Codex Mission Control: MCP Server + Next.js Control Plane + Antigravity Integration

This mission delivers a from-scratch Codex Mission Control experience: an MCP server layer plus a Next.js control plane that lets an Antigravity-compatible client inspect repositories, trigger mission workflows, generate PRDs/technical designs, and resume work with preserved execution memory. Execution starts by locking success criteria and a judge-centric demo storyboard (Task 0) so every subsequent decision supports a reliable end-to-end flow. Next, the MCP tool taxonomy is defined (Task 1) with strict schemas and predictable errors to minimize client integration friction. With tools defined, the project’s data model and local persistence are specified (Task 2) to ensure traceability: every mission run, tool call, generated document revision, and memory entry is durable and exportable. Security is treated as a first-class deliverable (Task 3): server-side-only API key usage, redaction policies, and explicit boundaries for filesystem/repository access. Transport and compatibility decisions (Task 4) align the MCP server with Antigravity expectations, including discovery, error semantics, and any streaming requirements. The operational core is a lightweight workflow engine (Task 5) that records run IDs, statuses, logs, and artifacts for replayability. Repository inspection tools (Task 6) are designed with guardrails (repo-root confinement, size limits, caching) so clients can safely query real codebases. On top of that foundation, the OpenAI document pipeline (Task 7) generates PRDs and technical designs with provenance: prompt template versions, model settings, and referenced inputs are stored alongside immutable document revisions. The execution memory system (Task 8) preserves context across sessions with scoping, redaction, and retrieval tools. The Next.js control plane (Task 9) is built around the demo flow: a project can be created, a repo inspected, a mission run initiated, documents generated and reviewed with provenance, and memory browsed to show continuity across sessions. Observability and auditability (Task 10) ensure judge confidence: structured logs, a timeline, and a downloadable demo bundle that contains all artifacts. Finally, the Antigravity integration guide and a deterministic demo script (Task 11) make the project easy to run and evaluate. The mission closes with quality gates (Task 12): schema validation, security checks, caching correctness, and UX polish to ensure the system performs reliably under live judging conditions without exposing secrets or generating direct code for users.

Goal: local-first Next.js Control Plane hosting a local MCP server with tools for repo inspection, mission/task management, doc generation (PRD + Tech Design), workflow execution, and execution-memory persistence; includes Antigravity integration guide and polished demo flow. In-scope: UI (Projects/Missions/Docs/Runs/Settings), MCP tools (project/task/doc/run/context/memory), SQLite persistence, secure OpenAI key handling, traceable/cached doc generation keyed by commit+params. Non-goals: SaaS/multitenant, CI/CD/GitHub App, default shell/code execution, mandatory file editing/PR automation, complex vector stack.

Judge-facing: Antigravity connects and lists tools; create/select project and repo path; repo inspection summary with commit hash + cache status + trace_id; generate PRD and Tech Design with stable IDs and input references; trigger workflow run producing run log + task_plan.json; reconnect and retrieve preserved execution memory; UI shows artifacts/runs with trace IDs. Targets: tool listing p95 200ms; repo inspect p95 1500ms; PRD p95 12s; Tech Design p95 15s; memory get p95 300ms; cache hit >=60% faster. Reliability: >=95% happy-path across 5 runs; 30 min crash-free; missing key returns actionable error while non-LLM tools work. Security: never return API key; refuse LLM tools without key; repo access constrained to project root. Traceability: every artifact includes id/created_at/tool/inputs hash+refs/trace_id/repo_commit_hash; run logs persisted.

6-minute flow: (1) Connect Antigravity to MCP; list tools + server info + key status. (2) Create/select project and attach repo path; confirm root scope. (3) Repo inspect (read-only); show summary JSON, commit hash, cold cache; optionally view in UI. (4) Generate PRD; show doc preview + document_id + trace_id + input refs. (5) Generate Tech Design referencing PRD + repo summary; show architecture/MCP tools/persistence/security/caching + linked metadata. (6) Trigger workflow demo.bootstrap_plan; show status transitions, run log with durations, produced task_plan.json. (7) Reconnect; fetch memory/context; show recent artifacts, key decisions, last run pointers. Fallbacks: stub/cached artifacts on OpenAI failure; reduce depth/use cache if repo scan slow; use UI as secondary invocation path if transport mismatch.

Repository/project introspection with safe local path scoping; task/workflow orchestration with runs/events/status; traceable doc generation (PRD/Tech Design/ADR) with provenance links; execution-context memory + artifacts store; local-first persistence + caching with pagination and stable identifiers; consistent MCP tool naming, schemas, and error shapes.

Tools are side-effect explicit; mutating tools are idempotent via idempotency_key; all entities return stable IDs + created_at/updated_at; cursor pagination with deterministic ordering; typed machine-readable errors with request_id; project path access sandboxed via allowlisted roots.

Artifact artifact:mcp_tool_taxonomy_v1 (application/json). Defines naming conventions (group.action), ID prefixes (proj_/repo_/task_/wf_/run_/doc_/adr_/mem_/art_/evt_), RFC3339 UTC timestamps, schema_versioning in responses. Common types: Envelope {schema_version, request_id, ok, data, error, meta{cursor_next, has_more, warnings}}, ErrorShape {type, message, details, retryable, request_id, status_code}, Pagination {cursor, limit 1-200 default 50, order asc|desc default desc}, Idempotency {idempotency_key required for mutating tools, scope tool|project}. Error catalog includes invalid_request/unauthorized/forbidden/not_found/conflict/rate_limited/timeout/provider_error/io_error/db_error/precondition_failed. Tool groups: project (list/get/create/repo.status/repo.tree/repo.read_file/repo.search), task (list/create/update/workflow.list/run.create/run.get/run.events/run.cancel), docs (list/get/generate/adr.record), context (session.open/memory.put/memory.search/artifact.put/artifact.get/run_context.get). Security: server-side OpenAI key only, allowlisted-root sandboxing with path normalization, secret redaction. Persistence/caching: SQLite entities + file cache; repo tree/file read caching keyed by sha256(path+mtime+size) with TTL and invalidation on dirty/commit change; provenance via run_id + inputs_hash and stored tool invocations/event pointers.

Entities: Project, Repo, Mission, Task, Run, RunEvent, Document, Artifact, MemoryEntry, Embedding. ID format ULID; slugs kebab-case. Document versioning is immutable (new row per regen; latest = max(version) per scope/type). RunEvents support payload offload via dataRef to artifact store.

SQLite at ./.mcp/controlplane.db stores metadata/relationships/state/indexes/provenance pointers. Artifact store at ./.mcp/artifacts/ uses content addressing sha256/<aa>/<hash> with refs like artifact://sha256/<hash>. Writes sandboxed to ./.mcp; repo roots read-only by default.

Deterministic zip: db.sqlite, artifacts/ (referenced only unless --full), index.json (entities + checksums), README.txt, documents/ (materialized latest PRD/TechDesign). Import validates checksums, refuses paths outside .mcp, supports new namespace or merge-by-ulid with dedup by sha256.

Principles: server-side secrets only; least privilege; filesystem sandbox under MCP_ALLOWED_ROOT (normalize/realpath, prevent symlink escape); default-local binding; default-deny network egress; structured redacted logs. Secret handling: env vars only; no DB/artifact/public config storage; server-side OpenAI/VCS calls; sanitize provider errors. Redaction: regex detectors + header allow/deny lists + truncation. MCP non-leak: response redaction filter; schemas avoid secret fields; TRACE_PROMPTS gated and redacted. Auth: default bearer_token_env; optional basic_auth_env and reverse_proxy_trust; no long-lived cookies; future cookie hardening noted. Multi-tenant: v1 single_user_local; project->subdir mapping; future tenant_id + per-tenant roots/keys. Threat focus: filesystem traversal/symlink/secret files; prompt injection; repo exfiltration; mitigations and residual risks documented. Demo notes for judges included.

Structured threat/mitigation/residual-risk set covering: filesystem access (path traversal, symlink escape, sensitive dotfiles, repo hook writes), prompt injection in docs (instructions to reveal secrets/exfiltrate/copy content), and repo content exfiltration (broad reads forwarded to providers, accidental large uploads, unbounded egress).

Validates required/optional secrets and runtime constraints without disclosing values (no values/hashes/prefixes/lengths; no external provider checks unless explicitly configured). Input: scopes [openai|vcs_github|vcs_gitlab|control_plane_auth], strict boolean. Output: ok, checks[] (scope/name/status/reason/remediation), runtime flags (server_side_only_enforced, redaction_enabled, mcp_response_filters_enabled).

Reports configured auth mode and tenant boundary mode without disclosing tokens. Output: mode (none_localhost_only|bearer_token_env|basic_auth_env|reverse_proxy_trust), tenant_boundary (single_user_local|multi_tenant_soft|multi_tenant_hard), notes[].

Primary transport: MCP over stdio (spawned subprocess). Secondary (optional): MCP over HTTP with SSE streaming. Strict JSON Schema for all tools (additionalProperties=false). Streaming supported via progress/log events with guaranteed final non-stream result.

Stdio: set MCP_ALLOWED_ROOT and server-only OPENAI_API_KEY; run `node <entrypoint>` via MCP client; refresh tools; call repo.inspect {repoPath:'.', depth:2} and verify artifactRef; call docs.generate.prd and verify documentId, artifactRef, provenance (runId/sourceRefs). Optional HTTP/SSE: bind localhost, use bearer (or explicit JUDGE_MODE bypass), GET /mcp/manifest, POST /mcp/call, watch /mcp/stream for progress -> terminal result.

Transport: stdio handshake; optional HTTP+SSE. Tool metadata: stable discoverable tool list with input/output schemas. Invocation: schema validation with INVALID_ARGUMENT + validationErrors; mutations accept clientRequestId for dedupe. Streaming: progress/log events with runId; terminal result includes artifact refs. Errors: canonical format with traceId; no secrets; retryable set for transient. Security: sandbox paths under MCP_ALLOWED_ROOT (PathOutsideSandbox), HTTP bearer by default, egress allowlist (EgressBlocked).

Core entities: Run (runId ULID/UUIDv7, missionId/projectId, status, timestamps, planSnapshot/configSnapshot/repoStateSnapshot hashes, promptSnapshotRefs, idempotencyKey/clientRequestId, traceId); Step (stepId, dependsOn, status, determinism fields); RunEvent append-only (types: RUN_CREATED, RUN_STATUS_CHANGED, STEP_STARTED/PROGRESS/COMPLETED, LOG_APPENDED, ARTIFACT_ATTACHED, ERROR_RECORDED; fields include eventId, ts, level, message, dataRef, optional hashPrev); Artifact (name/kind/mimeType/contentRef + provenance). Runner: orchestration-only, records intent/snapshots/events; supports replay via snapshots + CAS refs; optimistic concurrency with version/expectedVersion; strict status transition rules.

Tools (idempotent): runs.start_run (create run with plan/config/repo snapshots, returns runId + snapshot hashes + eventsCursor); runs.update_run_status (run + step updates, expectedVersion, returns version); runs.append_run_log (step-scoped optional, CAS spill for large data, returns eventId/ts/dataRef); runs.attach_artifact (CAS content, provenance links); runs.list_runs (cursor pagination + status filter); runs.get_run (include plan/config/events/artifacts, eventsCursor/eventsLimit). Persistence: tables Run/RunStep/RunEvent/Artifact; RunEvent is append-only and is the audit source of truth; status fields can be derived/updated for fast queries; CAS stores canonical JSON snapshots and large payloads/artifact content by hash.

workflow-runner-v1-spec.json: Tool specs, status transitions, event taxonomy, snapshot requirements, idempotency/concurrency guidance. run-event-taxonomy-v1.json: Canonical RunEvent types/fields; UI timeline guidance and CAS spillover approach.

Tools: repo.register (sandboxed repoId + persisted policy), repo.list_files (allow/deny + pagination + stable cursors + optional stats/hashes), repo.read_file (size/encoding caps + optional base64), repo.search_text (ripgrep-like with caps/timeout/regex safeguards), repo.summarize_structure (tree + highlights, no content reads), repo.compute_stats (counts/top extensions/bytes). Guardrails: allowed-root realpath enforcement, traversal + NUL rejection, symlink-escape prevention, denylist for secrets/heavy dirs, deterministic ordering, additionalProperties=false in schemas.

Goals: avoid repeated directory walks; stay correct under repo changes without git. Keys: RepoSnapshotKey=sha256(realRepoPath+policyHash+snapshotSalt). ListCacheKey/ReadCacheKey/SearchCacheKey derived from snapshot key + op params + fingerprints. Fingerprints: fileFingerprint=sha256(path+size+mtime); dirFingerprint=sha256(dirPath+stable child metadata for first N + childCount + dirMtime); scopeFingerprint=sha256(concat(dirFingerprints)). Storage: in-memory LRU (maxEntries=500, ~32MB, ttl=30s) + disk cache (CAS blobs + SQLite index, ttl=5m, SWR=10m). Rules: never cache large file contents; policy hash invalidates; search caches store limited match snippets only.

Path sandbox: repo must be registered under MCP_ALLOWED_ROOT; normalize repo-relative paths and reject absolute/.. /UNC/NUL; join then realpath and enforce under repo root. Resource limits: per-request time budgets (search ~1500ms; list/summary ~2000ms), file read caps (256KB default; 1MB hard), walk caps (depth/entries/files). Sensitive data: default deny globs for secrets; refused reads for denied paths; search never enumerates/returns denied paths. Output stability: deterministic ordering + stable cursors; strict schemas to reduce injection surface.

Goal: generate PRDs/Tech Designs with traceable provenance and immutable revisions for repeatability, diffing, and audit trails. Steps: resolve context refs (repo/memory/doc/run, capture hashes); assemble prompt from pinned template -> digest; call OpenAI server-only (record model/params); post-process & validate (optionally formatting pass as separate modelCall); persist immutable DocumentRevision with CAS blob refs. Immutability: content and provenance stored as CAS (sha256) and never altered; corrections create new revision with parentRevisionId.

Tools: docs.generate_prd, docs.generate_tech_design, docs.list_documents, docs.get_document, docs.diff_document_versions. Conventions: idempotency via clientRequestId (optionally forceNewRevision); concurrency via expectedDocumentLatestRevisionId returning CONFLICT on mismatch; pagination via stable cursor. get_document supports includeContent/includeProvenance and redactPrompt default true; diff supports unified/summary/json_patch.

Security rules: OpenAI API key server-only and never stored in provenance; prompt redaction by default; repo ingestion uses sandboxed read-only tools with denylist (.env/keys) and size caps; provenance stores model params not credentials/headers; optional secret-scanning heuristics emit warnings. Storage: SQLite metadata tables for Document and DocumentRevision + indexes; CAS artifacts store prompts (redacted optional), content, provenance JSON, optional metadata. Export: zip bundle with sha256 manifest including all referenced artifacts to verify provenance offline.

Entities: Document (metadata, latestRevisionId, status/tags) and DocumentRevision (monotonic index, parentRevisionId, content/provenance artifact IDs + sha256, createdBy, clientRequestId, summary, optional sectionIndex). Provenance schema links template (id/version/digest + rendered prompt artifacts), modelCalls (provider/model/endpoint/params/timestamps), inputs (repo/memory/document/run refs with hashes), and outputs (revision id + artifact list).