RED proofs (pre-v0.4.0):
- dispatcher-check-secret-path 'core-loop-reason.org' → NIL (unprotected)
- dispatcher-check-core-path function does not exist
- Write to core file passes through gate unchanged
- test-self-build-core-protection does not exist
- Dispatcher suite: 19/0
GREEN proofs (v0.4.0):
- dispatcher-check-core-path: T for core-*.org/lisp, NIL for others
- SELF_BUILD_MODE=true: core write → :approval-required Flight Plan
- SELF_BUILD_MODE=false (default): writes pass through
- Dispatcher suite: 24/0 (new test-self-build-core-protection)
Prose:
- New 'Self-Build Safety Boundary' section: explains thin harness/fat
skills corollary, regex-based core-* detection, Flight Plan vs LOG
blocking, SELF_BUILD_MODE env var semantics.
Adds dispatcher-check-core-path: regex-based detection of core-*.org and
core-*.lisp files (Perceive-Reason-Act loop, Merkle-tree memory, skill
engine, Dispatcher gates).
Vector 2b in dispatcher-check: when SELF_BUILD_MODE=true and a core file
write is detected, produces :approval-required (Flight Plan HITL) instead
of allowing the write through. When SELF_BUILD_MODE=false (default),
writes pass through — development mode.
Core file protection is separate from secret-path protection
(*dispatcher-protected-paths*) which blocks credentials/keys/tokens.
Test test-self-build-core-protection:
- core-loop-reason.org, core-memory.lisp → protected
- gateway-tui-view.org → not protected
- SELF_BUILD_MODE=true → writes blocked as :approval-required
- SELF_BUILD_MODE=false → writes pass through
Test: 102/0 (dispatcher 24/0)
1. Shell actuator: remove double bash -c wrapping (format ~s produces
S-expression-safe strings, not shell-safe). Now passes cmd directly
to (timeout N bash -c cmd) via run-program arg list.
2. Dispatcher: extend high-impact approval gate to :system :eval.
Previously only :shell, :tool "shell", and :emacs :eval triggered
HITL. Now :system :eval also requires Flight Plan approval.
3. Skill sandbox: before promoting a skill from its jailed package to
:passepartout, scan for restricted symbol references (uiop:run-program,
uiop:shell, uiop:run-shell-command). Block promotion on violation.
New skill-entry status :sandbox-blocked for blocked skills.
Test: 91 pass, 0 fail across 13 suites.
Root cause chain:
1. proto-get was used throughout the pipeline but never defined — added
to core-communication.org as a keyword-normalizing getf wrapper.
2. security-dispatcher.lisp was loaded by skill-initialize-all into a
separate package, making HITL functions invisible to :passepartout.
Fixed by adding to ASDF component list and excluding from skill loader.
3. org-id-generate was referenced from hitl-create but lives in an
unexported skill package — replaced with uuid:make-v4-uuid.
4. uiop:string-prefix-p was called with :test keyword argument it does
not accept — replaced with string-downcase normalization on both sides.
Also:
- Export hitl-create, hitl-approve, hitl-deny, hitl-handle-message,
stimulus-inject from :passepartout for REPL accessibility.
Fixes 4 pre-existing PROSE-BEFORE-CODE violations in the HITL in-memory
store section. Each function (hitl-create, hitl-approve, hitl-deny,
hitl-handle-message) now has a *** sub-heading with explanatory prose
before its code block.
(setf (getf signal :approved t)) → (setf (getf signal :approved) t)
Caught during system compilation. This is exactly the class of bug that
the REPL-first discipline would have caught instantly.
- dispatcher-check: add :level :approval-required to network/high-impact returns
- cognitive-verify: distinguish approval-required from hard rejection; pass
approval requests through to act gate instead of returning early
- loop-gate-reason: don't retry approval requests; pass them as approved-action
with :status :requires-approval
- loop-gate-act: detect approval-required, create Flight Plan, dispatch HITL
message to user's client, don't execute original action
- loop-gate-perceive: handle re-injected approved signals from
dispatcher-approvals-process; set :approved-action on signal
- dispatcher-approvals-process: fix function name (stimulus-inject) and wrap
action in proper signal envelope with :sensor :approval-required
- Fix: list-objects-with-attribute → memory-objects-by-attribute
- Fix: org-id-new → org-id-generate
- Fix: inject-stimulus → stimulus-inject (correct function name)
Flow:
1. LLM proposes high-risk action → dispatcher returns approval-required
2. cognitive-verify collects approval request → passes to reason as :requires-approval
3. loop-gate-act creates Flight Plan → dispatches HITL message to client → exits
4. Human approves in Emacs → heartbeat re-injects with :approved t
5. Re-injected signal flows through pipeline → dispatcher passes through
6. Action executed normally
- Added ;; REPL-VERIFIED: comments to all 164 definition blocks across 30 org files
- Split 32 multi-definition blocks into one-per-block (one function per block)
- Added Org headlines to 45 blocks missing prose-before-code
- verify-repl now returns PASS on entire org/ directory
- system-context-manager (new skill): stack-based project focusing with
push-context/pop-context, path resolution relative to base path, and
scope-aware memory queries via context-scoped-query.
- core-memory: add :scope slot to memory-object struct (default :memex).
- core-memory: ingest-ast accepts &key (scope :memex), propagates to children.
- core-context: context-query accepts :scope parameter for filtering.
- DEFECT FIX: renamed org-object-* accessors to memory-object-*
across core-context, security-dispatcher, tests, and defpackage exports.
The struct was renamed but accessor references were never updated —
the code referenced nonexistent functions.
- New system-event-orchestrator skill with hook registry, cron registry, and tier classifier
- Three dispatch tiers: :reflex (no LLM), :cognition (light), :reasoning (full)
- Org-mode timestamp parsing for repeat patterns (+1w, +1d, +1m)
- Registers on heartbeat via defskill, dispatches due cron jobs
- Fix all remaining harness-log → log-message references across org files
