Phase 1: Headless/SSH Access #11

New Issue

Closed

opened 2026-03-29 10:32:45 +02:00 by shoko · 15 comments

shoko commented 2026-03-29 10:32:45 +02:00

Owner

Copy Link

Context

Currently, to interact with the agent (assign tasks, monitor progress), a user must:

1. Have physical access to the host machine
2. SSH into the container
3. Open the TUI manually

This works well when the user is at their desk, but breaks down completely when:

• Commuting or traveling
• Working from a different location
• Any scenario without reliable local access to the hardware

Goal

Enable remote agent interaction without requiring physical access to the host.

Proposed Phases

Phase 1: Headless/SSH Access

• Keep agent running as background daemon
• Expose CLI interface over SSH or similar
• Allow task submission via command line

Enables: Remote work via SSH (e.g., ssh user@host "kugetsu assign-task --issue 5")

Phase 2: API Interface

• REST or CLI API for programmatic task assignment
• Status polling endpoints
• Webhook support for notifications

Enables: Scriptable automation, CI integration, remote toolchains

Phase 3: Chat Integration

• Telegram bot (or similar) for natural language interaction
• Submit tasks, check status, receive notifications
• Human-in-the-loop approvals via chat

Enables: True mobile access — interact from any chat app

Phase 4: Web Dashboard (Monitoring)

• Visual task board, agent status, logs
• Read-only dashboards for oversight
• Not for task submission (chat handles that)

Enables: Better visibility without needing to parse logs

Related Issues

• Issue #1: Document Hermes Setup (TUI access is part of current setup)
• Issue #4: Document Hermes Communication Patterns (may inform API design)

Open Questions

1. Which chat protocol should we prioritize first? (Telegram, Discord, Signal, Slack)
2. Should Phase 1 use SSH tunneling, a lightweight daemon, or something else?
3. Authentication strategy for remote access?

## Context Currently, to interact with the agent (assign tasks, monitor progress), a user must: 1. Have physical access to the host machine 2. SSH into the container 3. Open the TUI manually This works well when the user is at their desk, but breaks down completely when: - Commuting or traveling - Working from a different location - Any scenario without reliable local access to the hardware ## Goal Enable remote agent interaction without requiring physical access to the host. ## Proposed Phases ### Phase 1: Headless/SSH Access - [ ] Keep agent running as background daemon - [ ] Expose CLI interface over SSH or similar - [ ] Allow task submission via command line **Enables:** Remote work via SSH (e.g., `ssh user@host "kugetsu assign-task --issue 5"`) ### Phase 2: API Interface - [ ] REST or CLI API for programmatic task assignment - [ ] Status polling endpoints - [ ] Webhook support for notifications **Enables:** Scriptable automation, CI integration, remote toolchains ### Phase 3: Chat Integration - [ ] Telegram bot (or similar) for natural language interaction - [ ] Submit tasks, check status, receive notifications - [ ] Human-in-the-loop approvals via chat **Enables:** True mobile access — interact from any chat app ### Phase 4: Web Dashboard (Monitoring) - [ ] Visual task board, agent status, logs - [ ] Read-only dashboards for oversight - [ ] Not for task submission (chat handles that) **Enables:** Better visibility without needing to parse logs ## Related Issues - Issue #1: Document Hermes Setup (TUI access is part of current setup) - Issue #4: Document Hermes Communication Patterns (may inform API design) ## Open Questions 1. Which chat protocol should we prioritize first? (Telegram, Discord, Signal, Slack) 2. Should Phase 1 use SSH tunneling, a lightweight daemon, or something else? 3. Authentication strategy for remote access?

shoko commented 2026-03-29 11:01:09 +02:00

Author

Owner

Copy Link

Discussion Summary

Current Flow

User accesses agent via incus exec [container] -- bash → opencode TUI → interact → output to Gitea → exit.

This works but requires physical access to host or reliable SSH to host + incus exec.

Proposed Two-Mode Approach

Mode	Use Case	Access Method
Option A (Real-time TUI)	At a proper machine, full control	SSH + tmux/screen attach
Option B (Spawn & forget)	Phone, commuting, long tasks	SSH command + monitor via Gitea

Both needed — different tools for different situations.

Key Requirements

1. Session persistence — opencode must resume after disconnect (Option A)
2. Task discovery — opencode can find work from issues/PRs in the repository
3. Logging — If agent crashes, must be able to trace: which task, what happened, crash logs
4. SSH daemon in container — For safety, SSH should be in container, not on host

Open Questions for Research

1. Does opencode support session resumption after disconnect?
2. How does opencode discover tasks from Gitea issues/PRs?
3. What happens to background opencode if it crashes mid-task?
4. Can SSH daemon run inside incus container?

---

This is a tracking comment for our synchronous discussion.

## Discussion Summary ### Current Flow User accesses agent via `incus exec [container] -- bash` → opencode TUI → interact → output to Gitea → exit. This works but requires physical access to host or reliable SSH to host + incus exec. ### Proposed Two-Mode Approach | Mode | Use Case | Access Method | |------|----------|---------------| | **Option A** (Real-time TUI) | At a proper machine, full control | SSH + tmux/screen attach | | **Option B** (Spawn & forget) | Phone, commuting, long tasks | SSH command + monitor via Gitea | Both needed — different tools for different situations. ### Key Requirements 1. **Session persistence** — opencode must resume after disconnect (Option A) 2. **Task discovery** — opencode can find work from issues/PRs in the repository 3. **Logging** — If agent crashes, must be able to trace: which task, what happened, crash logs 4. **SSH daemon in container** — For safety, SSH should be in container, not on host ### Open Questions for Research 1. Does opencode support session resumption after disconnect? 2. How does opencode discover tasks from Gitea issues/PRs? 3. What happens to background opencode if it crashes mid-task? 4. Can SSH daemon run inside incus container? --- *This is a tracking comment for our synchronous discussion.*

shoko commented 2026-03-29 11:04:14 +02:00

Author

Owner

Copy Link

Research Findings

1. Session Persistence ✅

opencode supports session resumption via:

• opencode run --continue --session <id> — CLI session continuation
• Background TUI sessions via Hermes process() tool with session_id
• Git worktree isolation — session state preserved as branches

Recovery after disconnect: YES, but requires explicit resume — no auto-reconnection.

---

2. Task Discovery ⚠️

No automatic polling mechanism exists. Current model:

Human creates issue → PM Agent detects (when invoked) → proposes plan → Human approves → PM assigns to Coding Agent

Coding agents are assigned by PM, not self-discovering. For Option B ("agent go find work"), we would need to implement a task queue or polling mechanism.

---

3. Background Execution Safety ⚠️

Current state:

• No systemd/daemon infrastructure — agents run as child processes
• Logging is fire-and-forget (tee to files, subprocess capture_output)
• Crash detection: timeout + return codes only
• Missing: structured crash logs, watchdog, auto-restart

For Option B reliability, we need a wrapper with:

• Signal handling (trap)
• Logging to files with rotation
• PID file management
• Restart logic (systemd/supervisord as supervisor)

---

4. SSH in Incus Container ✅

Feasible:

1. Install openssh-server inside container
2. Enable via systemd
3. Use SSH key authentication only (no passwords)
4. Add incus proxy device for external access: incus config device add container sshd_proxy proxy listen=tcp:0.0.0.0:2222 connect=tcp:<container-ip>:22

Alternative: incus file mount (SFTP) for file access without full SSH daemon.

---

Implications for Option A vs Option B

	Option A (Real-time TUI)	Option B (Spawn & forget)
Session resumption	✅ Possible via --continue	✅ Possible (start new session)
Task discovery	✅ Manual issue selection	⚠️ Need to implement polling/queue
Crash handling	User sees failure immediately	Need watchdog + crash logs
SSH needed	✅ Yes	✅ Yes

Proposed Next Steps

1. Phase 1 (Option A first): Add SSH to container, test opencode run --continue for session resumption
2. Phase 1b: Implement watchdog/logging for background tasks (for Option B reliability)
3. Phase 2: Add task polling or queue mechanism for "agent find work" mode

## Research Findings ### 1. Session Persistence ✅ **opencode supports session resumption via:** - `opencode run --continue --session <id>` — CLI session continuation - Background TUI sessions via Hermes `process()` tool with session_id - Git worktree isolation — session state preserved as branches **Recovery after disconnect:** YES, but requires explicit resume — no auto-reconnection. --- ### 2. Task Discovery ⚠️ **No automatic polling mechanism exists.** Current model: ``` Human creates issue → PM Agent detects (when invoked) → proposes plan → Human approves → PM assigns to Coding Agent ``` Coding agents are **assigned by PM**, not self-discovering. For Option B ("agent go find work"), we would need to implement a task queue or polling mechanism. --- ### 3. Background Execution Safety ⚠️ **Current state:** - No systemd/daemon infrastructure — agents run as child processes - Logging is fire-and-forget (tee to files, subprocess capture_output) - Crash detection: timeout + return codes only - **Missing:** structured crash logs, watchdog, auto-restart For Option B reliability, we need a wrapper with: - Signal handling (trap) - Logging to files with rotation - PID file management - Restart logic (systemd/supervisord as supervisor) --- ### 4. SSH in Incus Container ✅ **Feasible:** 1. Install `openssh-server` inside container 2. Enable via systemd 3. Use SSH key authentication only (no passwords) 4. Add incus proxy device for external access: `incus config device add container sshd_proxy proxy listen=tcp:0.0.0.0:2222 connect=tcp:<container-ip>:22` **Alternative:** `incus file mount` (SFTP) for file access without full SSH daemon. --- ## Implications for Option A vs Option B | | Option A (Real-time TUI) | Option B (Spawn & forget) | |--|------------------------|---------------------------| | **Session resumption** | ✅ Possible via --continue | ✅ Possible (start new session) | | **Task discovery** | ✅ Manual issue selection | ⚠️ Need to implement polling/queue | | **Crash handling** | User sees failure immediately | Need watchdog + crash logs | | **SSH needed** | ✅ Yes | ✅ Yes | ## Proposed Next Steps 1. **Phase 1 (Option A first):** Add SSH to container, test `opencode run --continue` for session resumption 2. **Phase 1b:** Implement watchdog/logging for background tasks (for Option B reliability) 3. **Phase 2:** Add task polling or queue mechanism for "agent find work" mode

han commented 2026-03-29 11:42:09 +02:00

Copy Link

Background TUI sessions via Hermes process() tool with session_id

can we assume right now in this phase that we will only use Opencode only? so no Hermes and its tooling. will this change the proposed approach?

Recovery after disconnect: YES, but requires explicit resume — no auto-reconnection.

what do you plan to handle this? maybe user given option to select sessions? if session closed gracefully, it shouldn't appears on the list?

Task Discovery

I think for now, agent can choose whatever issue it want to work on. in the way that, we create a rule or mechanism how to prioritize issue selection. for example through user choice (best). but if user doesn't pick any issue, it prioritizes open PR that last activity is user feedback so best to assume that there is no agent that work on the feedback. next is based on the issues, we choose by impact/severity from critical, to high, medium, lastly low. and then we prioritize security, then bug, then feature, lastly is research. we should document this rule so in case in the fresh install, we always have the exact same issue choice rule.

> Background TUI sessions via Hermes process() tool with session_id can we assume right now in this phase that we will only use Opencode only? so no Hermes and its tooling. will this change the proposed approach? > Recovery after disconnect: YES, but requires explicit resume — no auto-reconnection. what do you plan to handle this? maybe user given option to select sessions? if session closed gracefully, it shouldn't appears on the list? > Task Discovery I think for now, agent can choose whatever issue it want to work on. in the way that, we create a rule or mechanism how to prioritize issue selection. for example through user choice (best). but if user doesn't pick any issue, it prioritizes open PR that last activity is user feedback so best to assume that there is no agent that work on the feedback. next is based on the issues, we choose by impact/severity from critical, to high, medium, lastly low. and then we prioritize security, then bug, then feature, lastly is research. we should document this rule so in case in the fresh install, we always have the exact same issue choice rule.

shoko commented 2026-03-29 11:49:32 +02:00

Author

Owner

Copy Link

Response to Questions

1. OpenCode Only (No Hermes)

Yes, for Phase 1 we should assume OpenCode only — no Hermes, no process() tool. This simplifies things:

• Session management via opencode run --continue --session <id> only
• No background TUI sessions via Hermes
• We need to implement our own session tracking (list active sessions, their workdirs, last activity)

This does not change the overall approach significantly — we just need to build the session management layer ourselves instead of relying on Hermes.

2. Session Resumption UX

Agree with your proposal:

• List active sessions with: opencode sessions list (we implement this)
• User selects session to resume
• Gracefully closed sessions should NOT appear in the list — only interrupted/crashed ones that are recoverable
• Session state stored in ~/.kugetsu/sessions/ with metadata (created_at, last_activity, workdir, status)

3. Task Discovery Rules

Agree with the prioritization:

1. User choice — best, user explicitly picks
2. PRs with user feedback — last activity is user, no agent working
3. Issues by severity — critical > high > medium > low
4. By type — security > bug > feature > research

We should document this as TASK_DISCOVERY_RULES.md in the repo so behavior is consistent across fresh installs.

---

Will post the test plan for session resumption as a separate comment.

## Response to Questions ### 1. OpenCode Only (No Hermes) Yes, for Phase 1 we should assume **OpenCode only** — no Hermes, no `process()` tool. This simplifies things: - Session management via `opencode run --continue --session <id>` only - No background TUI sessions via Hermes - We need to implement our own session tracking (list active sessions, their workdirs, last activity) This **does not change** the overall approach significantly — we just need to build the session management layer ourselves instead of relying on Hermes. ### 2. Session Resumption UX Agree with your proposal: - List active sessions with: `opencode sessions list` (we implement this) - User selects session to resume - **Gracefully closed sessions** should NOT appear in the list — only interrupted/crashed ones that are recoverable - Session state stored in `~/.kugetsu/sessions/` with metadata (created_at, last_activity, workdir, status) ### 3. Task Discovery Rules Agree with the prioritization: 1. **User choice** — best, user explicitly picks 2. **PRs with user feedback** — last activity is user, no agent working 3. **Issues by severity** — critical > high > medium > low 4. **By type** — security > bug > feature > research We should document this as `TASK_DISCOVERY_RULES.md` in the repo so behavior is consistent across fresh installs. --- Will post the test plan for session resumption as a separate comment.

shoko commented 2026-03-29 11:49:58 +02:00

Author

Owner

Copy Link

Test Plan: Session Resumption

Test Cases

TC1: Duplicate Session ID — Two Instances Same Session

Step	Action	Expected	Actual	Status
1	opencode run --session test-1 "echo phase1"	Runs normally, exits	?	?
2	opencode run --session test-1 "echo phase2" (while 1 is running)	Error: session locked	?	?

TC2: Session Lock Handling

Step	Action	Expected	Actual	Status
1	Start opencode run --session test-2 "sleep 30"	Runs, holds lock	?	?
2	In parallel: opencode run --session test-2 "echo hi"	Fails with lock error	?	?
3	Kill first process	Lock released	?	?

TC3: Resume After Graceful Exit

Step	Action	Expected	Actual	Status
1	opencode run --session test-3 "echo done"	Completes, exit 0	?	?
2	opencode run --continue --session test-3	Should NOT appear in recoverable list	?	?

TC4: Resume After Interrupt (Ctrl+C)

Step	Action	Expected	Actual	Status
1	opencode run --session test-4 "sleep 100"	Runs	?	?
2	Send SIGINT	Interrupted	?	?
3	opencode run --continue --session test-4	Resumes from checkpoint	?	?

TC5: Resume After SIGKILL (Hard Kill)

Step	Action	Expected	Actual	Status
1	opencode run --session test-5 "sleep 100"	Runs	?	?
2	kill -9 <pid>	Process killed	?	?
3	opencode run --continue --session test-5	Behavior? (resume or start fresh?)	?	?

TC6: Concurrent Resume Attempts

Step	Action	Expected	Actual	Status
1	Start opencode run --session test-6 "sleep 60", interrupt	Session left in recoverable state	?	?
2	Two parallel opencode run --continue --session test-6	One wins, one gets lock error	?	?

TC7: Session List Filtering

Step	Action	Expected	Actual	Status
1	Create 3 sessions: test-a (complete), test-b (interrupted), test-c (complete)
2	opencode sessions list	Only test-b shown	?	?
3	Resume test-b	Works	?	?
4	List again	test-b gone	?	?

---

Phase 1 Implementation Plan

Goal: Enable SSH access to container + basic session management

1. Add SSH to container

   • Install openssh-server in container
   • Add SSH key authentication
   • Configure incus proxy device

2. Session management layer

   • ~/.kugetsu/sessions/<session_id>/ — store state
   • kugetsu session list — show recoverable sessions
   • kugetsu session resume <id> — resume with opencode
   • Session status: active, interrupted, completed

3. Task discovery

   • Document TASK_DISCOVERY_RULES.md
   • Implement issue/PR polling (simple cron or on-demand)

4. Watchdog for background tasks

   • Wrapper script with signal handling
   • Log rotation
   • PID file management

## Test Plan: Session Resumption ### Test Cases #### TC1: Duplicate Session ID — Two Instances Same Session | Step | Action | Expected | Actual | Status | |------|--------|----------|--------|--------| | 1 | `opencode run --session test-1 "echo phase1"` | Runs normally, exits | ? | ? | | 2 | `opencode run --session test-1 "echo phase2"` (while 1 is running) | Error: session locked | ? | ? | #### TC2: Session Lock Handling | Step | Action | Expected | Actual | Status | |------|--------|----------|--------|--------| | 1 | Start `opencode run --session test-2 "sleep 30"` | Runs, holds lock | ? | ? | | 2 | In parallel: `opencode run --session test-2 "echo hi"` | Fails with lock error | ? | ? | | 3 | Kill first process | Lock released | ? | ? | #### TC3: Resume After Graceful Exit | Step | Action | Expected | Actual | Status | |------|--------|----------|--------|--------| | 1 | `opencode run --session test-3 "echo done"` | Completes, exit 0 | ? | ? | | 2 | `opencode run --continue --session test-3` | Should NOT appear in recoverable list | ? | ? | #### TC4: Resume After Interrupt (Ctrl+C) | Step | Action | Expected | Actual | Status | |------|--------|----------|--------|--------| | 1 | `opencode run --session test-4 "sleep 100"` | Runs | ? | ? | | 2 | Send SIGINT | Interrupted | ? | ? | | 3 | `opencode run --continue --session test-4` | Resumes from checkpoint | ? | ? | #### TC5: Resume After SIGKILL (Hard Kill) | Step | Action | Expected | Actual | Status | |------|--------|----------|--------|--------| | 1 | `opencode run --session test-5 "sleep 100"` | Runs | ? | ? | | 2 | `kill -9 <pid>` | Process killed | ? | ? | | 3 | `opencode run --continue --session test-5` | Behavior? (resume or start fresh?) | ? | ? | #### TC6: Concurrent Resume Attempts | Step | Action | Expected | Actual | Status | |------|--------|----------|--------|--------| | 1 | Start `opencode run --session test-6 "sleep 60"`, interrupt | Session left in recoverable state | ? | ? | | 2 | Two parallel `opencode run --continue --session test-6` | One wins, one gets lock error | ? | ? | #### TC7: Session List Filtering | Step | Action | Expected | Actual | Status | |------|--------|----------|--------|--------| | 1 | Create 3 sessions: test-a (complete), test-b (interrupted), test-c (complete) | | | | | 2 | `opencode sessions list` | Only test-b shown | ? | ? | | 3 | Resume test-b | Works | ? | ? | | 4 | List again | test-b gone | ? | ? | --- ### Phase 1 Implementation Plan **Goal:** Enable SSH access to container + basic session management 1. **Add SSH to container** - Install openssh-server in container - Add SSH key authentication - Configure incus proxy device 2. **Session management layer** - `~/.kugetsu/sessions/<session_id>/` — store state - `kugetsu session list` — show recoverable sessions - `kugetsu session resume <id>` — resume with opencode - Session status: `active`, `interrupted`, `completed` 3. **Task discovery** - Document `TASK_DISCOVERY_RULES.md` - Implement issue/PR polling (simple cron or on-demand) 4. **Watchdog for background tasks** - Wrapper script with signal handling - Log rotation - PID file management

shoko commented 2026-03-29 11:52:14 +02:00

Author

Owner

Copy Link

Session Resumption Test Results

Test Results

TC1: Duplicate Session ID — Two Instances Same Session

Step	Action	Expected	Actual	Status
1	opencode run --session dup-test "sleep 5 && echo done"	Runs normally, exits	Ran normally	✅
2	opencode run --session dup-test "echo second" (while 1 is running)	Error: session locked	Returned exit code 0 (no error shown)	⚠️ UNEXPECTED

Finding: No lock mechanism — both ran with exit 0.

TC2: Session Lock Handling

Step	Action	Expected	Actual	Status
1	opencode run --session tc2a "sleep 30"	Runs, holds lock	Ran, held for 30s	✅
2	opencode run --session tc2a "echo hi" (while tc2a running)	Fails with lock error	Returned exit 0	⚠️ NO LOCK

Finding: No session locking — multiple sessions with same ID can run simultaneously.

TC3: Resume After Graceful Exit

Step	Action	Expected	Actual	Status
1	opencode run --session grace-test "echo graceful"	Completes, exit 0	Completed with exit 0	✅
2	opencode run --continue --session grace-test	Should NOT appear in recoverable list	Error: "You must provide a message or a command"	✅ CORRECT BEHAVIOR

Finding: --continue requires a message — session was not resumable (correct for completed session).

TC4: Resume After SIGINT (Ctrl+C)

Step	Action	Expected	Actual	Status
1	opencode run --session sigint-test "sleep 100"	Runs	Ran in background	✅
2	Send SIGINT	Interrupted	Sent signal	✅
3	opencode run --continue --session sigint-test	Resumes from checkpoint	Error: "You must provide a message or a command"	⚠️ NEEDS TEST

TC5: Resume After SIGKILL (Hard Kill)

Step	Action	Expected	Actual	Status
1	opencode run --session sigkill-test "sleep 30"	Runs	Ran	✅
2	kill -9 <pid>	Process killed	Process killed	✅
3	opencode run --continue --session sigkill-test	Behavior?	Error: "You must provide a message or a command"	⚠️ NEEDS MESSAGE

Finding: --continue always requires a message argument. To resume, you must provide both --continue and a message.

TC6: Concurrent Resume Attempts

Step	Action	Expected	Actual	Status
1	Start opencode run --session tc6 "sleep 60", interrupt	Session left in recoverable state	Interruption worked	✅
2	Two parallel opencode run --continue --session tc6	One wins, one gets lock error	Both returned 0	⚠️ NO LOCK

Finding: No concurrency control on sessions.

TC7: Session List Filtering

Step	Action	Expected	Actual	Status
1	Create sessions: test-a (complete), test-b (interrupted), test-c (complete)
2	opencode session list	Only recoverable sessions shown	All sessions shown (including old ones from 3/27)	⚠️ LISTS ALL
3	List shows worktree sessions from previous days	Sessions not cleaned up	Confirmed	⚠️ NO CLEANUP

Finding: opencode session list shows ALL sessions including completed ones. No automatic cleanup.

---

Key Findings

1. No session locking — multiple runs with same session ID can run concurrently
2. --continue requires message — you must do opencode run --continue --session <id> <message>, not just --continue --session <id>
3. No automatic session cleanup — old sessions persist in list forever
4. Session state is per-worktree — sessions are tied to git worktrees, not global
5. No "recoverable" distinction — all sessions appear in list regardless of state

Implications for Phase 1

We need to implement:

1. Session locking — prevent concurrent access to same session
2. Session state tracking — mark sessions as active, interrupted, completed
3. Automatic cleanup — remove completed sessions from list (or filter them out)
4. Resume wrapper — kugetsu session resume <id> [--last] that handles the message requirement

---

Updated Phase 1 Implementation Plan

1. Add SSH to container (unchanged)
2. Session management layer:
   • ~/.kugetsu/sessions/<session_id>/state — active/interrupted/completed
   • ~/.kugetsu/sessions/<session_id>/lock — PID file for locking
   • kugetsu session list — filter out completed sessions
   • kugetsu session resume <id> — wrapper that does --continue --session <id> -- <last-message>
   • On start: acquire lock, mark active
   • On exit (0): mark completed, release lock
   • On signal: mark interrupted, release lock
3. Task discovery (unchanged)
4. Watchdog (unchanged)

## Session Resumption Test Results ### Test Results #### TC1: Duplicate Session ID — Two Instances Same Session | Step | Action | Expected | Actual | Status | |------|--------|----------|--------|--------| | 1 | `opencode run --session dup-test "sleep 5 && echo done"` | Runs normally, exits | Ran normally | ✅ | | 2 | `opencode run --session dup-test "echo second"` (while 1 is running) | Error: session locked | Returned exit code 0 (no error shown) | ⚠️ UNEXPECTED | **Finding:** No lock mechanism — both ran with exit 0. #### TC2: Session Lock Handling | Step | Action | Expected | Actual | Status | |------|--------|----------|--------|--------| | 1 | `opencode run --session tc2a "sleep 30"` | Runs, holds lock | Ran, held for 30s | ✅ | | 2 | `opencode run --session tc2a "echo hi"` (while tc2a running) | Fails with lock error | Returned exit 0 | ⚠️ NO LOCK | **Finding:** No session locking — multiple sessions with same ID can run simultaneously. #### TC3: Resume After Graceful Exit | Step | Action | Expected | Actual | Status | |------|--------|----------|--------|--------| | 1 | `opencode run --session grace-test "echo graceful"` | Completes, exit 0 | Completed with exit 0 | ✅ | | 2 | `opencode run --continue --session grace-test` | Should NOT appear in recoverable list | Error: "You must provide a message or a command" | ✅ CORRECT BEHAVIOR | **Finding:** `--continue` requires a message — session was not resumable (correct for completed session). #### TC4: Resume After SIGINT (Ctrl+C) | Step | Action | Expected | Actual | Status | |------|--------|----------|--------|--------| | 1 | `opencode run --session sigint-test "sleep 100"` | Runs | Ran in background | ✅ | | 2 | Send SIGINT | Interrupted | Sent signal | ✅ | | 3 | `opencode run --continue --session sigint-test` | Resumes from checkpoint | Error: "You must provide a message or a command" | ⚠️ NEEDS TEST | #### TC5: Resume After SIGKILL (Hard Kill) | Step | Action | Expected | Actual | Status | |------|--------|----------|--------|--------| | 1 | `opencode run --session sigkill-test "sleep 30"` | Runs | Ran | ✅ | | 2 | `kill -9 <pid>` | Process killed | Process killed | ✅ | | 3 | `opencode run --continue --session sigkill-test` | Behavior? | Error: "You must provide a message or a command" | ⚠️ NEEDS MESSAGE | **Finding:** `--continue` always requires a message argument. To resume, you must provide both `--continue` and a message. #### TC6: Concurrent Resume Attempts | Step | Action | Expected | Actual | Status | |------|--------|----------|--------|--------| | 1 | Start `opencode run --session tc6 "sleep 60"`, interrupt | Session left in recoverable state | Interruption worked | ✅ | | 2 | Two parallel `opencode run --continue --session tc6` | One wins, one gets lock error | Both returned 0 | ⚠️ NO LOCK | **Finding:** No concurrency control on sessions. #### TC7: Session List Filtering | Step | Action | Expected | Actual | Status | |------|--------|----------|--------|--------| | 1 | Create sessions: test-a (complete), test-b (interrupted), test-c (complete) | | | | | 2 | `opencode session list` | Only recoverable sessions shown | All sessions shown (including old ones from 3/27) | ⚠️ LISTS ALL | | 3 | List shows worktree sessions from previous days | Sessions not cleaned up | Confirmed | ⚠️ NO CLEANUP | **Finding:** `opencode session list` shows ALL sessions including completed ones. No automatic cleanup. --- ### Key Findings 1. **No session locking** — multiple runs with same session ID can run concurrently 2. **`--continue` requires message** — you must do `opencode run --continue --session <id> <message>`, not just `--continue --session <id>` 3. **No automatic session cleanup** — old sessions persist in list forever 4. **Session state is per-worktree** — sessions are tied to git worktrees, not global 5. **No "recoverable" distinction** — all sessions appear in list regardless of state ### Implications for Phase 1 We need to implement: 1. **Session locking** — prevent concurrent access to same session 2. **Session state tracking** — mark sessions as `active`, `interrupted`, `completed` 3. **Automatic cleanup** — remove completed sessions from list (or filter them out) 4. **Resume wrapper** — `kugetsu session resume <id> [--last]` that handles the message requirement --- ### Updated Phase 1 Implementation Plan 1. **Add SSH to container** (unchanged) 2. **Session management layer**: - `~/.kugetsu/sessions/<session_id>/state` — active/interrupted/completed - `~/.kugetsu/sessions/<session_id>/lock` — PID file for locking - `kugetsu session list` — filter out completed sessions - `kugetsu session resume <id>` — wrapper that does `--continue --session <id> -- <last-message>` - On start: acquire lock, mark active - On exit (0): mark completed, release lock - On signal: mark interrupted, release lock 3. **Task discovery** (unchanged) 4. **Watchdog** (unchanged)

shoko commented 2026-03-29 12:27:47 +02:00

Author

Owner

Copy Link

Implementation Plan: kugetsu Shell Wrapper

Branch

feat/kugetsu-wrapper (new branch from main)

Location

tools/kugetsu/ in repo:

tools/kugetsu/
├── bin/
│   └── kugetsu           # Main wrapper script
├── kugetsu-install.sh    # Installation script
└── README.md             # Documentation (what it is, installs, what without install means)

Installed structure in user home (~/.kugetsu/):

~/.kugetsu/
├── bin/
│   └── kugetsu           # Wrapper (copied from tools/kugetsu/bin/)
├── sessions/
│   └── <session_id>/
│       ├── state         # used|idle|left|invalid
│       ├── message       # last user message (for auto-fill)
│       └── pid           # active process PID
├── config               # (future) config
└── logs/                # (future) session logs

Commands

Command	Description
kugetsu start <session_id> <message>	Start new session, store message, mark used
kugetsu list [--all]	List sessions (default: left only, --all: all states)
kugetsu resume <session_id> [message]	Resume session. Auto-fill message if not provided
kugetsu stop <session_id>	Send SIGTERM to process, mark idle
kugetsu help	Show usage help

State Machine

• start → state=used, store PID, store message
• stop (SIGTERM) → state=idle
• kill/interrupt (detected on check) → state=left
• resume if state=used → prompt confirmation before proceeding

Install Script: tools/kugetsu-install.sh

1. Create ~/.kugetsu/ structure
2. Copy bin/kugetsu to ~/.kugetsu/bin/
3. Add export PATH="$HOME/.kugetsu/bin:$PATH" to .bashrc and .zshrc
4. Make wrapper executable

What Without Install Means

• User must run opencode commands manually with full flags
• No session state tracking, no auto-fill, no filtered list
• Everything still works — wrapper is enhancement, not requirement

Tradeoff vs OpenCode CLI Direct

	OpenCode CLI	kugetsu wrapper
Commands	Long flags	Short, intuitive
Session state	Unknown	Tracked (used/idle/left)
Locking	None	Confirmation on used
Resume message	Must re-type	Auto-filled
Extra dependency	None	Must install

Why Wrapper Is Better for Phase 1

1. Safety — confirmation prevents corrupting sessions when resuming
2. UX — short commands + auto-fill reduce friction for mobile/remote
3. Extensible — future phases (logs, watch, web dashboard) can plug into same structure

---

Ready to implement. Will post implementation details + test results as separate comments.

## Implementation Plan: kugetsu Shell Wrapper ### Branch `feat/kugetsu-wrapper` (new branch from `main`) ### Location `tools/kugetsu/` in repo: ``` tools/kugetsu/ ├── bin/ │ └── kugetsu # Main wrapper script ├── kugetsu-install.sh # Installation script └── README.md # Documentation (what it is, installs, what without install means) ``` Installed structure in user home (`~/.kugetsu/`): ``` ~/.kugetsu/ ├── bin/ │ └── kugetsu # Wrapper (copied from tools/kugetsu/bin/) ├── sessions/ │ └── <session_id>/ │ ├── state # used|idle|left|invalid │ ├── message # last user message (for auto-fill) │ └── pid # active process PID ├── config # (future) config └── logs/ # (future) session logs ``` ### Commands | Command | Description | |---------|-------------| | `kugetsu start <session_id> <message>` | Start new session, store message, mark `used` | | `kugetsu list [--all]` | List sessions (default: `left` only, `--all`: all states) | | `kugetsu resume <session_id> [message]` | Resume session. Auto-fill message if not provided | | `kugetsu stop <session_id>` | Send SIGTERM to process, mark `idle` | | `kugetsu help` | Show usage help | ### State Machine - `start` → state=`used`, store PID, store message - `stop` (SIGTERM) → state=`idle` - `kill/interrupt` (detected on check) → state=`left` - `resume` if state=`used` → prompt confirmation before proceeding ### Install Script: `tools/kugetsu-install.sh` 1. Create `~/.kugetsu/` structure 2. Copy `bin/kugetsu` to `~/.kugetsu/bin/` 3. Add `export PATH="$HOME/.kugetsu/bin:$PATH"` to `.bashrc` and `.zshrc` 4. Make wrapper executable ### What Without Install Means - User must run opencode commands manually with full flags - No session state tracking, no auto-fill, no filtered list - Everything still works — wrapper is enhancement, not requirement ### Tradeoff vs OpenCode CLI Direct | | OpenCode CLI | kugetsu wrapper | |---|---|---| | Commands | Long flags | Short, intuitive | | Session state | Unknown | Tracked (`used`/`idle`/`left`) | | Locking | None | Confirmation on `used` | | Resume message | Must re-type | Auto-filled | | Extra dependency | None | Must install | ### Why Wrapper Is Better for Phase 1 1. **Safety** — confirmation prevents corrupting sessions when resuming 2. **UX** — short commands + auto-fill reduce friction for mobile/remote 3. **Extensible** — future phases (logs, watch, web dashboard) can plug into same structure --- Ready to implement. Will post implementation details + test results as separate comments.

shoko commented 2026-03-29 12:34:03 +02:00

Author

Owner

Copy Link

Updated Implementation Plan: kugetsu as Skill

Branch

feat/kugetsu-wrapper (new branch from main)

Location

skills/kugetsu/ (following skills/opencode-worktree/ pattern):

skills/kugetsu/
├── SKILL.md              # Skill documentation (how to install, how to use)
├── script/
│   ├── kugetsu           # Main wrapper script
│   └── kugetsu-install.sh # Installation script
└── README.md             # (optional) additional docs

How Agents Use It

1. Agent reads skills/kugetsu/SKILL.md
2. Agent self-installs: copies script/kugetsu to own PATH or sources it directly
3. Agent runs: kugetsu start <session> <message>, kugetsu list, kugetsu resume <session>, etc.

Installed Structure (user home)

~/.kugetsu/
├── bin/
│   └── kugetsu           # (copied from script/)
├── sessions/
│   └── <session_id>/
│       ├── state         # used|idle|left|invalid
│       ├── message       # last user message
│       └── pid          # active process PID
├── config               # (future)
└── logs/                # (future)

Commands

Command	Description
kugetsu start <session_id> <message>	Start new session, store message, mark used
kugetsu list [--all]	List sessions (default: left only, --all: all states)
kugetsu resume <session_id> [message]	Resume. Auto-fill message if not provided
kugetsu stop <session_id>	Send SIGTERM to process, mark idle
kugetsu help	Show usage help

State Machine

• start → state=used, store PID, store message
• stop (SIGTERM) → state=idle
• kill/interrupt (detected on check) → state=left
• resume if state=used → prompt confirmation before proceeding
• resume if state=idle → error (not resumable)
• resume if state=left → proceed with auto-filled message

Install Script (kugetsu-install.sh)

For human users (run once when setting up on new host):

1. Create ~/.kugetsu/ structure
2. Copy script/kugetsu to ~/.kugetsu/bin/
3. Add export PATH="$HOME/.kugetsu/bin:$PATH" to .bashrc/.zshrc

What Without Install Means

• User/agent must run opencode commands manually with full flags
• No session state tracking, no auto-fill, no filtered list
• Everything still works — kugetsu is enhancement, not requirement

Agent Self-Installation

Agents reading the SKILL.md will:

1. Learn how kugetsu works
2. Either copy script/kugetsu to their own PATH, or source it when needed
3. Can manage their own sessions independently

---

Ready to implement. Will post implementation details + test results as separate comments.

## Updated Implementation Plan: kugetsu as Skill ### Branch `feat/kugetsu-wrapper` (new branch from `main`) ### Location `skills/kugetsu/` (following `skills/opencode-worktree/` pattern): ``` skills/kugetsu/ ├── SKILL.md # Skill documentation (how to install, how to use) ├── script/ │ ├── kugetsu # Main wrapper script │ └── kugetsu-install.sh # Installation script └── README.md # (optional) additional docs ``` ### How Agents Use It 1. Agent reads `skills/kugetsu/SKILL.md` 2. Agent self-installs: copies `script/kugetsu` to own PATH or sources it directly 3. Agent runs: `kugetsu start <session> <message>`, `kugetsu list`, `kugetsu resume <session>`, etc. ### Installed Structure (user home) ``` ~/.kugetsu/ ├── bin/ │ └── kugetsu # (copied from script/) ├── sessions/ │ └── <session_id>/ │ ├── state # used|idle|left|invalid │ ├── message # last user message │ └── pid # active process PID ├── config # (future) └── logs/ # (future) ``` ### Commands | Command | Description | |---------|-------------| | `kugetsu start <session_id> <message>` | Start new session, store message, mark `used` | | `kugetsu list [--all]` | List sessions (default: `left` only, `--all`: all states) | | `kugetsu resume <session_id> [message]` | Resume. Auto-fill message if not provided | | `kugetsu stop <session_id>` | Send SIGTERM to process, mark `idle` | | `kugetsu help` | Show usage help | ### State Machine - `start` → state=`used`, store PID, store message - `stop` (SIGTERM) → state=`idle` - `kill/interrupt` (detected on check) → state=`left` - `resume` if state=`used` → prompt confirmation before proceeding - `resume` if state=`idle` → error (not resumable) - `resume` if state=`left` → proceed with auto-filled message ### Install Script (`kugetsu-install.sh`) For human users (run once when setting up on new host): 1. Create `~/.kugetsu/` structure 2. Copy `script/kugetsu` to `~/.kugetsu/bin/` 3. Add `export PATH="$HOME/.kugetsu/bin:$PATH"` to `.bashrc`/`.zshrc` ### What Without Install Means - User/agent must run opencode commands manually with full flags - No session state tracking, no auto-fill, no filtered list - Everything still works — kugetsu is enhancement, not requirement ### Agent Self-Installation Agents reading the SKILL.md will: 1. Learn how kugetsu works 2. Either copy `script/kugetsu` to their own PATH, or source it when needed 3. Can manage their own sessions independently --- Ready to implement. Will post implementation details + test results as separate comments.

shoko commented 2026-03-29 12:50:02 +02:00

Author

Owner

Copy Link

Test Report: kugetsu Session Manager

Environment

• opencode v1.3.3
• Platform: linux
• Test date: 2026-03-29

Test Cases & Results

Test	Command	Expected	Actual	Status
Help	kugetsu help	Show usage	Showed usage	✅
List (empty)	kugetsu list	Empty table	Empty table	✅
List (--all empty)	kugetsu list --all	Empty table	Empty table	✅
Start	kugetsu start test "echo hello"	Session created, opencode runs	opencode ran, state=idle	✅
List after start	kugetsu list (default)	Only left sessions	No output (test was idle)	✅
List --all	kugetsu list --all	All states shown	Shows all sessions	✅
Auto-fill	kugetsu resume test-resume (state=left)	Auto-fills stored message	Showed "Auto-filled message: continue this task"	✅
Resume runs opencode	kugetsu resume test-resume	Runs opencode --continue	opencode resumed	✅
State after resume	After graceful exit	state=idle	Gone from default list	✅

Known Issues

1. Signal handling: When opencode process is killed (SIGKILL), kugetsu wrapper may not detect the non-zero exit. This is due to opencode's own signal handling. Workaround: user can manually check session state.

2. Session state after interrupt: Due to opencode's internal handling, interrupted sessions may show as idle instead of left. The check_and_update_state() function relies on PID file + process check.

Manual Test Commands Used

# Start session
bash skills/kugetsu/scripts/kugetsu start test-session "echo hello"

# List all
bash skills/kugetsu/scripts/kugetsu list --all

# List only left
bash skills/kugetsu/scripts/kugetsu list

# Resume with auto-fill
bash skills/kugetsu/scripts/kugetsu resume test-session

# Resume with custom message
bash skills/kugetsu/scripts/kugetsu resume test-session "continue working"

## Test Report: kugetsu Session Manager ### Environment - opencode v1.3.3 - Platform: linux - Test date: 2026-03-29 ### Test Cases & Results | Test | Command | Expected | Actual | Status | |------|---------|----------|--------|--------| | Help | `kugetsu help` | Show usage | Showed usage | ✅ | | List (empty) | `kugetsu list` | Empty table | Empty table | ✅ | | List (--all empty) | `kugetsu list --all` | Empty table | Empty table | ✅ | | Start | `kugetsu start test "echo hello"` | Session created, opencode runs | opencode ran, state=idle | ✅ | | List after start | `kugetsu list` (default) | Only `left` sessions | No output (test was `idle`) | ✅ | | List --all | `kugetsu list --all` | All states shown | Shows all sessions | ✅ | | Auto-fill | `kugetsu resume test-resume` (state=left) | Auto-fills stored message | Showed "Auto-filled message: continue this task" | ✅ | | Resume runs opencode | `kugetsu resume test-resume` | Runs opencode --continue | opencode resumed | ✅ | | State after resume | After graceful exit | state=idle | Gone from default list | ✅ | ### Known Issues 1. **Signal handling**: When opencode process is killed (SIGKILL), kugetsu wrapper may not detect the non-zero exit. This is due to opencode's own signal handling. Workaround: user can manually check session state. 2. **Session state after interrupt**: Due to opencode's internal handling, interrupted sessions may show as `idle` instead of `left`. The `check_and_update_state()` function relies on PID file + process check. ### Manual Test Commands Used ```bash # Start session bash skills/kugetsu/scripts/kugetsu start test-session "echo hello" # List all bash skills/kugetsu/scripts/kugetsu list --all # List only left bash skills/kugetsu/scripts/kugetsu list # Resume with auto-fill bash skills/kugetsu/scripts/kugetsu resume test-session # Resume with custom message bash skills/kugetsu/scripts/kugetsu resume test-session "continue working" ```

shoko referenced this issue from a commit 2026-03-29 12:50:21 +02:00

feat: add kugetsu session manager skill

shoko referenced this issue 2026-03-29 12:50:31 +02:00

feat: add kugetsu session manager skill #12

shoko commented 2026-03-29 14:32:22 +02:00

Author

Owner

Copy Link

Memory Limiting Options for Test Suite

When running the test suite (test-kugetsu.sh) which spawns opencode (TUI) instances, memory exhaustion can occur. Each opencode TUI uses ~600MB-1GB RSS. We evaluated four approaches:

---

Comparison Table

Feature	ulimit -v	cgroups v2	libcgroup	systemd-run
What it limits	Virtual address space	RSS + more	RSS + more	Per-service resource limits
Enforcement	Kernel (via rlimit)	Kernel cgroup	Kernel cgroup via tools	systemd + cgroups
Granularity	Process + children	Process + children	Process + children	Service/scope level
Installation	Built-in to bash	Built-in kernel	dnf install libcgroup	Built-in (systemd)
Root required	No	Yes (usually)	Yes	No (user sessions work)
Reliability	⚠️ Virtual only	✅ Full RSS	✅ Full RSS	✅ Full RSS

---

1. ulimit -v (Virtual Memory)

Installation: Built into bash - no installation needed

Usage: ulimit -v 1572864 (1.5GB virtual)

Pros:

• No installation
• Simple one-liner
• Works for limiting address space

Cons:

• Limits virtual address space, not physical RSS
• May not prevent OOM if virtual/RSS ratio is high
• May cause unexpected failures if limit is too tight

---

2. cgroups v2 (Linux Kernel Built-in)

Installation: Built into kernel

Usage:

echo 1.5G > /sys/fs/cgroup/memory.max

Pros:

• True RSS limiting
• Native kernel feature
• No installation

Cons:

• Requires writing to cgroupfs
• More complex for transient use

---

3. libcgroup (Tools + Kernel)

Installation: dnf install libcgroup-tools

Usage:

cgcreate -g memory:/testlimit
echo 1.5G > /sys/fs/cgroup/memory/testlimit/memory.limit_in_bytes
cgexec -g memory:/testlimit opencode run "task"

Pros:

• Full RSS limiting
• Clean tool interface

Cons:

• Requires installation
• Root privileges needed

---

4. systemd-run (Systemd + cgroups)

Installation: Built into systemd

Usage:

systemd-run --user -p MemoryMax=1536M opencode run "task"

Pros:

• ✅ Uses cgroups v2 under the hood (true RSS limiting)
• ✅ No installation needed
• ✅ Works with --user (no root required)
• ✅ Simple one-liner

Cons:

• Requires systemd (not on all distros)
• Creates transient systemd scope

---

System Status (Fedora 43)

Option	Available?	Installation Needed?
ulimit -v	✅ Yes	No
cgroups v2	✅ Yes (mounted)	No
libcgroup	❌ No	Yes
systemd-run	✅ Yes	No

---

Chosen Approach: systemd-run with ulimit -v fallback

Primary: systemd-run --user -p MemoryMax=1536M <command>

Fallback: ulimit -v 1572864 <command>

Rationale: Layered approach - try modern cgroups-based solution first, graceful degradation to built-in rlimit if unavailable.

## Memory Limiting Options for Test Suite When running the test suite (`test-kugetsu.sh`) which spawns `opencode` (TUI) instances, memory exhaustion can occur. Each opencode TUI uses ~600MB-1GB RSS. We evaluated four approaches: --- ## Comparison Table | Feature | ulimit -v | cgroups v2 | libcgroup | systemd-run | |---------|-----------|------------|-----------|-------------| | **What it limits** | Virtual address space | RSS + more | RSS + more | Per-service resource limits | | **Enforcement** | Kernel (via rlimit) | Kernel cgroup | Kernel cgroup via tools | systemd + cgroups | | **Granularity** | Process + children | Process + children | Process + children | Service/scope level | | **Installation** | Built-in to bash | Built-in kernel | `dnf install libcgroup` | Built-in (systemd) | | **Root required** | No | Yes (usually) | Yes | No (user sessions work) | | **Reliability** | ⚠️ Virtual only | ✅ Full RSS | ✅ Full RSS | ✅ Full RSS | --- ## 1. ulimit -v (Virtual Memory) **Installation**: Built into bash - no installation needed **Usage**: `ulimit -v 1572864` (1.5GB virtual) **Pros**: - No installation - Simple one-liner - Works for limiting address space **Cons**: - Limits **virtual** address space, not physical RSS - May not prevent OOM if virtual/RSS ratio is high - May cause unexpected failures if limit is too tight --- ## 2. cgroups v2 (Linux Kernel Built-in) **Installation**: Built into kernel **Usage**: ```bash echo 1.5G > /sys/fs/cgroup/memory.max ``` **Pros**: - True RSS limiting - Native kernel feature - No installation **Cons**: - Requires writing to cgroupfs - More complex for transient use --- ## 3. libcgroup (Tools + Kernel) **Installation**: `dnf install libcgroup-tools` **Usage**: ```bash cgcreate -g memory:/testlimit echo 1.5G > /sys/fs/cgroup/memory/testlimit/memory.limit_in_bytes cgexec -g memory:/testlimit opencode run "task" ``` **Pros**: - Full RSS limiting - Clean tool interface **Cons**: - **Requires installation** - Root privileges needed --- ## 4. systemd-run (Systemd + cgroups) **Installation**: Built into systemd **Usage**: ```bash systemd-run --user -p MemoryMax=1536M opencode run "task" ``` **Pros**: - ✅ Uses cgroups v2 under the hood (true RSS limiting) - ✅ No installation needed - ✅ Works with `--user` (no root required) - ✅ Simple one-liner **Cons**: - Requires systemd (not on all distros) - Creates transient systemd scope --- ## System Status (Fedora 43) | Option | Available? | Installation Needed? | |--------|-----------|---------------------| | ulimit -v | ✅ Yes | No | | cgroups v2 | ✅ Yes (mounted) | No | | libcgroup | ❌ No | Yes | | systemd-run | ✅ Yes | No | --- ## Chosen Approach: systemd-run with ulimit -v fallback **Primary**: `systemd-run --user -p MemoryMax=1536M <command>` **Fallback**: `ulimit -v 1572864 <command>` **Rationale**: Layered approach - try modern cgroups-based solution first, graceful degradation to built-in rlimit if unavailable.

shoko commented 2026-03-29 14:53:31 +02:00

Author

Owner

Copy Link

Decision: Skip Memory Limiting via ulimit

Date: 2026-03-29

Investigation Findings

We tested four approaches for memory limiting in the test suite:

Approach	Result
ulimit -m (RSS)	Not enforced on kernel
ulimit -v (virtual)	Bun crashes with Illegal instruction
systemd-run --user	Access denied in container
cgroups v2 directly	Container restrictions prevent it

Why ulimit -v Fails with Bun

opencode is built on Bun runtime. When we tested:

ulimit -v 1536
opencode run "echo hello"

Result:

RSS: 1.11GB
panic(main thread): Illegal instruction at address 0x420C304
oh no: Bun has crashed.

Root cause: ulimit -v limits virtual address space, but Bun JIT compiler and memory-mapped regions require more virtual space than physical RSS. When constrained, CPU instruction errors occur (not OOM).

Chosen Approach

Skip memory limiting entirely and rely on:

1. Sequential test execution - tests run one at a time
2. Cleanup between tests - kill opencode processes and free memory
3. Hard cap as no-op - wrapper exists but cannot enforce due to environmental constraints

Rationale

• The hard cap cannot work reliably in this environment
• Sequential + cleanup keeps memory usage controlled in practice
• If OOM occurs, it is a known failure mode to monitor
• Revisit when container/system limitations are resolved

## Decision: Skip Memory Limiting via ulimit **Date:** 2026-03-29 ### Investigation Findings We tested four approaches for memory limiting in the test suite: | Approach | Result | |----------|--------| | ulimit -m (RSS) | Not enforced on kernel | | ulimit -v (virtual) | Bun crashes with Illegal instruction | | systemd-run --user | Access denied in container | | cgroups v2 directly | Container restrictions prevent it | ### Why ulimit -v Fails with Bun opencode is built on Bun runtime. When we tested: ``` ulimit -v 1536 opencode run "echo hello" ``` Result: ``` RSS: 1.11GB panic(main thread): Illegal instruction at address 0x420C304 oh no: Bun has crashed. ``` Root cause: ulimit -v limits virtual address space, but Bun JIT compiler and memory-mapped regions require more virtual space than physical RSS. When constrained, CPU instruction errors occur (not OOM). ### Chosen Approach Skip memory limiting entirely and rely on: 1. Sequential test execution - tests run one at a time 2. Cleanup between tests - kill opencode processes and free memory 3. Hard cap as no-op - wrapper exists but cannot enforce due to environmental constraints ### Rationale - The hard cap cannot work reliably in this environment - Sequential + cleanup keeps memory usage controlled in practice - If OOM occurs, it is a known failure mode to monitor - Revisit when container/system limitations are resolved

shoko commented 2026-03-29 16:50:03 +02:00

Author

Owner

Copy Link

Phase 1 SSH Setup Plan

With kugetsu merged, Phase 1 remaining item is SSH access to the container.

Current State

• kugetsu session manager: ✅ Done
• SSH daemon in container: ⬜ Pending

SSH Setup Implementation Plan

1. Container-Side Setup (inside incus container)

# Install openssh-server
apt-get update && apt-get install -y openssh-server

# Configure SSH
# Disable password auth, enable key-only
sed -i "s/#PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/" /etc/ssh/sshd_config

# Create sshd dir for key auth
mkdir -p ~/.ssh
chmod 700 ~/.ssh

# Start sshd (will be systemd later)
sshd

2. Host-Side Setup (incus proxy device)

# Add proxy device to forward external port to container ssh
incus config device add <container> sshd proxy listen=tcp:0.0.0.0:2222 connect=tcp:127.0.0.1:22

3. Authentication

• SSH key authentication only (no passwords)
• User adds their public key to ~/.ssh/authorized_keys inside container

4. Usage Flow

# Remote user connects
ssh -p 2222 user@<host-ip> "kugetsu list"
ssh -p 2222 user@<host-ip> "kugetsu start mytask fix #1"

# Or spawn and forget
ssh -p 2222 user@<host-ip> "kugetsu start longtask implement feature X && echo done"

5. Documentation

Add to docs/hermes-setup.md:

• How to enable SSH in container
• How to configure incus proxy
• How to add SSH keys
• Usage examples for remote access

Questions for Review

1. Should SSH setup be a script (tools/ssh-setup.sh) or manual steps in docs?
2. Should sshd run via systemd inside container, or via wrapper script?
3. Should we use a dedicated non-root user for SSH, or root with key-only?

---

Status: Ready for implementation once questions are answered.

## Phase 1 SSH Setup Plan With kugetsu merged, Phase 1 remaining item is SSH access to the container. ### Current State - kugetsu session manager: ✅ Done - SSH daemon in container: ⬜ Pending ### SSH Setup Implementation Plan #### 1. Container-Side Setup (inside incus container) ```bash # Install openssh-server apt-get update && apt-get install -y openssh-server # Configure SSH # Disable password auth, enable key-only sed -i "s/#PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/" /etc/ssh/sshd_config # Create sshd dir for key auth mkdir -p ~/.ssh chmod 700 ~/.ssh # Start sshd (will be systemd later) sshd ``` #### 2. Host-Side Setup (incus proxy device) ```bash # Add proxy device to forward external port to container ssh incus config device add <container> sshd proxy listen=tcp:0.0.0.0:2222 connect=tcp:127.0.0.1:22 ``` #### 3. Authentication - SSH key authentication only (no passwords) - User adds their public key to `~/.ssh/authorized_keys` inside container #### 4. Usage Flow ```bash # Remote user connects ssh -p 2222 user@<host-ip> "kugetsu list" ssh -p 2222 user@<host-ip> "kugetsu start mytask fix #1" # Or spawn and forget ssh -p 2222 user@<host-ip> "kugetsu start longtask implement feature X && echo done" ``` #### 5. Documentation Add to `docs/hermes-setup.md`: - How to enable SSH in container - How to configure incus proxy - How to add SSH keys - Usage examples for remote access ### Questions for Review 1. Should SSH setup be a script (`tools/ssh-setup.sh`) or manual steps in docs? 2. Should sshd run via systemd inside container, or via wrapper script? 3. Should we use a dedicated non-root user for SSH, or root with key-only? --- *Status: Ready for implementation once questions are answered.*

shoko referenced this issue 2026-03-29 18:16:10 +02:00

Research: OpenCode Headless CLI Patterns for Agent Orchestration #14

shoko commented 2026-03-29 18:16:40 +02:00

Author

Owner

Copy Link

Research Complete: Issue #14

Deep-dived opencode v1.3.5 headless CLI patterns for programmatic agent orchestration. Key finding: opencode run -s <session-id> --continue is the recommended workflow for CLI-based multi-agent task assignment.

Bottom Line

• opencode run is truly one-shot (prompt -> complete -> exit)
• opencode serve/acp are web UI servers only — no messaging API
• --continue attaches to existing session but each call is still a fresh process
• Sessions persist in SQLite, targeted by auto-generated session ID

Recommended Workflow

Step 1: Start task, capture session ID
SESSION=$(opencode run 'task' --format json | jq -r '.sessionID')

Step 2+: Continue with explicit session ID (no collision risk)
opencode run -s $SESSION --continue 'next task'

Full research: Issue #14

---

This comment was added by Hermes Agent after opencode headless CLI research.

## Research Complete: Issue #14 Deep-dived opencode v1.3.5 headless CLI patterns for programmatic agent orchestration. Key finding: **`opencode run -s <session-id> --continue`** is the recommended workflow for CLI-based multi-agent task assignment. ### Bottom Line - `opencode run` is truly one-shot (prompt -> complete -> exit) - `opencode serve/acp` are web UI servers only — no messaging API - `--continue` attaches to existing session but each call is still a fresh process - Sessions persist in SQLite, targeted by auto-generated session ID ### Recommended Workflow Step 1: Start task, capture session ID SESSION=$(opencode run 'task' --format json | jq -r '.sessionID') Step 2+: Continue with explicit session ID (no collision risk) opencode run -s $SESSION --continue 'next task' Full research: Issue #14 --- *This comment was added by Hermes Agent after opencode headless CLI research.*

shoko referenced a pull request that will close this issue 2026-03-30 05:40:09 +02:00

feat(issue-11): add SSH setup script and remote access documentation #16

shoko commented 2026-03-30 05:49:13 +02:00

Author

Owner

Copy Link

Phase 1 SSH Setup - PR #16

SSH setup for Phase 1 is now ready for review.

What was added

1. sshd-setup.sh (skills/kugetsu/scripts/sshd-setup.sh)

   • Automated SSH setup inside container
   • Checks systemd prerequisite
   • Creates non-root user (configurable via argument, fallback: kugetsu)
   • Configures sshd for key-only authentication
   • Enables passwordless sudo for the user
   • Starts sshd via systemd

2. docs/kugetsu-setup.md

   • Unified setup documentation (container + SSH + kugetsu)
   • Automated setup via script
   • Manual step-by-step instructions
   • Host-side port forwarding and firewall
   • Remote access usage examples

3. SKILL.md updated

   • Added "Remote Access via SSH (Optional)" section
   • Documents sshd-setup.sh usage

Security notes

• Script requires user to run chmod +x explicitly before executing (no hidden executable bits)
• Key-only SSH authentication (no password auth)
• Non-root user with passwordless sudo
• Host-side setup (port forwarding, firewall) remains manual for safety

PR

#16

Testing needed

• Run sshd-setup.sh in container with systemd
• Verify SSH connection from host
• Verify sudo access works

## Phase 1 SSH Setup - PR #16 SSH setup for Phase 1 is now ready for review. ### What was added 1. **sshd-setup.sh** (`skills/kugetsu/scripts/sshd-setup.sh`) - Automated SSH setup inside container - Checks systemd prerequisite - Creates non-root user (configurable via argument, fallback: `kugetsu`) - Configures sshd for key-only authentication - Enables passwordless sudo for the user - Starts sshd via systemd 2. **docs/kugetsu-setup.md** - Unified setup documentation (container + SSH + kugetsu) - Automated setup via script - Manual step-by-step instructions - Host-side port forwarding and firewall - Remote access usage examples 3. **SKILL.md** updated - Added "Remote Access via SSH (Optional)" section - Documents sshd-setup.sh usage ### Security notes - Script requires user to run `chmod +x` explicitly before executing (no hidden executable bits) - Key-only SSH authentication (no password auth) - Non-root user with passwordless sudo - Host-side setup (port forwarding, firewall) remains manual for safety ### PR https://git.fbrns.co/shoko/kugetsu/pulls/16 ### Testing needed - [ ] Run sshd-setup.sh in container with systemd - [ ] Verify SSH connection from host - [ ] Verify sudo access works

shoko referenced this issue 2026-03-30 07:00:32 +02:00

feat(kugetsu): Add Tailscale VPN support for container remote access #17

shoko commented 2026-03-30 07:00:43 +02:00

Author

Owner

Copy Link

Phase 1 Status Update

Phase 1a: SSH Setup ✅

• PR #16: sshd-setup.sh + kugetsu-setup.md
• SSH access via port forwarding from host

Phase 1b: Tailscale VPN (See Issue #17)

For cases where host does not have public IP or user wants easier cross-network access, Tailscale provides:

• No public IP required
• Unique Tailscale IP per container
• Access from anywhere via Tailscale network
• Normal internet still accessible

Issue #17: #17

Implementation planned:

• tailscale-setup.sh script
• Multi-distro support (Debian/Ubuntu, Fedora)
• AUTHKEY or headless login options
• Integration with existing SSH setup

## Phase 1 Status Update ### Phase 1a: SSH Setup ✅ - PR #16: sshd-setup.sh + kugetsu-setup.md - SSH access via port forwarding from host ### Phase 1b: Tailscale VPN (See Issue #17) For cases where host does not have public IP or user wants easier cross-network access, Tailscale provides: - No public IP required - Unique Tailscale IP per container - Access from anywhere via Tailscale network - Normal internet still accessible **Issue #17:** https://git.fbrns.co/shoko/kugetsu/issues/17 Implementation planned: - `tailscale-setup.sh` script - Multi-distro support (Debian/Ubuntu, Fedora) - AUTHKEY or headless login options - Integration with existing SSH setup

shoko closed this issue 2026-03-30 07:03:32 +02:00

shoko changed title from Support remote agent control: headless → API → chat interface to Phase 1: Headless/SSH Access 2026-03-30 07:11:29 +02:00

shoko referenced this issue 2026-03-30 07:11:32 +02:00

Phase 2: API Interface #18

shoko referenced this issue 2026-03-30 07:11:38 +02:00

Phase 3: Chat Integration (Telegram) #19

shoko referenced this issue 2026-03-30 07:11:42 +02:00

Phase 4: Web Dashboard (Monitoring) #20

shoko reopened this issue 2026-03-30 07:12:09 +02:00

shoko referenced this issue 2026-03-30 07:14:39 +02:00

feat(issue-17): add Tailscale VPN setup for container remote access #21

shoko closed this issue 2026-03-30 09:27:47 +02:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/issue-254

fix/issue-252

fix/issue-248

fix/issue-246

fix/issue-165

fix/issue-158

fix/issue-244

fix/issue-121

fix/issue-119

fix/issue-166

fix/issue-229-pr-conflict-check

fix/issue-212

fix/issue-229-user-message-with-base-workflow

fix/issue-229-ensure-session-worktree-bug

fix/issue-168

fix/issue-225-cmd-continue-message-truncation

fix/issue-223-pr-creation-instructions

fix/issue-220-pm-context-enhancement

fix/issue-210-msg-file-race-condition

fix/issue-207-queue-daemon-set-debug-mode

fix/issue-message-encoding

fix/issue-118

fix/issue-daemon-worktree-session-handling

fix/issue-write-index-quoting

fix/issue-cmd-destroy-unbound-var

fix/issue-daemon-worktree-path-fix

fix/issue-syntax-error-372

fix/issue-187-start-forks-agent

fix/issue-185-worktree-wrong-directory

fix/issue-183-destroy-base-requires-target

fix/issue-181-get-repo-url-strips-user-org

fix/issue-179-worktree-path-doubled

fix/issue-176-extract-issue-ref

fix/issue-174-queue-daemon-crashes

fix/issue-172-init-script-wrong-session-ids

fix/issue-170-duplicate-update-queue

fix/issue-167-notification-bash

fix/issue-156-queue-fixes

fix/issue-155-queue-list-json

fix/issue-160-gitea-token-from-pm-agent

fix/issue-156

fix/issue-150

fix/issue-116-modularize-script

fix/issue-120

fix/issue-144-parse-issue-ref-format-v2

fix/issue-queue-daemon-excess-agents

fix/issue-142-process-queue-missing-parens

v0.2.32

v0.2.31

v0.2.30

v0.2.29

v0.2.28

v0.2.27

v0.2.26

v0.2.25

v0.2.24

v0.2.23

v0.2.22

v0.2.21

v0.2.20

v0.2.19

v0.2.18

v0.2.17

v0.2.16

v0.2.15

v0.2.14

v0.2.13

v0.2.12

v0.2.11

v0.2.10

v0.2.9

v0.2.8

v0.2.7

v0.2.6

v0.2.5

v0.2.4

v0.2.3

v0.2.1

v0.1.13

v0.2.0

v0.1.12

v0.1.11

v0.1.10

v0.1.9

v0.1.8

v0.1.7

v0.1.6

v0.1.5

v0.1.4

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

0.2.x-only

Available only in 0.2.x, not backportable

0.3.x-only

Available only in 0.3.x, not backportable

backport

Backport compatible - can merge to 0.1.x

blocked

Issue needs clarification/discussion before it can be worked on

bug

Bug report

critical

Critical - blocking parallel work

feature

New feature

foundation

Foundation work for 0.2.x

high

High priority - workflow improvements

meta

Meta issue tracking multiple issues

need-review

PR needs review before merge

parallelization

Issues related to parallelization

ready

Issue is clear and ready to be implemented/delegated

ready-to-merge

PR approved and ready to merge

task-delegation

Issues related to task-delegation

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

shoko

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: shoko/kugetsu#11