Viktor wants a Claude-driven web UI on the agent service to act as a
breakglass: when the devvm is down he can open it, have Claude SSH in to
diagnose/repair, and power-cycle the VM via the Proxmox host if needed.
Grilling settled the design. Recording it now as the design record before
implementation:
- CONTEXT.md: glossary for the breakglass language (breakglass agent,
warm/cold case, forced-command verb, cycle vs reset, forensics).
- ADR 0001: the security architecture — isolated deployment in its own
namespace + narrow Vault policy (the existing claude-agent namespace's
terraform-state policy grants secret/data/* to Bash-wielding agents that
ingest untrusted input, so co-locating root-on-devvm keys would be
exfiltratable); warm-case-only scope (devvm wedged, cluster healthy —
the in-cluster UI can't survive the shared PVE host going down, which
stays the separate cold-path SSH design); and bounded-but-broad host
capability (full sudo on devvm, autonomous forced-command PVE power
verbs, forensics-first).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Multiple agent calls now run concurrently, each in its own isolated git
checkout (local clone of the warm base, hardlinked objects, git-crypt
re-unlocked), so concurrent jobs never share a working tree.
- execution_lock (asyncio.Lock) -> execution_semaphore (default MAX_CONCURRENCY=10);
excess calls queue FIFO instead of 409/503. MAX_QUEUE_DEPTH safety valve.
- /execute never returns 409; jobs go queued -> running. Timeout covers
execution only, not queue wait.
- /v1/chat/completions queues for a slot instead of 503-busy.
- /health: busy = at-capacity, plus active/queued/capacity fields.
- per-job workspace prepare/cleanup under a short git lock; the agent run holds none.
- in-memory job registry evicted past JOB_TTL_SECONDS.
Design: docs/2026-06-02-parallel-execution-design.md
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
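The queueing model the second message describes (semaphore slots instead of a single lock, FIFO queueing with a MAX_QUEUE_DEPTH safety valve, a timeout that covers execution only, and /health reporting busy as at-capacity), as an added Python example that is not the project's code: JobRunner, QueueFull, demo and the gate-based scenario are inventions of this example, and the health dict's shape is an assumption.

```python
"""Bounded-concurrency job runner with a FIFO admission queue.

Added illustration of the queueing model in the commit message above
(semaphore slots, MAX_QUEUE_DEPTH safety valve, execution-only timeout,
/health fields). It is not the project's code; JobRunner, QueueFull and
demo() are names invented for this example.
"""
import asyncio


class QueueFull(Exception):
    """Raised when admitting a job would exceed max_queue_depth."""


class JobRunner:
    def __init__(self, max_concurrency: int = 10, max_queue_depth: int = 100):
        self.capacity = max_concurrency
        self.max_queue_depth = max_queue_depth
        self.active = 0       # jobs holding a slot
        self.queued = 0       # jobs waiting for a slot
        self.order = []       # completion order, to show FIFO admission
        self._slots = asyncio.Semaphore(max_concurrency)

    def health(self) -> dict:
        # busy means "at capacity", not "anything is running"
        return {
            "busy": self.active >= self.capacity,
            "active": self.active,
            "queued": self.queued,
            "capacity": self.capacity,
        }

    async def run(self, name: str, coro_fn, timeout: float):
        # Safety valve: refuse rather than let the queue grow without bound.
        if self.queued >= self.max_queue_depth:
            raise QueueFull(f"{self.queued} jobs already queued")
        self.queued += 1
        try:
            # asyncio.Semaphore wakes waiters in FIFO order; no timeout
            # applies here, so queue wait never counts against the job.
            await self._slots.acquire()
        finally:
            self.queued -= 1
        self.active += 1
        try:
            # The timeout covers execution only.
            result = await asyncio.wait_for(coro_fn(), timeout)
            self.order.append(name)
            return result
        finally:
            self.active -= 1
            self._slots.release()


async def _demo():
    runner = JobRunner(max_concurrency=2, max_queue_depth=2)
    gates = [asyncio.Event() for _ in range(4)]   # constructed scenario
    report = {}

    async def work(i):
        await gates[i].wait()      # hold the slot until the demo opens the gate
        return f"job{i}"

    # Four submissions at once: two run, two queue (FIFO).
    tasks = [
        asyncio.create_task(runner.run(f"job{i}", lambda i=i: work(i),
                                       timeout=1.0 if i < 2 else 0.3))
        for i in range(4)
    ]
    await asyncio.sleep(0)                   # let all four reach the semaphore
    report["at_capacity"] = runner.health()  # 2 active, 2 queued, busy

    # A fifth submission trips the depth valve instead of queueing.
    try:
        await runner.run("job4", lambda: work(0), timeout=1.0)
        report["valve_tripped"] = False
    except QueueFull:
        report["valve_tripped"] = True

    # job2/job3 sit queued longer than their 0.3 s timeout ...
    await asyncio.sleep(0.6)
    for i in range(4):                       # ... then each finishes quickly
        gates[i].set()
        await asyncio.sleep(0.01)
    report["results"] = await asyncio.gather(*tasks)
    report["order"] = list(runner.order)

    # A job whose execution overruns its timeout fails and frees its slot.
    try:
        await runner.run("slow", lambda: asyncio.sleep(10), timeout=0.05)
        report["slow_timed_out"] = False
    except asyncio.TimeoutError:
        report["slow_timed_out"] = True
    report["idle"] = runner.health()
    return report


def demo() -> dict:
    """Synchronous entry point so the scenario can be run or tested directly."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two queued jobs carry a shorter timeout than the time they spend waiting, and still succeed, which is the property the message calls out: the clock starts at slot acquisition, not at submission. The slot release sits in a `finally` so a timed-out or failed job can never leak capacity.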