Mental Model
Architecture
Understand the runtime control-plane boundary, core crates, provider adapters, sidecars, persistence, events, and recovery model.
Gooselake is a host-side control plane for machine agents. The core architectural decision is that clients talk to the runtime, not directly to provider CLIs or provider SDKs.
flowchart LR
Client[Desktop UI / Web UI / CLI / Ops Console]
API[HTTP + SSE API]
Server[gg-runtime-server]
Core[runtime-core]
Store[(SQLite store)]
Providers[Provider adapters]
Tools[Runtime tools]
Sidecars[Sidecars]
Host[Host filesystem / processes / git worktrees]
Client --> API --> Server --> Core
Core <--> Store
Core --> Providers
Core --> Tools
Providers --> Sidecars
Tools --> Host
Providers --> Host
Sidecars --> Host
The frontend is a remote control. The runtime is the engine room.
Composition root
crates/runtime-server/src/bootstrap.rs wires the runtime together:
- load config and ensure data directories
- bootstrap bearer auth
- initialize SQLite store
- create Codex, Claude, and ACP provider adapters based on config
- stage Codex auth if host auth exists
- build Claude bridge/MCP sidecar configuration
- register enabled providers
- hydrate runtime state and run startup recovery
- create process manager, team comms, worktree service, and tool gateway
- expose everything through
RuntimeAppand Axum routes
The result is a single BootstrappedRuntime containing the app, session manager, auth token, bind address, public base URL, and startup recovery summary.
Crate responsibilities
| Crate | Responsibility |
|---|---|
runtime-core |
Provider trait, provider registry, runtime session manager, event model, shared records, service traits, team comms implementation. |
runtime-server |
Config, bootstrap, HTTP/SSE routes, auth middleware, diagnostics, OpenAPI generation, binary CLI. |
runtime-store-sqlite |
Durable state implementation. |
runtime-provider-codex |
Codex adapter, model catalog, auth status, session/turn execution. |
runtime-provider-claude |
Claude adapter, bridge lifecycle, auth import/status, model catalog, GG MCP injection. |
runtime-provider-acp |
ACP stdio adapter, agent-managed auth status, session/turn mapping. |
runtime-tools |
Process manager, MCP tool gateway, worktree service, team member spawn workflow. |
Runtime data model
Durable runtime records include:
SessionRecordTurnRecordApprovalRecordRuntimeEventRecordTeamRecordTeamMemberRecordTeamMessageRecordTeamDeliveryRecordManagedWorktreeRecordManagedWorktreeClaimRecordProcessRecordTeamOperationJournalRecordTeamOperationDiagnosticRecordCredentialRecord
The runtime keeps provider-native references, but client-facing identity is runtime-owned. For example, SessionRecord.id is the API identity, while provider_session_ref and canonical_provider_session_ref are adapter details.
Session lifecycle
sequenceDiagram
participant Client
participant HTTP as runtime-server HTTP
participant Runtime as RuntimeSessionManager
participant Provider
participant Store as SQLite
participant SSE as SSE consumers
Client->>HTTP: POST /v1/sessions
HTTP->>Runtime: create_session(input)
Runtime->>Provider: create_session(provider request)
Provider-->>Runtime: provider_session_ref
Runtime->>Store: upsert SessionRecord + append session.created
Runtime-->>HTTP: SessionRecord
HTTP-->>Client: JSON
Runtime-->>SSE: runtime event
Client->>HTTP: POST /v1/sessions/:id/turns
HTTP->>Runtime: send_turn(input)
Runtime->>Store: upsert TurnRecord
Runtime->>Provider: send_turn(provider request)
Provider-->>Runtime: ProviderTurnAck
Runtime->>Store: append turn.started
Runtime-->>HTTP: SendTurnAccepted
Runtime-->>SSE: turn/event updates
Terminal turn state is applied centrally. Providers report completed, failed, or interrupted; the runtime updates turn/session records and emits durable events.
Event model
Events are persisted as RuntimeEventRecord and scoped to one of:
sessionteamprocessworktreesystem
Each event has:
- global row ID
- scoped sequence number
- event kind
- criticality (
criticalordroppable) - payload
- optional provider/provider sequence
- optional session/team/turn references
SSE streams are replay-first. Stream handlers subscribe before replay handoff for session/process streams to reduce lost events during reconnect windows.
Cursor behavior:
after_seqquery param takes precedence.- otherwise
Last-Event-IDis used when present. - invalid
Last-Event-IDreturns400. - replay page limits clamp to protect the server.
- keepalive pings are sent every 10 seconds.
Startup recovery
Startup recovery is intentionally part of the runtime, not an operator script.
At boot, the session manager hydrates SQLite state and reconciles:
- sessions that were active before restart
- active turns
- waiting approvals
- provider resume status
- stale active turn pointers
- deferred team deliveries
- previously running process records
Provider health is recorded in the recovery summary. Sessions can be marked failed when provider resume fails or when required provider refs are missing. This is better than silently presenting stale active work to clients.
Providers
Providers are adapters behind one contract.
flowchart TD
Runtime[RuntimeSessionManager]
Trait[RuntimeProvider trait]
Codex[CodexProvider]
Claude[ClaudeProvider]
ACP[AcpProvider]
Runtime --> Trait
Trait --> Codex
Trait --> Claude
Trait --> ACP
The runtime currently supports:
- Codex: host-machine CLI/auth, staged provider home, Codex model catalog.
- Claude: bridge sidecar, host or runtime-managed auth, Claude model catalog, GG MCP injection.
- ACP: configured external stdio agent, agent-managed auth, session-scoped model behavior.
Provider-specific differences should stay inside provider crates unless they are intentional runtime contract changes.
Team communication
Team comms turn multi-agent coordination into runtime state rather than prompt theater.
Core concepts:
- teams have a lead agent and members
- messages can be direct or broadcast
- deliveries are explicit records
- delivery policy controls interruption/defer behavior
- messages can be retried or cancelled
- snapshots combine team, messages, delivery map, and cursors
- team events are replayable and streamable
This makes coordination auditable. Clients can render the state without inventing hidden delivery rules.
Worktrees
The worktree service manages git worktree lifecycle for sessions and spawned teammates.
It records:
- source repo root
- managed worktree root/path
- branch name
- worktree name
- unified workspace path
- deletion policy
- claims by session
Claims are separate from creation. Cleanup respects active claims and deletion policy. Team member removal performs best-effort worktree release/cleanup while preserving the membership removal outcome.
Processes
The process manager provides runtime-owned background process execution:
- command string execution
- optional cwd and timeout
- concurrency limiting
- stdout/stderr log files
- sampled output events
- authoritative log reads
- process status and kill APIs
- startup recovery that marks pre-restart running records failed
Process tools exposed through MCP still call this same runtime process manager, so host process work remains durable and inspectable.
Sidecars
Sidecars are integration boundaries, not separate sources of truth.
- Claude bridge isolates Claude SDK/CLI behavior from the Rust server.
- GG MCP server exposes tools to providers, then calls back into the runtime gateway.
- ACP does not ship a runtime-owned sidecar; the configured ACP command is launched directly over stdio.
For details, see MCP and Sidecars.
API server
crates/runtime-server/src/http/ exposes:
- public health/OpenAPI routes
- protected
/v1routes - bearer auth middleware
- provider/model/auth endpoints
- sessions, turns, approvals
- global/session/team/process event replay and streams
- teams and deliveries
- processes and logs
- worktrees
- diagnostics
- MCP gateway
OpenAPI is generated by source parsing in crates/runtime-server/src/openapi.rs. It is reliable for route/method/content-type coverage but intentionally broad for many JSON object schemas.
Deployment boundary
The deployable product boundary is the release bundle plus durable state root:
release bundle, replaceable:
bin/gg-runtime-server
sidecars/claude-bridge/claude-bridge
sidecars/gg-mcp-server/gg-mcp-server
deploy/systemd/*
durable state, not replaceable:
runtime-server.toml
runtime.env
data.root_dir
generated token file or configured token secret
That split enables staged upgrades and rollback without moving SQLite state, logs, provider directories, or managed worktrees.