RED: embedding-backend-native does not exist. No CFFI llama binding.
GREEN (REPL progress):
- cffi:define-foreign-library libllama → loaded
- defcstruct with correct sizes (verified via C sizeof program):
llama-mparams (72 bytes), llama-cparams (136 bytes), llama-batch (56)
- Field offsets verified via C offsetof program
- llama_backend_init discovered as required prerequisite
- llama-model-default-params correctly fills 72-byte struct (verified)
- llama-embedding CLI verified: 768-dim vectors, 22ms/4tokens
BLOCKED: llama_model_load_from_file segfaults via CFFI. Suspect struct-by-value
vs pointer ABI mismatch on x86-64. Needs interactive SBCL REPL to debug the
calling convention (structs >16 bytes passed by hidden reference on SysV).
CFFI bindings preserved in org/system-model-embedding-native.org for
continued REPL work. Includes: model load, context create, tokenize,
encode, embeddings-ith, batch init/free.
Model: nomic-embed-text-v1.5.Q4_K_M.gguf (80MB, 768-dim, nomic-bert)
at ~/.local/share/passepartout/models/
Adds Discord gateway: REST API POST /channels/{id}/messages for
sending, HTTP GET for polling messages. Maps Discord mentions to
:user-input signals. HITL commands intercepted before injection.
Adds Slack gateway: Web API chat.postMessage for sending,
conversations.history for polling. Uses SLACK_TOKEN from vault.
Each gateway registered in *gateway-registry* following the same
jail-loaded skill pattern as Telegram and Signal.
Registry now has 4 platforms: telegram, signal, discord, slack.
RED: Messaging suite had only 1 test (5 checks). No Telegram or Signal
integration tests existed.
GREEN: 4 new tests, 12 new checks (5 → 17):
test-telegram-send-format: verifies URL/body construction for
telegram-send — URL contains sendMessage + token, body encodes
chat_id + text as JSON.
test-telegram-poll-hits-interception: verifies HITL commands
(/approve, /deny, /approve <token>) are intercepted before
signal injection. Non-HITL messages pass through.
test-signal-send-format: verifies signal-send constructs correct
CLI args for signal-cli (account, send, -m, text, chat-id).
test-signal-poll-json-parse: verifies signal-cli JSON output is
parsed correctly — extracts envelope source and dataMessage text.
Test: 123/0 across 13 suites (messaging 17/0).
RED proofs (pre-v0.4.0):
- dispatcher-check-secret-path 'core-loop-reason.org' → NIL (unprotected)
- dispatcher-check-core-path function does not exist
- Write to core file passes through gate unchanged
- test-self-build-core-protection does not exist
- Dispatcher suite: 19/0
GREEN proofs (v0.4.0):
- dispatcher-check-core-path: T for core-*.org/lisp, NIL for others
- SELF_BUILD_MODE=true: core write → :approval-required Flight Plan
- SELF_BUILD_MODE=false (default): writes pass through
- Dispatcher suite: 24/0 (new test-self-build-core-protection)
Prose:
- New 'Self-Build Safety Boundary' section: explains thin harness/fat
skills corollary, regex-based core-* detection, Flight Plan vs LOG
blocking, SELF_BUILD_MODE env var semantics.
Gate trace: cognitive-verify accumulates (:gate name :result status) for
each deterministic gate. Trace prepended to action plist via list*.
TUI on-daemon-msg extracts :gate-trace and stores on message object.
add-msg accepts &key gate-trace for future rendering (collapsible Tab).
Rule counter: TUI actuator enriches response payload with :rule-count
=(hash-table-count *hitl-pending*). TUI status bar shows 'Rules:N'.
Focus map: TUI actuator adds :foveal-id from signal context. TUI stores
in state and renders second status line '[Focus: id]'.
Status bar: now two lines — line 1 (connection, mode, msgs, scroll,
rules, thinking spinner), line 2 (focus map, timestamp).
Test: 112/0 across 14 suites (reason 15/0 including gate-trace assertions)
Adds dispatcher-check-core-path: regex-based detection of core-*.org and
core-*.lisp files (Perceive-Reason-Act loop, Merkle-tree memory, skill
engine, Dispatcher gates).
Vector 2b in dispatcher-check: when SELF_BUILD_MODE=true and a core file
write is detected, produces :approval-required (Flight Plan HITL) instead
of allowing the write through. When SELF_BUILD_MODE=false (default),
writes pass through — development mode.
Core file protection is separate from secret-path protection
(*dispatcher-protected-paths*) which blocks credentials/keys/tokens.
Test test-self-build-core-protection:
- core-loop-reason.org, core-memory.lisp → protected
- gateway-tui-view.org → not protected
- SELF_BUILD_MODE=true → writes blocked as :approval-required
- SELF_BUILD_MODE=false → writes pass through
Test: 102/0 (dispatcher 24/0)
SIGWINCH: handle KEY_RESIZE (410) in main loop — re-measure screen,
re-create status/chat/input windows at new dimensions, force redraw.
Scroll clamp: PageUp clamped to (max 0 (- total 1)), prevents scrolling
past message list end. Status bar shows 'msgs:N scroll:0'.
/quit: saves :input-history to ~/.cache/passepartout/history (one line
per entry, most recent first), sends goodbye handshake, sets :running nil.
/reconnect: closes stale socket via disconnect-daemon, re-runs
connect-daemon with retry backoff. Connection-loss detection: reader-loop
counts consecutive nils; after 10, queues :disconnected event. Handler
clears :connected/:busy, shows red system message.
Load-history: reads ~/.cache/passepartout/history on startup, populates
:input-history for up-arrow recall.
Message vector: :messages init as adjustable vector with fill pointer.
add-msg uses vector-push-extend (O(1) append). view-chat uses aref
(O(1) access) instead of nth (O(n) for lists).
Adds word-wrap(text width) — splits strings into lines at word
boundaries respecting terminal width. Rewrites view-chat to:
- Wrap each message with word-wrap before rendering
- Render each wrapped line as a separate add-string call
- Account for wrapped line count in visible-message calculation
RED proof: tmux capture shows messages split mid-word at terminal edge.
GREEN proof: tmux capture shows clean word-boundary wrapping:
The quick brown fox jumps over the lazy dog while the cat naps
peacefully in the sunny garden
1. Shell actuator: remove double bash -c wrapping (format ~s produces
S-expression-safe strings, not shell-safe). Now passes cmd directly
to (timeout N bash -c cmd) via run-program arg list.
2. Dispatcher: extend high-impact approval gate to :system :eval.
Previously only :shell, :tool "shell", and :emacs :eval triggered
HITL. Now :system :eval also requires Flight Plan approval.
3. Skill sandbox: before promoting a skill from its jailed package to
:passepartout, scan for restricted symbol references (uiop:run-program,
uiop:shell, uiop:run-shell-command). Block promotion on violation.
New skill-entry status :sandbox-blocked for blocked skills.
Test: 91 pass, 0 fail across 13 suites.
Wrap read-from-string/read with (let ((*read-eval* nil)) ...) at three
untrusted-input code paths:
1. think() in core-loop-reason — LLM output parsing. LLM output is
untrusted by definition; #.(shell ...) in a response must not execute.
2. action-system-execute in core-loop-act — :system :eval path processes
untrusted payload code from the signal pipeline.
3. load-memory-from-disk in core-memory — memory.snap file could be
corrupted or planted in ~/, must not execute #. reader macros.
Adds test-read-eval-rce-blocked to pipeline-reason-suite: mocks a
backend returning malicious output containing #.(setf ...), verifies
no side effects occur and safe fallback is returned.
RED proof recorded: *read-eval* T + #.(setf ...) → :PWNED (RCE active)
GREEN proof: *read-eval* NIL → reader-error caught (RCE blocked)
Test: reason 12/0, full suite 88/0
Croatoan child windows don't inherit the screen's :input-blocking nil.
Without explicit (setf (input-blocking iw) nil), get-char blocks the
main loop indefinitely, preventing redraw from running. New agent
messages queued by the reader-loop thread were never rendered until
the user pressed a key.
Now the loop runs at 30fps and responses appear immediately.
- connect-daemon: retry up to 3 times with 3s backoff instead of
single 10s attempt. Shows 'Connecting...' while retrying.
- Failed attempts show attempt count and error detail.
- After all retries exhausted: shows TIP to start daemon first.
- Connection status bar already shows Connected/Disconnected.
- passepartout tui already auto-starts daemon if port 9105 is closed.
TUI integration: 7/7 pass.
- recv-daemon: catch all errors silently (not just usocket:timeout-error
which doesn't match SBCL's SB-INT:IO-TIMEOUT). Prevents log-message
from bleeding through to the Croatoan screen.
- reader-loop: add (sleep 0.5) when recv-daemon returns nil, preventing
tight spin on repeated I/O timeouts during idle periods.
- Backspace: get-char returns raw ncurses integers (263=KEY_BACKSPACE),
not key structs. Use code-key + key-name to normalize codes >255
to keywords, so (eq ch :backspace) actually matches.
- TUI blank screen: add initial redraw+refresh before the main loop.
get-char blocks, so the first frame was never drawn on startup.
- connect-daemon: remove :element-type character (daemon listens in
binary mode, mismatch caused hang). Add :timeout 10.
- Tests: use actual ncurses codes (343=KEY_ENTER, 263=KEY_BACKSPACE,
9=TAB) instead of make-key or raw ascii codes.
TUI: 45/45 pass.
Croatoan returns key structs (make-key :name :backspace) for special
keys. The on-key handler was comparing these structs to keywords like
:backspace with eq, which always failed. Keys like Enter (returned as
13) worked, but Backspace/Tab/arrows didn't. Actually, the user couldn't
delete typed characters.
Fix: normalize at the top of on-key — if the input is a key struct,
extract the :name keyword. This allows the existing keyword-based
cond dispatches to work for all keys.
Updated all tests to use (make-key :name :enter/backspace/tab) instead
of raw integer codes, matching what Croatoan actually sends.
TUI: 43/43 pass.
- passepartout setup: add pre-compile step for :passepartout + :passepartout/tui.
So first daemon/TUI start is fast (~10s instead of ~120s).
- TUI test: remove pre-warm (now in setup). Add 3 rendering diagnostics:
* add-msg-render: /eval injects agent msg, verify text on screen
(isolates TUI rendering from daemon)
* daemon-msg-roundtrip: wait for LLM, check via /eval that :agent
entry exists in :messages list (isolates daemon\xe2\x86\x92TUI comm)
* agent-response-renders: full E2E \xe2\x80\x94 LLM response text on screen
(confirms complete TUI\xe2\x86\x92daemon\xe2\x86\x92LLM\xe2\x86\x92TUI pipeline)
- Fix missing #+end_src in shell block (was preventing tangle)
- Update Contract section with new Phase 3 diagnostic items
- Test: 7/7 pass (was 5/5)
tmux capture-pane strips the ⬇ (U+2B07) character; grep on it always
returns empty. Switch to case-insensitive text matching on actual
LLM response content (hello, hi, greeting, hey).
Also: reorder tests (cascade-parsing, eval-command, status-bar first
to warm the TUI; agent-responds last), increase handshake timeout
to 60s, increase agent poll timeout to 90s.
TUI integration: 5/5 pass (was 4/5 with false-negative on agent-responds)
- TUI agent-responds: hardened to detect and FAIL on cascade/exhausted
responses (previously a separate WARN-only test that let real
cascade failures slip through)
- New TUI cascade-parsing test: /eval *provider-cascade* on screen,
checks for clean keywords (no cl-dotenv quote artifacts)
- Pre-warm step: sbcl --eval '(ql:quickload :passepartout/tui)'
before launching tmux, cuts TUI startup from ~120s to ~10s
- Removed test_agent_not_cascade_failure (absorbed into agent-responds)
- New integration test: test-provider-cascade-parsing verifies
PROVIDER_CASCADE entries are keywords without quotes, matching
registered backends — catches the exact cl-dotenv quote bug
- Fixed stop-daemon ghost symbol (removed export) and paren bug
- Contract section updated with numbered Phase 2/3 items
cl-dotenv preserves surrounding quotes in .env values (unlike bash).
PROVIDER_CASCADE="deepseek,..." resulted in keywords like :"DEEPSEEK
instead of :DEEPSEEK, causing all cascade lookups to fail silently.
Fixes:
- .env.example: remove quotes from PROVIDER_CASCADE
- provider-cascade-initialize: add #" and #' to string-trim chars
- system-model-router: same fix for LOCAL_BACKENDS parsing
- repl: test-repl-list-vars used wrong keyword (REPL-SENSOR→PASSEPARTOUT),
test-repl-inspect-found expected nonexistent 'function' substring
- literate: test-extract-lisp-blocks had ~% as literal chars (→format nil),
test-block-balance-check-valid had broken path merging
- diagnostics: test-diagnostics-env-fail used fragile (setf uiop:getenv),
test-diagnostics-dependency-success included missing 'sbcl' binary
- llm-gateway: test-provider-rejects-bad-keyword made real HTTP request
- reason: test-backend-cascade-no-backends lacked isolation from backends,
test-loop-gate-reason-sets-status called real LLM
- context: delete-file cleanup error now ignore-errors'd
- messaging: *gateway-registry* unbound in jailed package; use symbol-value
4 remaining failures are test-registration issues from jailed packages
(FiveAM suite state conflicts across skill package boundaries).
84% reduction in failures (16→4).
- skill-package-forms-strip: only strip (in-package :passepartout),
preserving test-package declarations. This allows embedded test code
to evaluate in the correct package, fixing 7 previously-unreachable
test suites (vault, perms, policy, validator, lisp, org, archivist).
- Remove security-dispatcher from skill-topological-sort exclusion:
dispatcher was never loaded (neither via ASDF nor skill system).
Test package was previously NIL; now loads properly.
Test results: 146 pass, 16 fail (was 80P 1F).
Remaining failures are pre-existing test code bugs (variable access
across jailed packages, cleanup errors) now exposed by the fix.
