.

Reviewed PR #102 against .workforce/pr.diff, changed files, and context. I traced the changed .outbox predicate through local mount root selection and the bridge tests. I found no current breakage and made no edits.

Validation run:
npm test passed: 47 tests, 0 failures.