v0.7.2: safe-tool read-only allowlist — TDD

Read-only cognitive tools auto-pass dispatcher-check unconditionally. Added :read-only-p slot to cognitive-tool struct, :read-only-p keyword to def-cognitive-tool macro, tool-read-only-p registry lookup. - core-package: struct + macro + tool-read-only-p function - security-dispatcher: early auto-pass in dispatcher-check, 2 new tests - programming-tools: 7 tools marked :read-only-p t (search-files, find-files, read-file, list-directory, eval-form, run-tests, org-find-headline) - Dispatcher: 38/38
2026-05-08 16:28:10 -04:00
parent bec894ca4f
commit d2d61c5b44
6 changed files with 140 additions and 24 deletions
--- a/org/core-package.org
+++ b/org/core-package.org
@@ -95,10 +95,11 @@ The package definition. All public symbols are exported here.
    #:hitl-approve
    #:hitl-deny
    #:hitl-handle-message
-    #:dispatcher-check-secret-path
-    #:dispatcher-check-shell-safety
-    #:dispatcher-check-privacy-tags
-    #:dispatcher-check-network-exfil
+   #:dispatcher-check-secret-path
+   #:dispatcher-check-shell-safety
+   #:dispatcher-check-privacy-tags
+   #:dispatcher-check-network-exfil
+   #:dispatcher-check
    #:dispatcher-gate
    #:wildcard-match
    #:actuator-initialize
@@ -167,6 +168,7 @@ The package definition. All public symbols are exported here.
   #:cognitive-tool-parameters
   #:cognitive-tool-guard
   #:cognitive-tool-body
+   #:tool-read-only-p
   #:register-probabilistic-backend
   #:*probabilistic-backends*
   #:*provider-cascade*
@@ -266,18 +268,20 @@ Tools that the LLM can invoke are registered here. Each tool has a name, descrip
  description
  parameters
  guard
-  body)
+  body
+  read-only-p)
 #+end_src

 #+begin_src lisp
-(defmacro def-cognitive-tool (name description parameters &key guard body)
+(defmacro def-cognitive-tool (name description parameters &key guard body read-only-p)
  "Registers a cognitive tool. PARAMETERS is a list of plists, one per parameter."
  `(setf (gethash (string-downcase (string ',name)) *cognitive-tool-registry*)
         (make-cognitive-tool :name (string-downcase (string ',name))
                              :description ,description
                              :parameters ',parameters
                              :guard ,guard
-                              :body ,body)))
+                              :body ,body
+                              :read-only-p ,read-only-p)))
 #+end_src

 #+begin_src lisp
@@ -299,6 +303,12 @@ Tools that the LLM can invoke are registered here. Each tool has a name, descrip
 ;; Alias: generate-tool-belt-prompt → cognitive-tool-prompt
 (defun generate-tool-belt-prompt ()
  (cognitive-tool-prompt))
+
+(defun tool-read-only-p (name)
+  "Returns T if the named cognitive tool is read-only, NIL otherwise."
+  (let ((tool (gethash (string-downcase (string name)) *cognitive-tool-registry*)))
+    (when tool
+      (cognitive-tool-read-only-p tool))))
 #+end_src

 *** Centralized logging (log-message)