feat: structured-action requester (CodeWatch button-gated model) #16
scripts/action-request.mjs - the REQUEST side of the broad-capability/button-gated model: posts a typed action intent to the IAK daemon (POST /actions/request) and waits for the receipt. Never runs the prod command itself; the daemon validates against its registry, shows a CodeWatch approval button, verifies the human approval, runs the executor, writes the receipt. Registry: merge_pr, deploy_site, upload_play_internal, install_debug_apk, import_products (Garageland Shopify import, draft-default). Pairs with the daemon-executor (ether's lane) + docs/codewatch-control-plane.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…status ether (PR #16): (1) import_products always returns status=draft - publishing is a separate action so import can't go live; (2) add 'imported' to TERMINAL so the requester stops polling on a daemon 'imported' receipt instead of timing out.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1765e9ecac
| try { | ||
| created = await jsonFetch(reqUrl, { | ||
| method: 'POST', | ||
| headers: { 'Content-Type': 'application/json' }, |
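Review bot: reqUrl on the jsonFetch line is sent the action intent as-is, and nothing in these lines shows it being constrained to the daemon's expected origin. Because this POST names a privileged action (and would carry a bearer token once auth is added to the headers object below it), resolve reqUrl against a fixed or allowlisted daemon base and reject anything else before the fetch, so a mistyped or overridden URL cannot send the intent to another host.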
Send bearer auth to protected daemons
When the IAK daemon is configured with mcp.confirmations.auth_token (the documented protection for its HTTP endpoints), this client always posts with only Content-Type, so an /actions/request route added to the same daemon will be rejected by the listener-level auth check before the request is created; the subsequent polling GET would need the same token as well. Please add a token option/env and send Authorization: Bearer ... for protected daemons.
The request side of the CodeWatch control-plane / button-gated action model (agreed with Petrus + ether, 2026-06-19).
scripts/action-request.mjs posts a typed action intent to the IAK daemon (POST /actions/request) and waits for the receipt. It never runs the privileged command itself — the daemon validates the target against its registry, shows Petrus a CodeWatch approval button, verifies the approval (single-use), runs the registered executor, and writes the receipt. So nothing in ClaudeMB's harness is loosened and no deploy permission is self-granted.
Registry (client-side mirror; daemon re-validates authoritatively):
- merge_pr (allowlisted repos), deploy_site, upload_play_internal, install_debug_apk
- import_products — Shopify catalog import (the Garageland use-case); draft-default, store + token live with the executor.
Pairs with the daemon-executor (ether's lane) and docs/codewatch-control-plane.md. Requester-only; safe to merge independently of the executor (it just 404s until /actions/request is live).
🤖 Generated with Claude Code
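A sketch of the request flow that this description and the review comment above cover, as an added example that is not the PR's scripts/action-request.mjs: the client-side registry check, the bearer token on both the POST and the polling GET, and polling that stops on 'imported'. The receipt path, the response fields, the params.status field, the TERMINAL values other than 'imported', and the names authHeaders, buildRequest, requestAction and fakeDaemon are assumptions.

```javascript
// Added illustration, NOT scripts/action-request.mjs. Response shape, receipt
// path and every TERMINAL value except 'imported' are assumptions.
const REGISTRY = new Set(['merge_pr', 'deploy_site', 'upload_play_internal',
  'install_debug_apk', 'import_products']); // action names from the PR text
const TERMINAL = new Set(['done', 'failed', 'denied', 'imported']);

// One header builder shared by the POST and the polling GET, so a protected
// daemon sees the bearer token on both requests.
function authHeaders(token, extra = {}) {
  return token ? { ...extra, Authorization: `Bearer ${token}` } : { ...extra };
}

// Client-side mirror check only; the daemon re-validates authoritatively.
function buildRequest(base, action, params, token) {
  if (!REGISTRY.has(action)) throw new Error(`unregistered action: ${action}`);
  const body = { action, params: { ...params } };
  if (action === 'import_products') body.params.status = 'draft'; // import never goes live
  const headers = authHeaders(token, { 'Content-Type': 'application/json' });
  return { url: new URL('/actions/request', base).href,
           init: { method: 'POST', headers, body: JSON.stringify(body) } };
}

// fetchJson is injected (hypothetical signature: (url, init) => parsed JSON).
async function requestAction(fetchJson, base, action, params, opts = {}) {
  const { token, maxPolls = 30, delayMs = 1000 } = opts;
  const { url, init } = buildRequest(base, action, params, token);
  let receipt = await fetchJson(url, init);
  for (let i = 0; i < maxPolls && !TERMINAL.has(receipt.status); i++) {
    await new Promise((r) => setTimeout(r, delayMs));
    // Hypothetical receipt path; the page does not give the real one.
    receipt = await fetchJson(`${url}/${encodeURIComponent(receipt.id)}`,
      { headers: authHeaders(token) });
  }
  if (!TERMINAL.has(receipt.status)) throw new Error('timed out waiting for receipt');
  return receipt;
}

// Constructed stand-in for the daemon: 'pending' twice, then 'imported'.
function fakeDaemon() {
  const seen = [], statuses = ['pending', 'pending', 'imported'];
  const fetchJson = async (url, init) => {
    seen.push({ url, auth: init.headers.Authorization });
    return { id: 'r1', status: statuses[Math.min(seen.length - 1, 2)] };
  };
  return { fetchJson, seen };
}
```
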