FEAT: Implement 5-Vector Bouncer Matrix and foundational refactor

2026-04-11 16:36:06 -04:00
parent eca6610274
commit 9fcf45d918
13 changed files with 363 additions and 490 deletions
--- a/skills/org-skill-bouncer.org
+++ b/skills/org-skill-bouncer.org
@@ -18,10 +18,86 @@ While the *Formal Prover* ensures an action is "legal" (e.g., "Yes, you are allo

 * Implementation

+** Deep Packet Inspection (DPI)
+
+*** Secret Exposure Check
+Retrieves all active secrets from the vault and scans the payload for potential leaks.
+
+#+begin_src lisp :tangle ../src/bouncer.lisp
+(defun bouncer-scan-secrets (text)
+  "Returns the name of the secret found in TEXT, or NIL if clean."
+  (when (and text (stringp text))
+    (let ((found-secret nil))
+      (maphash (lambda (key val)
+                 (when (and val (stringp val) (> (length val) 5))
+                   (when (search val text)
+                     (setf found-secret key))))
+               *vault-memory*)
+      found-secret)))
+#+end_src
+
+*** Network Exfiltration Check
+Inspects shell commands for unwhitelisted domains or IP addresses.
+
+#+begin_src lisp :tangle ../src/bouncer.lisp
+(defun bouncer-check-network-exfil (cmd)
+  "Returns T if the command appears to target an unwhitelisted external host."
+  (when (and cmd (stringp cmd))
+    ;; Basic check for common data exfiltration tools being used with IPs/URLs
+    (let ((network-whitelist '("api.telegram.org" "matrix.org" "googleapis.com" "openai.com" "anthropic.com")))
+      (when (cl-ppcre:scan "(http|https|ftp)://([\\w\\.-]+)" cmd)
+        (multiple-value-bind (match regs) 
+            (cl-ppcre:scan-to-strings "(http|https|ftp)://([\\w\\.-]+)" cmd)
+          (declare (ignore match))
+          (let ((domain (aref regs 1)))
+            (not (some (lambda (safe) (search safe domain)) network-whitelist))))))))
+#+end_src
+
+** Runtime Guard (bouncer-check)
+The primary entry point for all high-impact actions.
+
+#+begin_src lisp :tangle ../src/bouncer.lisp
+(defun bouncer-check (action context)
+  "The 5-Vector security gate. Blocks or queues actions based on risk."
+  (let* ((target (getf action :target))
+         (payload (getf action :payload))
+         (text (or (getf payload :text) (getf action :text)))
+         ;; Extract cmd from direct shell or tool-mediated shell call
+         (cmd (or (getf payload :cmd)
+                  (when (and (eq target :tool) (equal (getf payload :tool) "shell"))
+                    (getf (getf payload :args) :cmd))))
+         (approved (getf action :approved)))
+    
+    (cond
+      ;; 0. Bypass for already approved actions
+      (approved action)
+
+      ;; 1. Secret Exposure Vector (Hard Block)
+      ((and text (bouncer-scan-secrets text))
+       (let ((secret-name (bouncer-scan-secrets text)))
+         (kernel-log "SECURITY VIOLATION: Blocked leak of secret ~a" secret-name)
+         `(:type :log :payload (:level :error :text ,(format nil "Action blocked: Potential exposure of ~a" secret-name)))))
+
+      ;; 2. Network Exfiltration Vector (Authorization Required)
+      ((and (or (eq target :shell) 
+                (and (eq target :tool) (equal (getf payload :tool) "shell")))
+            (bouncer-check-network-exfil cmd))
+       (kernel-log "SECURITY WARNING: External network call detected. Queuing for approval.")
+       `(:type :EVENT :payload (:sensor :approval-required :action ,action)))
+
+      ;; 3. High-Impact Target Vector (Authorization Required)
+      ((or (member target '(:shell))
+           (and (eq target :tool) (member (getf payload :tool) '("shell" "repair-file") :test #'string=))
+           (and (eq target :emacs) (eq (getf payload :action) :eval)))
+       (kernel-log "SECURITY: High-impact action ~a requires approval." (or (getf payload :tool) target))
+       `(:type :EVENT :payload (:sensor :approval-required :action ,action)))
+
+      ;; 4. Default Pass
+      (t action))))
+#+end_src
+
 ** Approval Processing
 #+begin_src lisp :tangle ../src/bouncer.lisp
-(in-package :org-agent)
-
 (defun bouncer-process-approvals ()
  "Scans the object store for APPROVED flight plans and re-injects their actions."
  (let ((approved-nodes (list-objects-with-attribute :TODO "APPROVED"))
@@ -33,7 +109,7 @@ While the *Formal Prover* ensures an action is "legal" (e.g., "Yes, you are allo
          (kernel-log "BOUNCER: Found approved flight plan ~a. Re-injecting..." (org-object-id node))
          (let ((action (ignore-errors (read-from-string action-str))))
            (when action
-              ;; Add bypass flag
+              ;; Mark as approved to bypass the gate
              (setf (getf action :approved) t)
              (inject-stimulus action)
              ;; Mark as DONE
--- a/skills/org-skill-llm-gateway.org
+++ b/skills/org-skill-llm-gateway.org
@@ -141,21 +141,22 @@ This is the primary actuator for neural reasoning. It handles the specific JSON

 ** Cognitive Tools
 The `:ask-llm` tool exposes the gateway's power to System 1, allowing it to explicitly request reasoning from a specific provider when the default cascade is insufficient.
+** Registration: Tool
+Register the unified gateway as a cognitive tool.

 #+begin_src lisp :tangle ../src/llm-gateway.lisp
-(def-cognitive-tool :ask-llm "Queries an LLM provider via the unified gateway."
-  :parameters ((:prompt :type :string :description "The user prompt.")
-               (:system-prompt :type :string :description "The system instructions.")
-               (:provider :type :keyword :description "The provider (e.g., :gemini-api, :anthropic, :groq, :openai, :openrouter, :ollama, :gemini-web).")
-               (:model :type :string :description "Optional specific model ID."))
+(def-cognitive-tool :ask-llm 
+  "Queries an LLM provider via the unified gateway."
+  ((:prompt :type :string :description "The user prompt.")
+   (:system-prompt :type :string :description "The system instructions.")
+   (:provider :type :keyword :description "The provider (e.g., :gemini-api, :anthropic, :groq, :openai, :openrouter, :ollama, :gemini-web).")
+   (:model :type :string :description "Optional specific model ID."))
  :body (lambda (args)
          (execute-llm-request (getf args :prompt) 
                               (or (getf args :system-prompt) "You are a helpful assistant.")
                               :provider (getf args :provider)
                               :model (getf args :model))))
 #+end_src
-
-** Registration: Backends
 Register each supported provider with the kernel's neural registry.

 #+begin_src lisp :tangle ../src/llm-gateway.lisp
--- a/skills/org-skill-self-fix.org
+++ b/skills/org-skill-self-fix.org
@@ -61,12 +61,13 @@ The *Self-Fix Agent* is the system's "Repair Mechanism." It takes failure hypoth
        nil))))
 #+end_src

-** Cognitive Tools
+** Registration
 #+begin_src lisp :tangle ../src/self-fix.lisp
-(org-agent:def-cognitive-tool :repair-file "Applies a surgical code modification to a file and reloads the skill if applicable."
-  :parameters ((:file :type :string :description "Path to the target file")
-               (:old :type :string :description "The literal code block to find")
-               (:new :type :string :description "The literal code block to replace it with"))
+(def-cognitive-tool :repair-file 
+  "Applies a surgical code modification to a file and reloads the skill if applicable."
+  ((:file :type :string :description "Path to the target file")
+   (:old :type :string :description "The literal code block to find")
+   (:new :type :string :description "The literal code block to replace it with"))
  :body (lambda (args)
          (if (self-fix-apply (list :payload args) nil)
              "REPAIR SUCCESSFUL."