Skip to content

Infra: verifier/env reliability fixes + offline reshard override#40

Merged
workofart merged 6 commits into
mainfrom
infra-verifier-env-fixes
Jun 5, 2026
Merged

Infra: verifier/env reliability fixes + offline reshard override#40
workofart merged 6 commits into
mainfrom
infra-verifier-env-fixes

Conversation

@workofart

@workofart workofart commented Jun 5, 2026

Copy link
Copy Markdown
Owner

Summary

Collects the trustworthy infra work off exp-0601 onto a clean branch off main, dropping the auto-generated candidate exp-* commits and the unrelated concurrency bump, and adds two new container-environment fixes. Goal: a stable harness so uv run auto results can be trusted.

Commits

  1. verifier env: share context across exp, route through caches, restore apt-get shim — three separate-verifier fixes squashed: cache the built verifier context across trials; route the verifier container through the apt/pip caches with the agent's retry/timeout policy; and restore the real apt-get on images shipping a hermetic no-op shim (real binary kept at apt-get.real) so offline verifies can install packages the image didn't pre-bake (e.g. git-multibranch's expect). No-op on images without the shim.
  2. env: strip httpx-breaking IPv6 entries from injected no_proxy — OrbStack injects a no_proxy listing its internal IPv6 ULA range (::1, fd07:...::/64); httpx can't parse a bare IPv6 entry and raises InvalidURL at Client() construction, so any task using httpx (e.g. huggingface_hub v1 via datasets) crashes and silently falls back to the offline cache. OrbStack rewrites ~/.docker/config.json on every restart, so a host edit doesn't stick — instead we probe the container's injected no_proxy and pin a cleaned override into the exec env. Best-effort; no-op without IPv6. Refs Fix no_proxy to support IPV6 CIDR format encode/httpx#3741, requests ignores no_proxy which contains a IPv6 CIDR  psf/requests#6313, Orbstack 2.1.2 🔥 bug: HTTP_PROXY env vars injected into containers despite network_proxy: none, breaking any inter-container HTTP(S) on user-defined Docker networks orbstack/orbstack#2449.
  3. supervisor: rerun a fresh baseline when the active one was interrupted — carried over unchanged.
  4. config: document and expand the shared-verifier task list — annotate each entry with why it needs the agent's live container, and add the tasks that fail for the same reasons.
  5. agent: raise default turn timeout to 3600s — the old 600s ceiling truncated long build/verify steps.
  6. exclude reshard-c4-data from the eval panel — remove it from the train panel and add it to a contamination_risk excluded group instead of carrying a local task override. Running it offline (to avoid re-downloading the held-out HF c4 shard every trial) would require an override that commits the canonical solution and verifier oracle into this repo, which the self-improvement loop could read; excluding it removes that risk (the task also exceeds the train task_timeout_sec).

Verification

  • apt shim restore: oracle A/B on git-multibranch (reward 0→1 with only the restore toggled); no regression on regex-log / log-summary-date-ranges; no-op on a non-shim control.
  • no_proxy strip: reproduced the real httpx 0.28.1 crash (InvalidURL: Invalid port: 'b51a:cc66:f0::') on OrbStack's actual injected no_proxy, and confirmed the stripped value lets httpx.Client() construct while preserving every *.orb.internal / host.docker.internal / IPv4 entry.
  • config: HarnessConfig validates (panels/excluded disjoint); tests/adapters/test_env.py + tests/control/test_supervisor.py + tests/harness/ — 167 passed; ruff clean.

workofart added 6 commits June 4, 2026 23:34
… apt-get shim

Three container-environment fixes for the separate verifier, grouped:
- share a built verifier context across runs of the same task to avoid
  rebuilding it every trial
- route the separate-verifier container through the apt/pip caches with the
  same retry/timeout policy the agent container already gets, so a flaky
  mirror cannot stall the grade
- restore the real apt-get on images that ship a hermetic no-op `apt-get`
  shim (keeping the real binary at apt-get.real), so offline verifies can
  install packages the image did not pre-bake (e.g. git-multibranch's
  `expect`). No-op on images without the shim.
OrbStack injects a no_proxy/NO_PROXY into every container that lists its
internal IPv6 ULA range (e.g. ::1, fd07:...::/64). httpx cannot parse a bare
IPv6 entry in no_proxy -- it splits on ':' and reads the address bytes as a
port, raising InvalidURL at Client construction -- so any task that builds an
httpx client (notably huggingface_hub v1.x via datasets) crashes before its
first request and silently falls back to the offline cache. The injection is
regenerated on every OrbStack restart, so a host-side edit does not stick.

Probe the container's injected no_proxy once and pin a cleaned override (IPv6
entries dropped, everything else preserved) into the exec env so every agent
action and the in-container verifier inherit it. Best-effort and a no-op on
hosts that inject no IPv6.

Refs: encode/httpx#3741, psf/requests#6313, orbstack/orbstack#2449
A baseline run killed mid-flight leaves state.json pointing the active
baseline at a record that never finalized as a keep. _ensure_baseline_at_head
trusted that pointer on commit+panels alone, so on restart it short-circuited
(returned False) and let the loop compare candidates against partial, ungraded
evidence instead of measuring a fresh baseline.

Discard a non-keep/unconcluded active baseline before the short-circuit:
finalize the stale record as a crash and fall back to its parent keep (or seed
fresh when there is none), so an interrupted baseline reliably restarts fresh.

Adds a regression test reproducing the short-circuit.
Annotate shared_verifier_task_names with the concrete reason each task needs
to reuse the agent's live container instead of a fresh separate verifier
(running daemon the verifier connects to / build artifacts or installed deps
the agent produced / git over the agent's working tree / local-only image),
and add the tasks that fail for those same reasons: git-multibranch, mailman,
adaptive-rejection-sampler, git-leak-recovery, merge-diff-arc-agi-task,
sanitize-git-repo, reshard-c4-data.
The previous 600s ceiling truncated long-running build/verify steps. Raise the
default per-turn timeout so slow tasks are bounded by the trial budget rather
than cut off mid-action.
Drop reshard-c4-data from the train panel and add it to a contamination_risk
excluded group instead of carrying a local task override for it. Running the
task offline (to avoid re-downloading the held-out HF c4 shard every trial)
would require an override that commits the canonical solution and verifier
oracle into this repo, which the self-improvement loop could read. Excluding
it removes that risk; the task also exceeds the train task_timeout_sec.
@workofart workofart force-pushed the infra-verifier-env-fixes branch from 10cb5c1 to e593dce Compare June 5, 2026 06:38
@workofart workofart merged commit bae8228 into main Jun 5, 2026
@workofart workofart deleted the infra-verifier-env-fixes branch June 5, 2026 06:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant