{"quest":{"id":"q-5570b9a683c6","name":"Analysis Sandboxing","description":"Run all analyses in isolated environments (containers, cgroups, or sandboxed subprocesses) so a runaway analysis cannot corrupt the database, filesystem, or other running services. Each analysis gets its own temp directory, restricted filesystem access, and resource budget. Design for future migration to external container runtimes (Docker, AWS Batch, K8s) while running locally today.","layer":"Forge","priority":90,"status":"active","created_at":"2026-04-03T22:28:49.997411+00:00","updated_at":"2026-04-03T22:28:49.997411+00:00"},"tasks":[{"id":"f1e7a44b4b98","title":"[Forge] Add analysis environment health checks and corruption detection","description":"","status":"open","priority":3,"task_type":"one_shot","frequency":"","assigned_slot":"","started_at":null,"completed_at":null,"updated_at":"2026-04-23T06:51:21.985344+00:00","summary":"","completion_notes":"","last_error":"cli-reopen-manual: reopened — task was marked 'done' but has no task_runs row in (done/completed/success)","time_estimate_hours":0.0,"completion_count":0,"spec_path":"docs/planning/specs/f1e7a44b4b98_forge_add_analysis_environment_health_c_spec.md","provider":"any","payload_json":"{\"requirements\": {\"coding\": 7, \"reasoning\": 7, \"analysis\": 8}}"},{"id":"e49c36408077","title":"[Forge] Implement cgroup-based process isolation for analysis execution","description":"\n\n\n## REOPENED TASK — CRITICAL CONTEXT\n\nThis task was previously marked 'done' but the audit could not verify\nthe work actually landed on main. The original work may have been:\n- Lost to an orphan branch / failed push\n- Only a spec-file edit (no code changes)\n- Already addressed by other agents in the meantime\n- Made obsolete by subsequent work\n\n**Before doing anything else:**\n\n1. **Re-evaluate the task in light of CURRENT main state.** Read the\n   spec and the relevant files on origin/main NOW. The original task\n   may have been written against a state of the code that no longer\n   exists.\n\n2. **Verify the task still advances SciDEX's aims.** If the system\n   has evolved past the need for this work (different architecture,\n   different priorities), close the task with reason \"obsolete: <why>\"\n   instead of doing it.\n\n3. **Check if it's already done.** Run `git log --grep='<task-id>'`\n   and read the related commits. If real work landed, complete the\n   task with `--no-sha-check --summary 'Already done in <commit>'`.\n\n4. **Make sure your changes don't regress recent functionality.** Many\n   agents have been working on this codebase. Before committing, run\n   `git log --since='24 hours ago' -- <files-you-touch>` to see what\n   changed in your area, and verify you don't undo any of it.\n\n5. **Stay scoped.** Only do what this specific task asks for. Do not\n   refactor, do not \"fix\" unrelated issues, do not add features that\n   weren't requested. Scope creep at this point is regression risk.\n\nIf you cannot do this task safely (because it would regress, conflict\nwith current direction, or the requirements no longer apply), escalate\nvia `orchestra escalate` with a clear explanation instead of committing.\n","status":"done","priority":5,"task_type":"one_shot","frequency":"","assigned_slot":"","started_at":null,"completed_at":"2026-04-20T21:56:03.476682+00:00","updated_at":"2026-04-20T21:56:03.476682+00:00","summary":"","completion_notes":"Auto-completed by supervisor after successful deploy to main","last_error":"","time_estimate_hours":0.0,"completion_count":0,"spec_path":"docs/planning/specs/e49c36408077_forge_implement_cgroup_based_process_is_spec.md","provider":"any","payload_json":"{\"requirements\": {\"coding\": 7, \"reasoning\": 6}}"},{"id":"acbc9649372d","title":"[Forge] Create per-analysis temp directories with restricted filesystem access","description":"\n\n\n## REOPENED TASK — CRITICAL CONTEXT\n\nThis task was previously marked 'done' but the audit could not verify\nthe work actually landed on main. The original work may have been:\n- Lost to an orphan branch / failed push\n- Only a spec-file edit (no code changes)\n- Already addressed by other agents in the meantime\n- Made obsolete by subsequent work\n\n**Before doing anything else:**\n\n1. **Re-evaluate the task in light of CURRENT main state.** Read the\n   spec and the relevant files on origin/main NOW. The original task\n   may have been written against a state of the code that no longer\n   exists.\n\n2. **Verify the task still advances SciDEX's aims.** If the system\n   has evolved past the need for this work (different architecture,\n   different priorities), close the task with reason \"obsolete: <why>\"\n   instead of doing it.\n\n3. **Check if it's already done.** Run `git log --grep='<task-id>'`\n   and read the related commits. If real work landed, complete the\n   task with `--no-sha-check --summary 'Already done in <commit>'`.\n\n4. **Make sure your changes don't regress recent functionality.** Many\n   agents have been working on this codebase. Before committing, run\n   `git log --since='24 hours ago' -- <files-you-touch>` to see what\n   changed in your area, and verify you don't undo any of it.\n\n5. **Stay scoped.** Only do what this specific task asks for. Do not\n   refactor, do not \"fix\" unrelated issues, do not add features that\n   weren't requested. Scope creep at this point is regression risk.\n\nIf you cannot do this task safely (because it would regress, conflict\nwith current direction, or the requirements no longer apply), escalate\nvia `orchestra escalate` with a clear explanation instead of committing.\n","status":"done","priority":4,"task_type":"one_shot","frequency":"","assigned_slot":"","started_at":null,"completed_at":"2026-04-20T22:11:12.569360+00:00","updated_at":"2026-04-20T22:11:12.569360+00:00","summary":"","completion_notes":"Auto-completed by supervisor after successful deploy to main","last_error":"","time_estimate_hours":0.0,"completion_count":0,"spec_path":"docs/planning/specs/acbc9649372d_forge_create_per_analysis_temp_director_spec.md","provider":"any","payload_json":"{\"requirements\": {\"coding\": 7, \"reasoning\": 7, \"analysis\": 8}}"},{"id":"603329ebdcb3","title":"[Forge] Design pluggable executor interface for future container/cloud migration","description":"\n\n\n## REOPENED TASK — CRITICAL CONTEXT\n\nThis task was previously marked 'done' but the audit could not verify\nthe work actually landed on main. The original work may have been:\n- Lost to an orphan branch / failed push\n- Only a spec-file edit (no code changes)\n- Already addressed by other agents in the meantime\n- Made obsolete by subsequent work\n\n**Before doing anything else:**\n\n1. **Re-evaluate the task in light of CURRENT main state.** Read the\n   spec and the relevant files on origin/main NOW. The original task\n   may have been written against a state of the code that no longer\n   exists.\n\n2. **Verify the task still advances SciDEX's aims.** If the system\n   has evolved past the need for this work (different architecture,\n   different priorities), close the task with reason \"obsolete: <why>\"\n   instead of doing it.\n\n3. **Check if it's already done.** Run `git log --grep='<task-id>'`\n   and read the related commits. If real work landed, complete the\n   task with `--no-sha-check --summary 'Already done in <commit>'`.\n\n4. **Make sure your changes don't regress recent functionality.** Many\n   agents have been working on this codebase. Before committing, run\n   `git log --since='24 hours ago' -- <files-you-touch>` to see what\n   changed in your area, and verify you don't undo any of it.\n\n5. **Stay scoped.** Only do what this specific task asks for. Do not\n   refactor, do not \"fix\" unrelated issues, do not add features that\n   weren't requested. Scope creep at this point is regression risk.\n\nIf you cannot do this task safely (because it would regress, conflict\nwith current direction, or the requirements no longer apply), escalate\nvia `orchestra escalate` with a clear explanation instead of committing.\n","status":"done","priority":4,"task_type":"one_shot","frequency":"","assigned_slot":"","started_at":null,"completed_at":"2026-04-20T21:37:11.556567+00:00","updated_at":"2026-04-20T21:37:11.556567+00:00","summary":"","completion_notes":"Auto-completed by supervisor after successful deploy to main","last_error":"","time_estimate_hours":0.0,"completion_count":0,"spec_path":"docs/planning/specs/603329ebdcb3_forge_design_pluggable_executor_interfa_spec.md","provider":"any","payload_json":"{\"requirements\": {\"coding\": 8, \"safety\": 9}}"},{"id":"5e9e7f2e18dc","title":"[Forge] Implement conda environment activation for analysis tool execution","description":"\n\n\n## REOPENED TASK — CRITICAL CONTEXT\n\nThis task was previously marked 'done' but the audit could not verify\nthe work actually landed on main. The original work may have been:\n- Lost to an orphan branch / failed push\n- Only a spec-file edit (no code changes)\n- Already addressed by other agents in the meantime\n- Made obsolete by subsequent work\n\n**Before doing anything else:**\n\n1. **Re-evaluate the task in light of CURRENT main state.** Read the\n   spec and the relevant files on origin/main NOW. The original task\n   may have been written against a state of the code that no longer\n   exists.\n\n2. **Verify the task still advances SciDEX's aims.** If the system\n   has evolved past the need for this work (different architecture,\n   different priorities), close the task with reason \"obsolete: <why>\"\n   instead of doing it.\n\n3. **Check if it's already done.** Run `git log --grep='<task-id>'`\n   and read the related commits. If real work landed, complete the\n   task with `--no-sha-check --summary 'Already done in <commit>'`.\n\n4. **Make sure your changes don't regress recent functionality.** Many\n   agents have been working on this codebase. Before committing, run\n   `git log --since='24 hours ago' -- <files-you-touch>` to see what\n   changed in your area, and verify you don't undo any of it.\n\n5. **Stay scoped.** Only do what this specific task asks for. Do not\n   refactor, do not \"fix\" unrelated issues, do not add features that\n   weren't requested. Scope creep at this point is regression risk.\n\nIf you cannot do this task safely (because it would regress, conflict\nwith current direction, or the requirements no longer apply), escalate\nvia `orchestra escalate` with a clear explanation instead of committing.\n","status":"done","priority":3,"task_type":"one_shot","frequency":"","assigned_slot":"","started_at":null,"completed_at":"2026-04-20T22:15:54.510113+00:00","updated_at":"2026-04-20T22:15:54.510113+00:00","summary":"","completion_notes":"Auto-completed by supervisor after successful deploy to main","last_error":"","time_estimate_hours":0.0,"completion_count":0,"spec_path":"docs/planning/specs/5e9e7f2e18dc_forge_implement_conda_environment_activ_spec.md","provider":"any","payload_json":"{\"requirements\": {\"coding\": 7, \"reasoning\": 6}}"}],"reviews":[],"effectiveness":{},"spec_content":"---\ntitle: \"Quest: Analysis Sandboxing\"\ndescription: \"Run all analyses in isolated environments (containers, cgroups, or sandboxed subprocesses) so a runaway analysis cannot corrupt the database, filesystem, or other running services. Each analysis gets \"\ntype: quest\nlayer: Forge\npriority: 90\nstatus: active\nquest_id: q-5570b9a683c6\nspec_path: docs/planning/specs/quest_analysis_sandboxing_spec.md\n---\n\n# Quest: Analysis Sandboxing\n\n**Layer:** Forge\n**Priority:** P90\n**Status:** active\n**Tasks:** 5 total (0 done, 5 open)\n\n## Vision\n\nRun all analyses in isolated environments (containers, cgroups, or sandboxed subprocesses) so a runaway analysis cannot corrupt the database, filesystem, or other running services. Each analysis gets its own temp directory, restricted filesystem access, and resource budget. Design for future migration to external container runtimes (Docker, AWS Batch, K8s) while running locally today.\n\nThe immediate requirement is not heavyweight orchestration. It is reliable,\nnamed execution environments that SciDEX analyses actually use today, with\nauditable runtime selection, tempdir isolation, and explicit DB/provenance\npaths, so single-cell/genomics/data-ML workflows stop conflicting with one\nanother on the shared host.\n\n## Tasks\n\n- [ ] [Forge] Implement cgroup-based process isolation for analysis execution (P5)\n- [ ] [Forge] Create per-analysis temp directories with restricted filesystem access (P4)\n- [ ] [Forge] Design pluggable executor interface for future container/cloud migration (P4)\n- [ ] [Forge] Add analysis environment health checks and corruption detection (P3)\n- [ ] [Forge] Implement conda environment activation for analysis tool execution (P3)\n- [ ] [Forge] Standardize runtime catalog and per-analysis execution logging (P4)\n- [ ] [Forge] Add resumable runtime-backed analysis entrypoints for real-data pipelines (P4)\n\n## Success Criteria\n\n- [ ] All tasks completed and verified\n- [ ] Integration tested end-to-end\n- [ ] Metrics visible on Senate/Quests dashboards\n- [ ] Design supports future scaling to external compute\n- [ ] A representative analysis can be launched in a named Forge runtime and\n  leaves behind execution logs, isolated temp state, and reproducible outputs\n\n## Quality Requirements\n\n> All new analyses must run in named Forge runtimes with visible execution logs. Stub runtimes (named but non-functional) are prohibited. Executor interface must be non-mock — real isolation, real resource limits, auditable temp cleanup.\n\n## Architecture Notes\n\nThis quest is designed with a **local-first, cloud-ready** philosophy:\n- All implementations must work on the current single VM\n- All interfaces must support future migration to containers/cloud\n- Resource limits are configurable, not hardcoded\n- Executor/sandbox abstractions allow swapping implementations\n\n## Work Log\n\n_No entries yet._\n","spec_html":"<div style=\"font-size:0.85rem\"><p style=\"color:#bbb;line-height:1.6;margin:0.4rem 0\"><h2 style=\"color:#4fc3f7;margin:1.5rem 0 0.6rem;font-size:1.2rem;font-weight:700\">Quest: Analysis Sandboxing</h2></p><p style=\"color:#bbb;line-height:1.6;margin:0.4rem 0\"><strong style=\"color:#e0e0e0\">Layer:</strong> Forge\n<strong style=\"color:#e0e0e0\">Priority:</strong> P90\n<strong style=\"color:#e0e0e0\">Status:</strong> active\n<strong style=\"color:#e0e0e0\">Tasks:</strong> 5 total (0 done, 5 open)</p><p style=\"color:#bbb;line-height:1.6;margin:0.4rem 0\"><h3 style=\"color:#4fc3f7;margin:1.4rem 0 0.5rem;font-size:1.1rem;font-weight:700;border-bottom:2px solid rgba(79,195,247,0.3);padding-bottom:0.2rem\">Vision</h3></p><p style=\"color:#bbb;line-height:1.6;margin:0.4rem 0\">Run all analyses in isolated environments (containers, cgroups, or sandboxed subprocesses) so a runaway analysis cannot corrupt the database, filesystem, or other running services. Each analysis gets its own temp directory, restricted filesystem access, and resource budget. Design for future migration to external container runtimes (Docker, AWS Batch, K8s) while running locally today.</p><p style=\"color:#bbb;line-height:1.6;margin:0.4rem 0\">The immediate requirement is not heavyweight orchestration. It is reliable,<br>named execution environments that SciDEX analyses actually use today, with<br>auditable runtime selection, tempdir isolation, and explicit DB/provenance<br>paths, so single-cell/genomics/data-ML workflows stop conflicting with one<br>another on the shared host.</p><p style=\"color:#bbb;line-height:1.6;margin:0.4rem 0\"><h3 style=\"color:#4fc3f7;margin:1.4rem 0 0.5rem;font-size:1.1rem;font-weight:700;border-bottom:2px solid rgba(79,195,247,0.3);padding-bottom:0.2rem\">Tasks</h3></p><p style=\"color:#bbb;line-height:1.6;margin:0.4rem 0\"><div style=\"margin:0.2rem 0;color:#bbb\">&#9744; [Forge] Implement cgroup-based process isolation for analysis execution (P5)</div>\n<div style=\"margin:0.2rem 0;color:#bbb\">&#9744; [Forge] Create per-analysis temp directories with restricted filesystem access (P4)</div>\n<div style=\"margin:0.2rem 0;color:#bbb\">&#9744; [Forge] Design pluggable executor interface for future container/cloud migration (P4)</div>\n<div style=\"margin:0.2rem 0;color:#bbb\">&#9744; [Forge] Add analysis environment health checks and corruption detection (P3)</div>\n<div style=\"margin:0.2rem 0;color:#bbb\">&#9744; [Forge] Implement conda environment activation for analysis tool execution (P3)</div>\n<div style=\"margin:0.2rem 0;color:#bbb\">&#9744; [Forge] Standardize runtime catalog and per-analysis execution logging (P4)</div>\n<div style=\"margin:0.2rem 0;color:#bbb\">&#9744; [Forge] Add resumable runtime-backed analysis entrypoints for real-data pipelines (P4)</div></p><p style=\"color:#bbb;line-height:1.6;margin:0.4rem 0\"><h3 style=\"color:#4fc3f7;margin:1.4rem 0 0.5rem;font-size:1.1rem;font-weight:700;border-bottom:2px solid rgba(79,195,247,0.3);padding-bottom:0.2rem\">Success Criteria</h3></p><p style=\"color:#bbb;line-height:1.6;margin:0.4rem 0\"><div style=\"margin:0.2rem 0;color:#bbb\">&#9744; All tasks completed and verified</div>\n<div style=\"margin:0.2rem 0;color:#bbb\">&#9744; Integration tested end-to-end</div>\n<div style=\"margin:0.2rem 0;color:#bbb\">&#9744; Metrics visible on Senate/Quests dashboards</div>\n<div style=\"margin:0.2rem 0;color:#bbb\">&#9744; Design supports future scaling to external compute</div>\n<div style=\"margin:0.2rem 0;color:#bbb\">&#9744; A representative analysis can be launched in a named Forge runtime and</div>\n  leaves behind execution logs, isolated temp state, and reproducible outputs</p><p style=\"color:#bbb;line-height:1.6;margin:0.4rem 0\"><h3 style=\"color:#4fc3f7;margin:1.4rem 0 0.5rem;font-size:1.1rem;font-weight:700;border-bottom:2px solid rgba(79,195,247,0.3);padding-bottom:0.2rem\">Quality Requirements</h3></p><p style=\"color:#bbb;line-height:1.6;margin:0.4rem 0\">&gt; All new analyses must run in named Forge runtimes with visible execution logs. Stub runtimes (named but non-functional) are prohibited. Executor interface must be non-mock — real isolation, real resource limits, auditable temp cleanup.</p><p style=\"color:#bbb;line-height:1.6;margin:0.4rem 0\"><h3 style=\"color:#4fc3f7;margin:1.4rem 0 0.5rem;font-size:1.1rem;font-weight:700;border-bottom:2px solid rgba(79,195,247,0.3);padding-bottom:0.2rem\">Architecture Notes</h3></p><p style=\"color:#bbb;line-height:1.6;margin:0.4rem 0\">This quest is designed with a <strong style=\"color:#e0e0e0\">local-first, cloud-ready</strong> philosophy:\n<ul style=\"padding-left:1.5rem;margin:0.4rem 0\"><li style=\"margin:0.15rem 0;color:#bbb\">All implementations must work on the current single VM</li>\n<li style=\"margin:0.15rem 0;color:#bbb\">All interfaces must support future migration to containers/cloud</li>\n<li style=\"margin:0.15rem 0;color:#bbb\">Resource limits are configurable, not hardcoded</li>\n<li style=\"margin:0.15rem 0;color:#bbb\">Executor/sandbox abstractions allow swapping implementations</li>\n</ul>\n<h3 style=\"color:#4fc3f7;margin:1.4rem 0 0.5rem;font-size:1.1rem;font-weight:700;border-bottom:2px solid rgba(79,195,247,0.3);padding-bottom:0.2rem\">Work Log</h3></p><p style=\"color:#bbb;line-height:1.6;margin:0.4rem 0\">_No entries yet._<br></p></div>","spec_file":"quest_analysis_sandboxing_spec.md","commits":[{"hash":"59405c7c5","message":"docs: AGENTS.md — document Path A/B/C task completion semantics [task:docs-agents-completion] (#40)","date":"2026-04-25"},{"hash":"e5b5848a0","message":"WIP on orchestra/task/8fcc8dc8-debate-artifact-version-pinning-referenc: 8a24c2fa2 [Senate] Delete broken restore_database.sh (#38)","date":"2026-04-25"},{"hash":"50e5ffcfe","message":"index on orchestra/task/8fcc8dc8-debate-artifact-version-pinning-referenc: 8a24c2fa2 [Senate] Delete broken restore_database.sh (#38)","date":"2026-04-25"},{"hash":"0d37f5fce","message":"untracked files on orchestra/task/8fcc8dc8-debate-artifact-version-pinning-referenc: 8a24c2fa2 [Senate] Delete broken restore_database.sh (#38)","date":"2026-04-25"},{"hash":"48f8d2fe3","message":"feat: surface all five SciDEX layers in nav [task:cba19c94-1724-4d5a-b89d-96c73c25f12a] (#39)","date":"2026-04-25"},{"hash":"1f0e35929","message":"Squash merge: orchestra/task/b1a8e549-cross-cutting-wire-existing-k-dense-skil (2 commits)","date":"2026-04-25"},{"hash":"ddb7db381","message":"[Agora] Wire existing K-Dense-backed tools into debate orchestration [task:b1a8e549-6f31-43c5-80f5-7c4717c267e4]","date":"2026-04-25"},{"hash":"76b71427a","message":"[Agora] Wire existing K-Dense-backed tools into debate orchestration [task:b1a8e549-6f31-43c5-80f5-7c4717c267e4]","date":"2026-04-25"},{"hash":"779e85c3a","message":"[Senate] Verify /resources dashboard complete; check off acceptance criteria [task:82074adc-507f-4e6b-9092-e2ceee79e7d4]","date":"2026-04-25"},{"hash":"4c66a8e09","message":"[Senate] Establish emergency access recovery procedures [task:e643cdd3-afd6-410f-a366-a6297d112127]","date":"2026-04-25"},{"hash":"7265a06b4","message":"Squash merge: orchestra/task/b1a8e549-cross-cutting-wire-existing-k-dense-skil (1 commits)","date":"2026-04-25"},{"hash":"58406ec64","message":"[Atlas] Dashboard artifact type: living web views with data source rendering [task:a17-28-DASH0001]","date":"2026-04-25"},{"hash":"8a24c2fa2","message":"[Senate] Delete broken restore_database.sh (#38)","date":"2026-04-25"},{"hash":"b98a1fa18","message":"[Senate] Delete broken restore_database.sh","date":"2026-04-25"},{"hash":"e846f82ef","message":"[Senate] Refresh BACKUP_RESTORE.md + docs/runbooks/emergency_restore.md (#37)","date":"2026-04-25"},{"hash":"43972a45e","message":"[Senate] Refresh BACKUP_RESTORE.md + docs/runbooks/emergency_restore.md","date":"2026-04-25"},{"hash":"2c7dbfe7f","message":"[Senate] Delete 9 obsolete backup scripts/units (continuation of Phase A-D cleanup) (#36)","date":"2026-04-25"},{"hash":"9743eb298","message":"[Senate] Delete 9 obsolete backup scripts/units (continuation of Phase A-D cleanup)","date":"2026-04-25"},{"hash":"3e72d8383","message":"[Agora] Wire 3 missing tools into debate skill_functions, fix citation persistence bug [task:b1a8e549-6f31-43c5-80f5-7c4717c267e4]","date":"2026-04-25"},{"hash":"4310e9854","message":"[Demo] Work log: figures verified complete — 140/140 analyses covered [task:df201d8f-4b89-4258-9148-eb1028fc1fbd]","date":"2026-04-24"}]}