passepartout: v0.4.1 Design Cleanup
Some checks failed
Deploy (Gitea) / deploy (push) Failing after 2s
Some checks failed
Deploy (Gitea) / deploy (push) Failing after 2s
- Remove system-prompt-augment mechanism, introduce *standing-mandates* - Fix false token-overhead claims in DESIGN_DECISIONS + ROADMAP - Update security vector count 9-10 across all docs and dispatcher docstring - Rewrite README with agent section, soften aspirational claims - Register 10 cognitive tools in programming-tools.org with test suite - Enforce NO-HARDCODED-CONSTANTS in .env.example - ROADMAP: mark v0.3.x patches DONE, add LOGBOOKs, mark releases - AGENTS.md: rewrite compact (180 to 50 lines), move refs to CONTRIBUTING - Normalize org tangle directives to file-level PROPERTY inheritance
This commit is contained in:
@@ -9,16 +9,19 @@ The Dispatcher is the physical security layer of Passepartout. While the Policy
|
||||
|
||||
Every action that reaches the Dispatcher has already been approved by the Reasoning pipeline. The LLM generated it, the deterministic gates verified it, and the Act stage is about to execute it. The Dispatcher is the last gate before the action touches the physical world.
|
||||
|
||||
The Dispatcher inspects nine vectors:
|
||||
1. **REPL verification** — warns if a defun is written without REPL prototyping
|
||||
The Dispatcher runs ten blocking checks (eleven including the warn-only REPL lint):
|
||||
|
||||
1. **REPL verification** — warns if a ~defun~ is written without REPL prototyping (warn only, doesn't block)
|
||||
2. **Lisp syntax** — blocks writes with unbalanced parens
|
||||
3. **Secret paths** — blocks reads to ~.env~, SSH keys, PEM files, etc.
|
||||
4. **Content exposure** — scans for API keys, PGP blocks, tokens
|
||||
5. **Vault secrets** — matches against stored credentials
|
||||
6. **Privacy tags** — blocks ~@personal~ tagged content
|
||||
7. **Privacy text** — warns if text references privacy tag names
|
||||
8. **Shell safety** — blocks destructive commands and injection patterns
|
||||
9. **Network exfil** — blocks unwhitelisted outbound connections
|
||||
4. **Self-build safety** — blocks writes to ~core-*~ files unless HITL approved (active when ~SELF_BUILD_MODE=true~)
|
||||
5. **Content exposure** — scans for API keys, PGP blocks, tokens
|
||||
6. **Vault secrets** — matches against stored credentials
|
||||
7. **Privacy tags** — blocks ~@personal~ tagged content
|
||||
8. **Privacy text** — warns if text references privacy tag names
|
||||
9. **Shell safety** — blocks destructive commands and injection patterns
|
||||
10. **Network exfil** — blocks unwhitelisted outbound connections
|
||||
11. **High-impact approval** — requires HITL for ~:shell~, ~:system :eval~, and ~:emacs :eval~
|
||||
|
||||
The Dispatcher also handles the **Flight Plan** system: when a high-risk action is blocked, it creates a Flight Plan node in the Org files that the user can manually approve.
|
||||
|
||||
@@ -357,8 +360,9 @@ Returns a list of matched pattern names or nil if safe."
|
||||
#+begin_src lisp
|
||||
(defun dispatcher-check (action context)
|
||||
"Security gate for high-risk actions.
|
||||
Vectors: lisp validation, secret path, secret content, vault secrets,
|
||||
privacy tags, privacy text, shell safety, network exfil, high-impact approval."
|
||||
Eleven checks: 0=REPL-lint (warn-only), 1=lisp-validation, 2=secret-path,
|
||||
2b=self-build-core, 3=secret-content, 4=vault-secrets, 5=privacy-tags,
|
||||
6=privacy-text, 7=shell-safety, 8=network-exfil, 8b=high-impact-approval."
|
||||
(declare (ignore context))
|
||||
(let* ((target (proto-get action :target))
|
||||
(payload (proto-get action :payload))
|
||||
|
||||
Reference in New Issue
Block a user