From 0e8ba36ddb1ca50f5b056f1b5a5da426f786143a Mon Sep 17 00:00:00 2001 From: Amr Gharbeia Date: Wed, 6 May 2026 19:42:08 -0400 Subject: [PATCH] =?UTF-8?q?v0.4.0:=20self-build=20safety=20=E2=80=94=20REP?= =?UTF-8?q?L=20TDD=20+=20literate=20prose?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RED proofs (pre-v0.4.0): - dispatcher-check-secret-path 'core-loop-reason.org' → NIL (unprotected) - dispatcher-check-core-path function does not exist - Write to core file passes through gate unchanged - test-self-build-core-protection does not exist - Dispatcher suite: 19/0 GREEN proofs (v0.4.0): - dispatcher-check-core-path: T for core-*.org/lisp, NIL for others - SELF_BUILD_MODE=true: core write → :approval-required Flight Plan - SELF_BUILD_MODE=false (default): writes pass through - Dispatcher suite: 24/0 (new test-self-build-core-protection) Prose: - New 'Self-Build Safety Boundary' section: explains thin harness/fat skills corollary, regex-based core-* detection, Flight Plan vs LOG blocking, SELF_BUILD_MODE env var semantics. --- org/security-dispatcher.org | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/org/security-dispatcher.org b/org/security-dispatcher.org index f0d15ec..f1719f0 100644 --- a/org/security-dispatcher.org +++ b/org/security-dispatcher.org 
@@ -159,6 +159,19 @@ Destructive and injection patterns that are blocked in shell commands. Covers ~r (cl-ppcre:scan regex path))) #+end_src + +** Self-Build Safety Boundary (v0.4.0) + +The Dispatcher now protects the core pipeline from unapproved modification. This is the operational realization of "thin harness, fat skills" — the harness is thin enough for a human to audit, and the Dispatcher ensures it stays that way. + +The ~core-*~ files implement the Perceive-Reason-Act cycle, the Merkle-tree memory, the skill engine loader, and the Dispatcher gate stack itself. If the agent (or a hallucination) modifies these files, the agent loses its ability to reason about and fix the corruption. The Dispatcher blocks any file write or shell command targeting ~core-*.org~ or ~core-*.lisp~ — detected by ~dispatcher-check-core-path~ using direct regex matching (~core-.*\.(org|lisp)~). + +Unlike secret path protection (Vector 2), which produces a hard ~:LOG~ block, core file writes produce a ~:approval-required~ Flight Plan (Vector 2b). The human reviews the proposed core change in an Org buffer before approving — the same mechanism that governs shell commands and network exfiltration. + +The ~SELF_BUILD_MODE~ env var controls this protection: +- ~SELF_BUILD_MODE=true~ (default ~false~): core path protection active — writes require HITL approval +- ~SELF_BUILD_MODE=false~: protection disabled — useful during development when the human is manually editing core files + ** dispatcher-check-core-path ;; REPL-VERIFIED: 2026-05-06T18:00:00 #+begin_src lisp
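Review bot: the ~SELF_BUILD_MODE~ bullets at the end of the hunk read as if ~true~ were the default ("~SELF_BUILD_MODE=true~ (default ~false~)"), while the commit message and the GREEN proofs say the default is ~false~, meaning core-file protection is off unless someone enables it; suggest rewording to "~SELF_BUILD_MODE=true~: core path protection active" and "~SELF_BUILD_MODE=false~ (default): protection disabled", and, since this gate is what keeps the harness auditable, either defaulting to protection on (fail closed) or stating in this section why opt-in is acceptable for now. Two smaller points in the same section: the regex ~core-.*\.(org|lisp)~ is unanchored and ~.*~ crosses directory separators, so it also matches paths such as ~notes/score-results.org~, ~core-tools/helper.lisp~ or ~core-loop.org.bak~; anchoring on the basename after resolving the path to its canonical form (for example ~^core-[^/]*\.(org|lisp)$~ applied to the file name) would make the stated ~core-*~ intent precise and avoid both spurious Flight Plans and misses on aliased paths. Finally, the prose claims the gate covers "any file write or shell command" targeting core files, but the proofs listed in the commit message only exercise a core file write; either add a shell-command case to ~test-self-build-core-protection~ or narrow the sentence to what is tested.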