v0.4.0: self-build safety — REPL TDD + literate prose

RED proofs (pre-v0.4.0):
- dispatcher-check-secret-path 'core-loop-reason.org' → NIL (unprotected)
- dispatcher-check-core-path function does not exist
- Write to core file passes through gate unchanged
- test-self-build-core-protection does not exist
- Dispatcher suite: 19/0

GREEN proofs (v0.4.0):
- dispatcher-check-core-path: T for core-*.org/lisp, NIL for others
- SELF_BUILD_MODE=true: core write → :approval-required Flight Plan
- SELF_BUILD_MODE=false (default): writes pass through
- Dispatcher suite: 24/0 (new test-self-build-core-protection)

Prose:
- New 'Self-Build Safety Boundary' section: explains thin harness/fat
  skills corollary, regex-based core-* detection, Flight Plan vs LOG
  blocking, SELF_BUILD_MODE env var semantics.
2026-05-06 19:42:08 -04:00
parent 55e27f5194
commit 0e8ba36ddb
@@ -159,6 +159,19 @@ Destructive and injection patterns that are blocked in shell commands. Covers ~r
(cl-ppcre:scan regex path)))
#+end_src
** Self-Build Safety Boundary (v0.4.0)
The Dispatcher now protects the core pipeline from unapproved modification. This is the operational realization of "thin harness, fat skills" — the harness is thin enough for a human to audit, and the Dispatcher ensures it stays that way.
The ~core-*~ files implement the Perceive-Reason-Act cycle, the Merkle-tree memory, the skill engine loader, and the Dispatcher gate stack itself. If the agent (or a hallucination) modifies these files, the agent loses its ability to reason about and fix the corruption. The Dispatcher blocks any file write or shell command targeting ~core-*.org~ or ~core-*.lisp~ — detected by ~dispatcher-check-core-path~ using direct regex matching (~core-.*\.(org|lisp)~).
Unlike secret path protection (Vector 2), which produces a hard ~:LOG~ block, core file writes produce a ~:approval-required~ Flight Plan (Vector 2b). The human reviews the proposed core change in an Org buffer before approving — the same mechanism that governs shell commands and network exfiltration.
The ~SELF_BUILD_MODE~ env var controls this protection:
- ~SELF_BUILD_MODE=true~ (default ~false~): core path protection active — writes require HITL approval
- ~SELF_BUILD_MODE=false~: protection disabled — useful during development when the human is manually editing core files
** dispatcher-check-core-path
;; REPL-VERIFIED: 2026-05-06T18:00:00
#+begin_src lisp
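Review bot: the pattern ~core-.*\.(org|lisp)~ that the new Self-Build Safety Boundary prose cites for ~dispatcher-check-core-path~ is unanchored, so with ~cl-ppcre:scan~ it also fires on any path that merely contains ~core-~ somewhere (~docs/hardcore-notes.org~, ~scoreboard/core-sheet.lisp~) and on paths with trailing text (~core-loop.org.bak~, ~core-memory.lisp~~), while the file it is meant to guard can still be reached through a symlink or a ~../~ path if the check runs on the raw argument. Anchor the match on a path-component boundary and end of string, e.g. ~(^|/)core-[^/]*\.(org|lisp)$~, and apply it to the normalized (truename) path before comparing; the shell-command branch needs the same treatment, since the target there can be split across quoting or a variable. Two smaller points in the same section: the first paragraph says the Dispatcher "blocks" writes to ~core-*~ files, but the next paragraph says they produce an ~:approval-required~ Flight Plan rather than a hard ~:LOG~ block, so pick one verb; and because ~SELF_BUILD_MODE~ defaults to ~false~, the opening sentence ("now protects the core pipeline") should state plainly that the protection is opt-in. Also, the ~;; REPL-VERIFIED~ line sits above ~#+begin_src lisp~, so it is Org text rather than a Lisp comment; move it inside the block or make it an Org comment.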