Skip to content

feat(ai): skip already-shipped agent activity via a local cursor#1261

Draft
amascia-gg wants to merge 2 commits into
mainfrom
amascia/agent-activity-offset
Draft

feat(ai): skip already-shipped agent activity via a local cursor#1261
amascia-gg wants to merge 2 commits into
mainfrom
amascia/agent-activity-offset

Conversation

@amascia-gg

Copy link
Copy Markdown
Member

What

Stacked on #1259. ggshield ai discover --history re-read every agent transcript on each run and re-sent every record (which GitGuardian then re-scans and deduplicates server-side). This adds a local cursor so append-only transcripts only ship records added since the last run.

How

  • A JSON cursor file in the cache dir (agent_activity_cursors.json) holds a per-source line-index high-water mark, keyed scope → agent → source_kind → source_path.
  • Scope = sha256(base_uri + api_key)[:16] — switching instance/credential starts clean; the raw key is never stored.
  • Best-effort / fail-open: a missing, corrupt, or unwritable cursor just causes a full re-scan (the server deduplicates), never incorrect data. Delete the file to force one.
  • A source's mark advances only over the contiguous successfully-ingested prefix; a failed batch freezes its sources so the next run resends the gap rather than skipping past it.
  • Only append-only JSONL transcripts resume (supports_resume=True); database-backed sources (Cursor state.vscdb) keep full re-scan, since rows are edited in place.

Tests

  • New test_cursors.py (store: roundtrip, scope isolation, never-backwards, fail-open load/save) and resume tests in test_sources.py / test_orchestrator.py (advance-on-success, freeze-on-failure-gap, non-resumable-not-tracked, plus a real-chain integration test: Claude source + cursor across two runs ships only the appended line).
  • cursors.py and orchestrator.py at 100% line coverage; 409 AI tests pass.

🤖 Generated with Claude Code

@codecov

codecov Bot commented Jun 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (amascia/agent-activity-metadata@a29f94b). Learn more about missing BASE report.

Additional details and impacted files
@@                        Coverage Diff                         @@
##             amascia/agent-activity-metadata    #1261   +/-   ##
==================================================================
  Coverage                                   ?   93.38%           
==================================================================
  Files                                      ?      190           
  Lines                                      ?    10700           
  Branches                                   ?        0           
==================================================================
  Hits                                       ?     9992           
  Misses                                     ?      708           
  Partials                                   ?        0           
Flag Coverage Δ
unittests 93.38% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Ship full AI-agent session activity to GitGuardian, not just MCP tool calls.
ggshield discovers each agent's on-disk transcripts / databases and sends the
raw records verbatim; GitGuardian scans them and strips secrets server-side
before storing them, so the client stays "dumb" and the data shape never
depends on the ggshield version.

Sources cover Claude Code, Codex, Cursor, Copilot CLI and VSCode (Copilot
Chat). Records are batched (by count and by bytes) and posted to the
agent-activity endpoint; the server deduplicates per record.

Issue: NHI-1628

Co-Authored-By: Paul Beslin <paul.beslin-ext@gitguardian.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@amascia-gg amascia-gg force-pushed the amascia/agent-activity-metadata branch from 44898bb to a29f94b Compare June 3, 2026 08:57
`ggshield ai discover --history` re-read every agent transcript on each run and
re-sent every record (which the server then re-scans and deduplicates). It now
keeps a per-source high-water mark in a JSON cursor file under the cache dir, so
append-only transcripts only ship records added since the last run.

- Cursor is scoped to the (instance, API key) pair; the raw key is never stored.
- Best-effort and fail-open: a missing/corrupt/unwritable cursor just causes a
  full re-scan (the server deduplicates), never incorrect data. Delete the file
  to force one.
- A source's mark only advances over the contiguous successfully-ingested
  prefix; a failed batch freezes its sources so the next run resends the gap.
- Only append-only JSONL transcripts resume; database-backed sources (Cursor)
  keep full re-scan, since rows are edited in place.

Issue: NHI-1628

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@amascia-gg amascia-gg force-pushed the amascia/agent-activity-offset branch from 650e508 to 4ebdff6 Compare June 3, 2026 08:58
@amascia-gg amascia-gg force-pushed the amascia/agent-activity-metadata branch from 1170e1f to 52f4a66 Compare June 3, 2026 20:22
@paulpetit-gg-ext paulpetit-gg-ext force-pushed the amascia/agent-activity-metadata branch 4 times, most recently from e6d19e6 to e3443bb Compare June 16, 2026 07:05
@paulpetit-gg-ext paulpetit-gg-ext force-pushed the amascia/agent-activity-metadata branch 8 times, most recently from f44db2d to 96484ae Compare July 2, 2026 12:30
Base automatically changed from amascia/agent-activity-metadata to main July 2, 2026 12:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant