nexo-driver-loop 0.1.9

Goal orchestrator + LlmDecider + Unix socket bridge for the nexo-rs driver subsystem. Phase 67.4.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109

# nexo-driver-loop

The brain of the programmer agent. Owns `DriverOrchestrator`,
the long-running async runtime that drives one `Goal` end-to-end
through Claude Code, gates every tool call through MCP, runs the
acceptance criteria, and emits events that downstream subscribers
(EventForwarder, registry, hooks) consume.

## Where it sits

```
nexo-driver-types       ← contract
   ↑
nexo-driver-claude      ← subprocess + bindings
   ↑
nexo-driver-permission  ← MCP gate
   ↑
nexo-driver-loop        ← THIS crate (orchestrator)
   ↑
nexo-dispatch-tools     ← tool surface for the LLM
   ↑
nexo-core               ← agent runtime
   ↑
src/main.rs             ← boot wiring
```

## Public surface (`DriverOrchestrator`)

### Construction

`DriverOrchestrator::builder()` — typed builder that requires
`claude_config`, `binding_store`, `decider`, `workspace_manager`,
`bin_path`, `socket_path` and accepts optional `acceptance`,
`event_sink`, `replay_policy`, `compact_policy`,
`compact_context_window`, `progress_every_turns`, `cancel_root`.

`build()` binds the Unix socket the MCP bin connects to (Phase
67.3) and returns the orchestrator.

### Per-goal lifecycle

| Method | Behaviour |
|---|---|
| `spawn_goal(self: Arc<Self>, goal) -> JoinHandle` | Phase 67.C.1 — fire-and-forget. The runner registers per-goal cancel + pause tokens, walks the loop, persists bindings, drains events. |
| `run_goal(&self, goal)` | The actual loop. Used by tests; production goes through `spawn_goal`. |
| `cancel_goal(GoalId)` / `is_cancelled(GoalId)` | Phase 67.G.2 — child token signals the loop to exit at the next safe point. |
| `pause_goal(GoalId)` / `resume_goal(GoalId)` / `is_paused(GoalId)` | Phase 67.C.2 — hold the loop between turns without killing the in-flight Claude turn. |
| `pre_register_goal(GoalId)` | B11 — wires cancel + pause tokens before `run_goal` starts so reattach paths can target them. |
| `interrupt_goal(GoalId, message)` | New — push an operator note that the next turn's Claude prompt sees as `[OPERATOR INTERRUPT]`. FIFO across multiple pushes. |
| `set_goal_max_turns(GoalId, new_max)` | B2 — only-grow override of the live budget. Other axes stay at the original goal's `BudgetGuards`. |
| `shutdown(self)` | Cancel root, drain socket server, await tasks. |

### Per-goal state (DashMap'd)

- `pause_signals: DashMap<GoalId, watch::Sender<bool>>`
- `cancel_tokens: DashMap<GoalId, CancellationToken>`
- `budget_overrides: DashMap<GoalId, BudgetGuards>`
- `pending_interrupts: DashMap<GoalId, VecDeque<String>>`

All four are wiped at goal exit — no leaks.

## The loop in one screen

```
loop {
    drain pause signal — block while paused
    if cancel_root or per-goal cancel → break
    if budget exhausted (with B2 override) → break
    publish AttemptStarted
    build extras: prior_failures + budget_meta + operator_messages
    checkpoint pre-attempt (Phase 67.6 git worktree)
    result = run_attempt(ctx, params)  // see attempt.rs
    publish AttemptCompleted
    if last_was_compact → continue (compact turn doesn't bump turn_index)
    apply diff_stat to extras
    every N turns → publish Progress (Phase 67.C.1)
    classify outcome via replay policy:
      Done → break
      NeedsRetry → feed failures into next prompt, continue
      Continue/Escalate → ask replay-policy: FreshSessionRetry /
                          NextTurn / Escalate
    classify with compact-policy: schedule /compact for next turn
}
```

`attempt.rs` does the actual `spawn_turn` plumbing: builds the
`ClaudeCommand`, drains events, handles `compact_turn` /
`operator_messages` extras, persists the binding with origin +
dispatcher (B1), runs the acceptance evaluator on Claude-claimed
done.

## Subsidiary subsystems in this crate

| Module | Phase | Purpose |
|---|---|---|
| `events` || `DriverEvent` enum + `DriverEventSink` trait. NATS subjects: `agent.driver.{goal,attempt}.{started,completed}`, `decision`, `acceptance`, `budget.exhausted`, `escalate`, `replay`, `compact`, `progress`. `NoopEventSink` for tests; `NatsEventSink` is the production wire. |
| `replay` | 67.8 | `ReplayPolicy` trait + `DefaultReplayPolicy`. Classifies mid-turn errors as `FreshSessionRetry` / `NextTurn` / `Escalate`. Reads recent `Decision` rows for deny-shortcut grounding. |
| `compact` | 67.9 | `CompactPolicy` trait + `DefaultCompactPolicy`. Schedules `/compact <focus>` slash commands when token pressure crosses threshold. |
| `acceptance` | 67.5 | `AcceptanceEvaluator` trait + `DefaultAcceptanceEvaluator`. Runs `Shell` / `FileMatch` / `Custom` criteria post-Claude-claimed-done. Two built-in custom verifiers: `no_paths_touched`, `git_clean`. |
| `workspace` | 67.6 | `WorkspaceManager` — git-worktree-per-goal sandbox. Per-turn checkpoints + rollback. |
| `socket` | 67.3 | `DriverSocketServer` — Unix socket the MCP bin in `nexo-driver-permission` connects to. |
| `mcp_config` | 67.3 | Writes the per-goal MCP config JSON Claude reads. |
| `config` | 67.4 | YAML schema (`DriverConfig`). |
| `bin/nexo_driver.rs` || Standalone `nexo-driver` CLI. `run <goal-yaml>`, `list-active`, `list-worktrees`, `rollback`. The agent-bin (`nexo-rs`) calls into this crate directly via `boot_dispatch_ctx_if_enabled`. |

## See also

- `architecture/project-tracker.md` — programmer agent overview.
- `architecture/driver-subsystem.md` — full Phase 67 walkthrough.