amr/passepartout
1
0
Fork 0
Code Issues 15 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

v0.8.3: remove startup info messages from chat history

Browse Source 
Remove the add-msg :system calls that printed * Swank <port> * and
* <backend> backend WxH * — purely informational/debug messages
that cluttered the first lines of the chat window.
This commit is contained in:
Amr Gharbeia
2026-05-20 10:04:24 -04:00
parent 8eb866dee3
commit 8dd94f6d3c
2 changed files with 41 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
docs/ROADMAP.org
View File

@@ -207,6 +207,33 @@ Every subsequent release ships with automated regression protection. The eval ha
- Task suite grows with codebase: every bug fix adds a regression task - Task suite grows with codebase: every bug fix adds a regression task
~200 lines. ~200 lines.
*** TODO Jailed-package sandbox hardening
:PROPERTIES:
:ID: id-v090-sandbox
:CREATED: [2026-05-20 Wed]
:END:
The skill loader's sandbox (~core-skills.org~) scans for ~"uiop:run-program"~ as text. This misses indirect calls:
#+begin_src lisp
(eval (read-from-string "(uiop:run-program \"rm -rf /\")"))
#+end_src
The jailed package ~:use~s ~:cl~ and ~:passepartout~, so ~eval~, ~find-symbol~, ~intern~, ~funcall~, ~read~ are all available. The post-eval ~symbol-function~ equality check is also bypassable by wrapping.
Fix: add ~eval~, ~funcall~, ~apply~, ~find-symbol~, ~intern~, ~read~, ~read-from-string~ to the text-level ~*skill-restricted-symbols*~ list, and shadow them in the jailed package at load time:
#+begin_src lisp
(dolist (sym-name '("EVAL" "READ" "READ-FROM-STRING"
"FIND-SYMBOL" "INTERN" "FUNCALL" "APPLY"))
(let ((sym (find-symbol sym-name :cl)))
(when sym (shadow sym jailed-pkg))))
#+end_src
This makes the symbols unfindable in the jailed package without an explicit ~cl:eval~ prefix, which the text scan then catches. Text scan + shadowing is the combo that closes the bypass.
~20 lines across ~core-skills.org~. Ships with the eval harness so the harness itself tests the sandbox before use.
** v0.10.0: Emacs Development Environment — Secondary Client ** v0.10.0: Emacs Development Environment — Secondary Client
cl-tty is the primary TUI (v0.8.0). The Emacs major mode is an optional secondary client for users who prefer Emacs-based workflows. Both clients communicate with the same daemon over the same TCP protocol — they are interchangeable frontends, not competing architectures. cl-tty is the primary TUI (v0.8.0). The Emacs major mode is an optional secondary client for users who prefer Emacs-based workflows. Both clients communicate with the same daemon over the same TCP protocol — they are interchangeable frontends, not competing architectures.
@@ -297,6 +324,10 @@ The Dispatcher gate stack currently prevents self-modification through pattern m
5. Add ~dispatcher-check-self-termination~: scan shell commands for patterns targeting the Passepartout process (~kill -9 <pid>~, ~rm -rf ~/.cache/passepartout/~, ~sudo apt remove sbcl~). Return ~:reject-self-termination~ with a diagnostic message explaining which command matched and why it would destroy the agent. Human override is possible via HITL — the gate does not prevent the human from issuing the command in a terminal. It prevents the /LLM/ from issuing it accidentally. ~20 lines. 5. Add ~dispatcher-check-self-termination~: scan shell commands for patterns targeting the Passepartout process (~kill -9 <pid>~, ~rm -rf ~/.cache/passepartout/~, ~sudo apt remove sbcl~). Return ~:reject-self-termination~ with a diagnostic message explaining which command matched and why it would destroy the agent. Human override is possible via HITL — the gate does not prevent the human from issuing the command in a terminal. It prevents the /LLM/ from issuing it accidentally. ~20 lines.
6. Add ~integrity-verify-core-files~: on heartbeat, hash the eight core files against known-good values stored at daemon startup. On mismatch, inject an integrity alert into the signal queue. ~25 lines, uses existing SHA-256 infrastructure from v0.2.0 Merkle memory. 6. Add ~integrity-verify-core-files~: on heartbeat, hash the eight core files against known-good values stored at daemon startup. On mismatch, inject an integrity alert into the signal queue. ~25 lines, uses existing SHA-256 infrastructure from v0.2.0 Merkle memory.
7. Add CI tangle verification: after checkout, tangle all ~.org~ files, then ~git diff --exit-code~. CI fails if committed ~.lisp~ files don't match canonical ~.org~ source. One CI step in ~.github/workflows/lint.yml~. Also stop ~.gitignore~-ing ~lisp/~ and commit tangled output — lets ~ql:quickload~ work on fresh clone without Emacs.
8. Add daemon connection thread limits: ~*max-client-connections*~ (default 32), ~*active-client-count*~ with lock, reject connections when at capacity. Add read timeout (~sb-ext:with-timeout~, default 300s) on ~read-framed-message~ to reap silent clients. ~25 lines in ~core-transport.org~.
*** Verification *** Verification
Existing FiveAM gate tests continue to pass. New test: signal at type-level 5 targeting a gate at type-level 4 returns ~:reject-type-violation~ without evaluating the gate predicate. New test: signal at type-level 1 passing through a gate at type-level 3 proceeds to predicate evaluation. New test: ~kill -9 <pid>~ returns ~:reject-self-termination~. New test: modified core file is detected by integrity hash check. Existing FiveAM gate tests continue to pass. New test: signal at type-level 5 targeting a gate at type-level 4 returns ~:reject-type-violation~ without evaluating the gate predicate. New test: signal at type-level 1 passing through a gate at type-level 3 proceeds to predicate evaluation. New test: ~kill -9 <pid>~ returns ~:reject-self-termination~. New test: modified core file is detected by integrity hash check.
@@ -543,6 +574,12 @@ Inject a system message: "Memory critical (94% of 16GB). Unloading embedding-nat
Skill shed order is determined by a new ~:preservation-priority~ slot on ~defskill~ (default ~:normal~). Core safety skills carry ~:critical~ and are never shed. Heavy skills (embedding-native with its model in memory, channel gateways with connection pools) carry ~:low~. Skill shed order is determined by a new ~:preservation-priority~ slot on ~defskill~ (default ~:normal~). Core safety skills carry ~:critical~ and are never shed. Heavy skills (embedding-native with its model in memory, channel gateways with connection pools) carry ~:low~.
**** Snapshot budget enforcement — extends ~core-memory.lisp~
The current ~snapshot-memory~ deep-copies the entire store. For stores exceeding ~MEMORY_SNAPSHOT_MAX_OBJECTS~ (default 50,000), skip full copies and switch to a journaling mode: record only the objects changed since the last snapshot. Implemented as a conditional branch in ~snapshot-memory~. ~20 lines.
Add this to the resource self-monitoring heartbeat: before each snapshot, check store size. If over threshold, use journaling path. Keeps the snapshot model viable for the claimed 10M-object use case without requiring 30GB of RAM for 20 snapshots.
**** External watchdog — extends ~passepartout~ bash entry point **** External watchdog — extends ~passepartout~ bash entry point
The bash script spawns a watchdog subprocess that polls the daemon port every ~WATCHDOG_TIMEOUT~ seconds (default 30). If the port stops responding, the watchdog snapshots the last known-good Merkle root, kills the stale process, and restarts the daemon with ~--snapshot <root-hash>~. The bash script spawns a watchdog subprocess that polls the daemon port every ~WATCHDOG_TIMEOUT~ seconds (default 30). If the port stops responding, the watchdog snapshots the last known-good Merkle root, kills the stale process, and restarts the daemon with ~--snapshot <root-hash>~.

6
org/channel-tui-main.org
View File

@@ -946,17 +946,13 @@ Returns T on success, nil on failure. Does NOT wait or retry."
(*error-output* (make-string-output-stream))) (*error-output* (make-string-output-stream)))
(funcall (find-symbol "CREATE-SERVER" "SWANK") (funcall (find-symbol "CREATE-SERVER" "SWANK")
:port swank-port :dont-close t)) :port swank-port :dont-close t))
(add-msg :system (values))
(format nil "* Swank ~d M-x slime-connect *" swank-port)))
(error () (error ()
(add-msg :system "* Swank unavailable *")))) (add-msg :system "* Swank unavailable *"))))
(cl-tty.backend:with-terminal (be w h) (cl-tty.backend:with-terminal (be w h)
;; stty -icanon -echo -ixon is set by the bash script. ;; stty -icanon -echo -ixon is set by the bash script.
;; We read directly from SBCL's stdin (fd 0) since the ;; We read directly from SBCL's stdin (fd 0) since the
;; terminal is in raw mode — no cat subprocess needed. ;; terminal is in raw mode — no cat subprocess needed.
(add-msg :system (format nil "* ~a backend ~dx~d *"
(if (typep be 'cl-tty.backend:modern-backend) "modern" "simple")
w h))
;; Initial dirty all to trigger first redraw in loop ;; Initial dirty all to trigger first redraw in loop
(setq w (or (and (numberp w) (> w 0) w) 80) (setq w (or (and (numberp w) (> w 0) w) 80)
h (or (and (numberp h) (> h 0) h) 24)) h (or (and (numberp h) (> h 0) h) 24))