feat(v0.2.0): finalize autonomous self-editing foundation

- Hardened actuators: Fixed path-traversal vulnerabilities in file I/O tools and blocked .org files from regex replacements to force AST usage. Enforced Merkle snapshots on AST edits. - Implemented Reflection Loops: Injected rejection traces from deterministic gates back into the LLM context to enable autonomous self-correction. - Finalized tool permission tiers (ask/allow/deny) with proper LLM prompt filtering.
2026-04-27 13:44:43 -04:00
parent c8d8f1412d
commit f1be82a00b
5 changed files with 132 additions and 39 deletions
--- a/harness/skills.org
+++ b/harness/skills.org
@@ -363,11 +363,13 @@ EXAMPLES:
 ---
 " )))
    (maphash (lambda (name tool)
-               (setf output (concatenate 'string output
-                                         (format nil "- ~a: ~a~%  Parameters: ~s~%~%"
-                                                 name
-                                                 (cognitive-tool-description tool)
-                                                 (cognitive-tool-parameters tool)))))
+               (let ((perm (ignore-errors (uiop:symbol-call :opencortex.skills.org-skill-tool-permissions :get-tool-permission name))))
+                 (unless (eq perm :deny)
+                   (setf output (concatenate 'string output
+                                             (format nil "- ~a: ~a~%  Parameters: ~s~%~%"
+                                                     name
+                                                     (cognitive-tool-description tool)
+                                                     (cognitive-tool-parameters tool)))))))
             *cognitive-tools*)
    output))
 #+end_src
@@ -462,9 +464,9 @@ EXAMPLES:
           (declare (ignore context))
           (let* ((file (getf args :file))
                  (memex-root (or (uiop:getenv "MEMEX_DIR") "/home/user/memex"))
-                  (truename (ignore-errors (namestring (truename file)))))
-             (or (null truename)
-                 (str:starts-with-p memex-root truename))))
+                  (abs-path (namestring (uiop:ensure-absolute-pathname file (uiop:getcwd)))))
+             (and (str:starts-with-p memex-root abs-path)
+                  (not (search ".." abs-path)))))
  :body (lambda (args)
          (let ((file (getf args :file)))
            (handler-case
@@ -483,9 +485,10 @@ EXAMPLES:
           (declare (ignore context))
           (let* ((file (getf args :file))
                  (memex-root (or (uiop:getenv "MEMEX_DIR") "/home/user/memex"))
-                  (truename (ignore-errors (namestring (truename file)))))
-             (or (null truename)
-                 (str:starts-with-p memex-root truename))))
+                  (abs-path (namestring (uiop:ensure-absolute-pathname file (uiop:getcwd)))))
+             (and (str:starts-with-p memex-root abs-path)
+                  (not (search ".." abs-path))
+                  (not (str:ends-with-p ".org" abs-path))))) ;; Force AST tools for .org files
  :body (lambda (args)
          (let ((file (getf args :file))
                (content (getf args :content))
@@ -515,9 +518,10 @@ EXAMPLES:
           (declare (ignore context))
           (let* ((file (getf args :file))
                  (memex-root (or (uiop:getenv "MEMEX_DIR") "/home/user/memex"))
-                  (truename (ignore-errors (namestring (truename file)))))
-             (or (null truename)
-                 (str:starts-with-p memex-root truename))))
+                  (abs-path (namestring (uiop:ensure-absolute-pathname file (uiop:getcwd)))))
+             (and (str:starts-with-p memex-root abs-path)
+                  (not (search ".." abs-path))
+                  (not (str:ends-with-p ".org" abs-path))))) ;; Force AST tools for .org files
  :body (lambda (args)
          (let ((file (getf args :file))
                (old (getf args :old))