feat(codemode): add pluggable runtime validators

[mattzcarey]

Summary

• add named, pluggable validators to the runtime-first Codemode API
• let applications validate the exact generated code string before an execution is created or the executor starts
• optionally validate concrete connector calls immediately before real execution
• require explicit { valid: true } / { valid: false } results from configured hooks and fail closed on malformed results or validator failures
• return bounded, attributed diagnostics that models can use to correct generated code

Runtime semantics

• validation is opt-in; runtimes without validators are unchanged
• code validation runs before runtime.begin(), so rejected programs create no execution or side effects
• call validation runs only when the durable runtime returns an execute decision
• applied durable calls replay without revalidation; ephemeral calls validate again before re-execution
• approval-required calls validate after approval and immediately before execution
• required call-validator names are recorded on executions, preventing approval resume from silently dropping policy
• a rejected call marks the durable execution failed before returning the sandbox error, so generated code cannot catch it and continue to later side effects

API

const runtime = createCodemodeRuntime({
  ctx: this.ctx,
  executor,
  connectors,
  validators: [
    {
      name: "organization-policy",
      async validateCode({ code }) {
        const result = await policyEngine.evaluate(code);
        return result.allowed
          ? { valid: true }
          : {
              valid: false,
              issues: [{ code: result.code, message: result.reason }]
            };
      }
    }
  ]
});

Validators can implement validateCode, validateToolCall, or both. A validator that omits a hook does not participate at that validation point.

Verification

• pnpm run build
• pnpm run check — all 104 projects typecheck
• pnpm --filter @cloudflare/codemode test
  • 305 unit tests
  • 44 durable runtime tests
  • 33 browser tests

[changeset-bot]

🦋 Changeset detected

Latest commit: 9cf9a30

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@cloudflare/codemode	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR