opensymphony 1.3.3

A Rust implementation of the OpenAI Symphony orchestration design
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235

# Deployment Modes

This document defines the supported deployment shapes for OpenSymphony and clarifies what changes across local and hosted environments.

## 1. Design goal

OpenSymphony should have one execution contract and multiple deployment modes.

Stable contract:

- Symphony orchestration stays in Rust
- OpenHands agent-server is the execution substrate
- operations use REST
- runtime events use WebSocket
- each issue owns a deterministic workspace path
- each issue owns a stable OpenHands conversation by default
- FrankenTUI talks only to the OpenSymphony control plane

The runtime adapter should not need a redesign when moving from local development to hosted execution.

## 2. Mode A: local supervised mode

This is the MVP target.

### Topology

```text
developer machine
  ├─ opensymphony run
  │   ├─ orchestrator
  │   ├─ workspace manager
  │   ├─ linear adapter
  │   ├─ openhands REST + WS client
  │   └─ control-plane API
  └─ supervised subprocess
      └─ python -m openhands.agent_server --host 127.0.0.1 --port <port>
```

### Properties

- one OpenHands server subprocess per daemon process
- one issue workspace directory per active issue
- one `workspace.working_dir` per conversation
- no Docker container per workspace
- host filesystem and host process access are expected
- loopback-only bind is required by default
- launch metadata comes from the pinned `tools/openhands-server/` source bundle,
  which `opensymphony install openhands` materializes into
  `~/.opensymphony/openhands-server`; the runtime does not rely on a globally
  installed `openhands` binary

### Best use case

- easiest self-contained setup for an individual developer
- local experimentation and debugging
- CI smoke tests on trusted repositories

### Security posture

This is a trusted-machine mode. Treat it as process-level isolation, not sandbox isolation.
`opensymphony doctor` repeats that warning during setup and warns when a local
deployment points at a non-loopback OpenHands target.

## 3. Mode B: external local server mode

This mode uses the same Rust runtime adapter but skips local subprocess supervision.

### Topology

```text
developer machine
  ├─ opensymphony run
  └─ external OpenHands agent-server
```

Examples:

- a manually started local server
- a server launched by another supervisor
- a LAN-accessible test server on a trusted network

### Why support it

- simplifies debugging against a hand-managed server
- enables protocol and load tests without daemon-owned lifecycle
- keeps local and remote code paths aligned

### Required behavior

- do not attempt to stop the external server on daemon exit
- still create issue-scoped `working_dir` values
- still apply the same REST plus WebSocket client contract
- allow absolute `http://` or `https://` base URLs with optional path prefixes
- keep authenticated loopback targets in external mode instead of auto-starting the local supervisor
- health probing is allowed, but termination remains a no-op unless the daemon
  owns the launched child process

## 4. Mode C: hosted remote agent-server mode

This is the primary follow-on after the local MVP.

### Topology

```text
developer laptop
  ├─ opensymphony run or thin client
  └─ remote OpenSymphony control plane

server side
  ├─ opensymphony run
  ├─ remote OpenHands agent-server fleet
  ├─ remote workspace isolation layer
  └─ shared observability and auth
```

### Recommended isolation posture

For hosted execution, prefer remote or container-backed workspaces over host-local process execution.

### Why this is different from local mode

Hosted mode has different requirements:

- stronger auth and transport security
- stronger tenant isolation
- predictable workspace lifecycle at scale
- centralized logs and metrics
- organization-managed upgrades and runtime limits

### What remains the same

- issue scheduling rules
- workflow rendering rules
- workspace key derivation
- retry and reconciliation semantics
- REST plus WebSocket transport model
- optional FrankenTUI operator client

## 5. Mode comparison

| Dimension | Local supervised | External local | Hosted remote |
|---|---|---|---|
| Server lifecycle | daemon-owned subprocess | external | platform-owned |
| Bind scope | loopback | local or trusted network | network-exposed |
| Per-issue Docker | not required | not required | likely yes or remote sandbox equivalent |
| Workspace isolation | process-level | depends on server | strong isolation required |
| Auth requirement | optional by default | recommended | mandatory |
| Best for | solo development | debugging and tests | organizational rollout |

## 6. Workspace strategy by mode

## 6.1 Local MVP

Use host directories rooted under the configured workspace root:

```text
<workspace_root>/<sanitized_issue_identifier>/
```

The conversation request sets:

- `workspace.kind` to the pinned local-compatible value
- `workspace.working_dir` to the issue workspace path
- `persistence_dir` to a stable directory inside `.opensymphony/openhands/`

## 6.2 Hosted follow-on

The issue workspace path should remain stable from Symphony's point of view, but the actual backing implementation may be:

- remote container filesystem
- remote VM workspace
- remote managed sandbox API

The orchestrator must treat the workspace path as a logical path contract and avoid baking in local-path assumptions outside the workspace layer.

## 7. Transport and auth by mode

## 7.1 Local supervised

Defaults:

- `http://127.0.0.1:<port>`
- no auth by default
- no TLS by default

## 7.2 External local

Defaults:

- explicit base URL required
- path prefixes supported
- auth configurable
- TLS optional but supported if present
- doctor and the runtime treat authenticated loopback targets as external; unauthenticated path-prefixed loopback targets normalize back to the origin before any managed local supervisor is started

## 7.3 Hosted remote

Requirements:

- TLS required
- `openhands.transport.session_api_key_env` required
- current default auth shape is HTTP header plus WebSocket query-param fallback, with explicit WebSocket header mode available when the pinned server supports it
- version pinning required
- structured audit logging required

The MVP code should already expose the auth configuration hooks needed later.

## 8. What the code should abstract now

The runtime adapter should separate:

- transport config
- server lifecycle ownership
- workspace request shaping
- conversation persistence
- event streaming and recovery
- auth strategy

That makes local and hosted modes configuration changes, not architectural rewrites.

## 9. Recommended roadmap

### Phase 1

Deliver local supervised mode only.

### Phase 2

Support external local server mode for debugging and CI.

### Phase 3

Harden hosted remote mode beyond the current transport/auth support, including stronger workspace isolation and broader hosted-operations concerns.

This sequencing gives the project the fastest path to a working developer-focused MVP while preserving the right long-term boundaries.