Move config/test/models to daemon TCP protocol, TUI uses .env fallback

- Daemon: add handle-client-config inline handler for :config-get,
  :config-set, :config-list, :provider-test, :provider-models
- TUI cmd-config: write .env directly, send reload to daemon if connected
- TUI: /config test and /config models send TCP to daemon (fallback:
  daemon-not-running message)
- Add Test Provider and Discover Models to Ctrl+P daemon commands

.env.example

@@ -1,62 +1,122 @@
-# opencortex: Neural Engine Configuration
-# Core LLM Providers
-GEMINI_API_KEY="your_gemini_key_here"
-ANTHROPIC_API_KEY="your_anthropic_key_here"
-OPENAI_API_KEY="your_openai_key_here"
-GROQ_API_KEY="your_groq_key_here"
+# passepartout: Environment Configuration Template
+# Copy this to .env and fill in your values
+
+# =============================================================================
+# IDENTITY
+# =============================================================================
+MEMEX_USER="YourName"
+MEMEX_ASSISTANT="AgentName"
+
+# =============================================================================
+# LLM PROVIDERS (OpenRouter recommended as primary)
+# =============================================================================
 OPENROUTER_API_KEY="your_openrouter_key_here"
+OPENAI_API_KEY="your_openai_key_here"
+ANTHROPIC_API_KEY="your_anthropic_key_here"
+GROQ_API_KEY="your_groq_api_key_here"
+GEMINI_API_KEY="your_gemini_key_here"
+DEEPSEEK_API_KEY="your_deepseek_key_here"
+NVIDIA_API_KEY="your_nvidia_nim_key_here"
 
-# Legacy/Default (Optional)
-LLM_API_KEY="your_api_key_here"
-LLM_ENDPOINT="https://generativelanguage.googleapis.com/v1beta/models/gemini-pro:generateContent"
+# Cascade order (first available provider wins)
+# Default (if unset): openrouter,openai,anthropic,groq,gemini-api,deepseek,nvidia
+PROVIDER_CASCADE=deepseek,openrouter,openai,anthropic,groq,gemini,nvidia
 
-# Communication Gateways
+# =============================================================================
+# LOCAL LLM (generic OpenAI-compatible endpoint)
+# =============================================================================
+# Set this to the base URL of any local OpenAI-compatible server
+# (llama.cpp, Ollama, vLLM, LM Studio, etc.)
+LOCAL_BASE_URL="localhost:8080"
+
+# Ollama host (legacy: falls back to LOCAL_BASE_URL if not set)
+OLLAMA_HOST="localhost:11434"
+
+# =============================================================================
+# VECTOR EMBEDDINGS (semantic search)
+# =============================================================================
+EMBEDDING_PROVIDER="hashing"  # "hashing" (local, no deps), "local", or "openai"
+EMBEDDING_MODEL="nomic-embed-text"  # model name for embeddings
+EMBEDDING_BASE_URL="https://api.openai.com/v1"  # for :openai provider
+
+# =============================================================================
+# MESSAGING GATEWAYS (optional)
+# =============================================================================
 TELEGRAM_BOT_TOKEN="your_telegram_bot_token_here"
 SIGNAL_ACCOUNT_NUMBER="+1..."
 
-# System 2: Symbolic Constraints
-SAFETY_BLOCK_SHELL=true
-GTD_ENFORCE_INTEGRITY=true
-
-# Harness Protocol Daemon Configuration
+# =============================================================================
+# DAEMON CONFIGURATION
+# =============================================================================
 ORG_AGENT_DAEMON_PORT=9105
-ORG_AGENT_WEB_PORT=8080
 DAEMON_HOST="0.0.0.0"
 HEARTBEAT_INTERVAL=60
 DAEMON_SLEEP_INTERVAL=3600
-
-# Outbound Communication Defaults
 DEFAULT_ACTUATOR="cli"
 SILENT_ACTUATORS="cli,system-message,emacs"
 
-# Core Skill Requirements
-# A comma-separated list of skill Org files (without extension) required for boot.
-MANDATORY_SKILLS="org-skill-policy,org-skill-bouncer"
+# =============================================================================
+# SECURITY
+# =============================================================================
+PROTOCOL_ENFORCE_HMAC=false
+PROTOCOL_HMAC_SECRET="change-this-to-a-secure-random-string"
 
-# Context Management & Peripheral Vision
+# Privacy filter tags: comma-separated list of tags that mark content as private.
+# Files/headings tagged with any of these will be filtered from LLM context.
+# Default: @personal
+PRIVACY_FILTER_TAGS="@personal,@health,@finance"
+
+# =============================================================================
+# DISPATCHER RULE LEARNING
+# =============================================================================
+# Number of HITL approvals before a pattern becomes a permanent rule
+DISPATCHER_RULE_THRESHOLD=3
+
+# Where learned rules are persisted
+RULES_FILE="$HOME/memex/system/rules.org"
+
+# =============================================================================
+# BOOTSTRAP
+# =============================================================================
+MANDATORY_SKILLS="security-policy,security-dispatcher"
+
+# =============================================================================
+# CONTEXT / MEMORY
+# =============================================================================
 CONTEXT_SEMANTIC_THRESHOLD=0.75
 CONTEXT_LOG_LIMIT=20
 
-# Memex Integration
-# Inside Docker, /app/ is the root for consolidated notes
-MEMEX_DIR="/memex"
-ZETTELKASTEN_DIR="/memex/notes"
-SKILLS_DIR="/memex/notes"
+# =============================================================================
+# MEMEX STRUCTURE
+# =============================================================================
+MEMEX_DIR="$HOME/memex"
+ZETTELKASTEN_DIR="$HOME/memex/notes"
+INBOX_DIR="$HOME/memex/inbox"
+DAILY_DIR="$HOME/memex/daily"
+PROJECTS_DIR="$HOME/memex/projects"
+AREAS_DIR="$HOME/memex/areas"
+RESOURCES_DIR="$HOME/memex/resources"
+ARCHIVES_DIR="$HOME/memex/archives"
+SYSTEM_DIR="$HOME/memex/system"
+LLM_REQUEST_TIMEOUT=30
 
-# PARA Structure (Consolidated)
-INBOX_DIR="/memex/inbox"
-DAILY_DIR="/memex/daily"
-PROJECTS_DIR="/memex/projects"
-AREAS_DIR="/memex/areas"
-RESOURCES_DIR="/memex/resources"
-ARCHIVES_DIR="/memex/archives"
-SYSTEM_DIR="/memex/system"
+# =============================================================================
+# TOKEN ECONOMICS (v0.5.0)
+# =============================================================================
+# Max tokens for the combined system prompt + context + user prompt.
+# Default: 16384 (half of a 32K context window, leaves room for model response).
+CONTEXT_MAX_TOKENS=16384
 
-# Identity Configuration
-MEMEX_USER="YourName"
-MEMEX_ASSISTANT="AgentName"
-RECIPIENT_ID="+1..." # For Signal/Telegram delivery
+# Soft daily cost cap in USD. Warning injected into system prompt when
+# approaching budget.
+COST_BUDGET_DAILY=1.00
 
-# Harness Protocol Integrity & Authentication (HMAC-SHA256)
-Harness Protocol_ENFORCE_HMAC=false
-Harness Protocol_HMAC_SECRET="change-this-to-a-secure-random-string"
+# v0.7.2: Privacy tag severity tiers. Format: @tag:block,@tag:warn,@tag:log
+# :block = filter content, :warn = log+allow, :log = silently record
+# Default: empty (no tags configured)
+#TAG_CATEGORIES=@personal:block,@financial:block,@draft:warn
+
+# v0.7.2: Self-build core file protection mode
+# When true, writes to core-*.org and core-*.lisp require HITL approval.
+# Default: false (unrestricted — use during development)
+SELF_BUILD_MODE=false

.gitea/workflows/deploy.yml

@@ -1,44 +1,24 @@
-name: Deploy-Agent-V15-Stdin
+name: Deploy (Gitea)
+
 on:
   push:
     branches:
       - main
 
 jobs:
-  JOB-V15-STDIN:
+  deploy:
     runs-on: debian-latest
     steps:
-      - name: Checkout Code
-        uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@v4
 
       - name: Install Docker CLI
         run: |
-          echo "Installing Docker CLI..."
-          apt-get update
-          apt-get install -y docker.io docker-compose
+          apt-get update && apt-get install -y docker.io docker-compose
 
-      - name: Deploy via Host Docker Socket (Stdin Method)
+      - name: Build and deploy via Docker Compose
         run: |
-          echo "Piping local compose file to host Docker daemon..."
-          
-          # We read the compose file from the checked-out code in the runner,
-          # but we tell the host Docker daemon that the "project directory" is /memex/projects/opencortex.
-          # The host daemon will use its own /memex files to build the image.
-          
-          cat deploy/docker/docker-compose.yml | docker-compose \
-            -p opencortex \
-            --project-directory /memex/projects/opencortex \
-            -f - \
-            down
-            
-          cat deploy/docker/docker-compose.yml | docker-compose \
-            -p opencortex \
-            --project-directory /memex/projects/opencortex \
-            -f - \
-            build --no-cache opencortex
-            
-          cat deploy/docker/docker-compose.yml | docker-compose \
-            -p opencortex \
-            --project-directory /memex/projects/opencortex \
-            -f - \
-            up -d --force-recreate opencortex
+          cd infrastructure/docker
+          docker-compose -p passepartout down
+          docker-compose -p passepartout build --no-cache passepartout
+          docker-compose -p passepartout up -d --force-recreate passepartout

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,25 @@
+name: Bug Report
+
+about: Report something that is not working as expected.
+
+---
+
+**Describe the bug**
+A clear description of what went wrong.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Run '...'
+3. See error
+
+**Expected behavior**
+What you expected to happen.
+
+**Environment:**
+- OS: [e.g. Debian 12, macOS 14]
+- SBCL version: [e.g. 2.4.0]
+- OpenCortex version: [e.g. v0.1.0]
+
+**Additional context**
+Any other relevant information (logs, stack traces, etc.)

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,22 @@
+name: Feature Request
+
+about: Suggest a new feature or enhancement.
+
+---
+
+**Describe the problem**
+What problem does this feature solve?
+
+**Describe the ideal solution**
+A clear description of what you want to happen.
+
+**Describe alternatives considered**
+Any alternative solutions you've considered.
+
+**Additional context**
+Any other relevant context (mockups, related issues, etc.)
+
+**Implementation suggestion**
+(Optional) If you have thoughts on how to implement this in pure Common Lisp + Org-mode:
+- Which skill should own this?
+- Should it be a =def-cognitive-tool=, a new skill, or an enhancement to an existing one?

.github/workflows/lint.yml

@@ -0,0 +1,74 @@
+name: Lint
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    env:
+      FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update && sudo apt-get install -y --no-install-recommends \
+            git emacs-nox
+
+      - name: Check for forbidden patterns
+        run: |
+          ! grep -r "json\." --include="*.lisp" lisp/ && \
+            echo "OK: No JSON in Lisp files"
+
+      - name: Check org files have lisp source blocks
+        run: |
+          FAIL=0
+          for f in org/*.org; do
+            if ! grep -q "#+begin_src lisp" "$f"; then
+              echo "WARNING: $f has no lisp blocks"
+              FAIL=1
+            fi
+          done
+          echo "OK: Org files checked for lisp blocks"
+
+      - name: Verify each .lisp has a corresponding .org source
+        run: |
+          FAIL=0
+          for f in lisp/*.lisp; do
+            [ -f "$f" ] || continue
+            base=$(basename "$f" .lisp)
+            if [ -f "org/${base}.org" ]; then
+              : # direct match
+            else
+              # Check if generated from a parent org via :tangle header
+              if grep -q ":tangle.*$(basename "$f")" org/*.org 2>/dev/null; then
+                : # :tangle reference found
+              else
+                echo "WARNING: $f has no corresponding .org source"
+                FAIL=1
+              fi
+            fi
+          done
+          [ "$FAIL" = 0 ] && echo "OK: All .lisp files have .org sources"
+
+      - name: Check literate granularity (one function per block)
+        run: |
+          for f in org/*.org; do
+            blocks=$(grep -c "^[[:space:]]*(defun " "$f" 2>/dev/null || true)
+            srcblocks=$(grep -c "#+begin_src lisp" "$f" 2>/dev/null || true)
+            if [ "$blocks" -gt "$srcblocks" ] && [ "$srcblocks" -gt 0 ]; then
+              echo "WARNING: $f has $blocks defuns but only $srcblocks src blocks"
+            fi
+          done
+          echo "OK: Granularity check complete"
+
+      - name: Check README has quick install
+        run: |
+          grep -q "curl.*passepartout" README.org && \
+            echo "OK: Quick install in README" || \
+            echo "WARNING: Quick install curl command not found in README"

.github/workflows/release.yml

@@ -0,0 +1,40 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Create tarball
+        run: |
+          git archive --format=tar.gz --prefix=passepartout-$(git describe --tags) HEAD -o passepartout.tar.gz
+
+      - name: Create zipball
+        run: |
+          git archive --format=zip --prefix=passepartout-$(git describe --tags) HEAD -o passepartout.zip
+
+      - name: Extract tag message as release notes
+        run: |
+          git tag -l --format='%(contents)' ${GITHUB_REF#refs/tags/} > /tmp/release-notes.md
+          echo "--- Notes preview ---"
+          head -20 /tmp/release-notes.md
+
+      - name: Upload to GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            passepartout.tar.gz
+            passepartout.zip
+          body_path: /tmp/release-notes.md
+          generate_release_notes: true

.github/workflows/test.yml

@@ -0,0 +1,92 @@
+name: Tests
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    env:
+      FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update && sudo apt-get install -y --no-install-recommends \
+            sbcl emacs-nox git curl socat rlwrap
+
+      - name: Install Quicklisp
+        run: |
+          curl -fsSL https://beta.quicklisp.org/quicklisp.lisp -o /tmp/quicklisp.lisp
+          sbcl --noinform --non-interactive \
+            --load /tmp/quicklisp.lisp \
+            --eval '(quicklisp-quickstart:install)'
+          rm -f /tmp/quicklisp.lisp
+          sbcl --noinform --non-interactive \
+            --eval '(load (merge-pathnames "quicklisp/setup.lisp" (user-homedir-pathname)))' \
+            --eval '(ql:quickload :fiveam :silent t)' \
+            --eval '(quit)'
+
+      - name: Load and verify system
+        run: |
+          export PASSEPARTOUT_DATA_DIR="$PWD/.github-test"
+          mkdir -p "$PASSEPARTOUT_DATA_DIR/org" "$PASSEPARTOUT_DATA_DIR/lisp" "$PASSEPARTOUT_DATA_DIR/test"
+
+          # Tangle org files into lisp/
+          cp org/*.org "$PASSEPARTOUT_DATA_DIR/org/"
+          cd "$PASSEPARTOUT_DATA_DIR/org" && for f in *.org; do
+            if command -v emacs; then
+              emacs -Q --batch --eval "(require 'org)" \
+                --eval "(setq org-confirm-babel-evaluate nil)" \
+                --eval "(org-babel-tangle-file \"$f\")" 2>/dev/null || true
+            fi
+          done
+          rm -f *.org
+          cd "$OLDPWD"
+
+          # Move test files to test/
+          find "$PASSEPARTOUT_DATA_DIR/lisp" -name "*-tests.lisp" -exec mv {} "$PASSEPARTOUT_DATA_DIR/test/" \; 2>/dev/null || true
+
+      - name: Load passepartout and initialize skills
+        run: |
+          export PASSEPARTOUT_DATA_DIR="$PWD/.github-test"
+          sbcl --non-interactive \
+            --eval '(load (merge-pathnames "quicklisp/setup.lisp" (user-homedir-pathname)))' \
+            --eval "(push (truename \"$PWD/\") asdf:*central-registry*)" \
+            --eval "(push (truename \"$PASSEPARTOUT_DATA_DIR/\") asdf:*central-registry*)" \
+            --eval '(ql:quickload :passepartout :silent t)' \
+            --eval "(setf (uiop:getenv \"PASSEPARTOUT_DATA_DIR\") \"$PASSEPARTOUT_DATA_DIR\")" \
+            --eval '(passepartout:skill-initialize-all)' \
+            --eval "(let ((n (hash-table-count passepartout:*skill-registry*))) (format t \"~%Skills loaded: ~a~%\" n) (unless (>= n 10) (sb-ext:exit :code 1)))"
+
+      - name: Daemon smoke test
+        run: |
+          export PASSEPARTOUT_DATA_DIR="$PWD/.github-test"
+          sbcl --non-interactive \
+            --eval '(load (merge-pathnames "quicklisp/setup.lisp" (user-homedir-pathname)))' \
+            --eval "(push (truename \"$PWD/\") asdf:*central-registry*)" \
+            --eval "(push (truename \"$PASSEPARTOUT_DATA_DIR/\") asdf:*central-registry*)" \
+            --eval '(ql:quickload :passepartout :silent t)' \
+            --eval "(setf (uiop:getenv \"PASSEPARTOUT_DATA_DIR\") \"$PASSEPARTOUT_DATA_DIR\")" \
+            --eval '(passepartout:main)' \
+            > /tmp/passepartout-daemon.log 2>&1 &
+          DAEMON_PID=$!
+
+          for i in $(seq 1 20); do
+            if ss -tln 2>/dev/null | grep -q 9105; then
+              echo "✓ Daemon ready on port 9105"
+              timeout 3 bash -c 'exec 3<>/dev/tcp/localhost/9105; head -c 200 <&3' 2>/dev/null | grep -q "handshake" && \
+                echo "✓ Protocol handshake received"
+              break
+            fi
+            sleep 1
+          done
+
+          kill $DAEMON_PID 2>/dev/null || true
+          wait $DAEMON_PID 2>/dev/null || true
+          echo "✓ Daemon smoke test passed"

.gitignore

@@ -1,6 +1,16 @@
 .env
-opencortex-server
+passepartout-server
 \$MEMEX_DIR/
 *.log
 *~
 \#*#
+passepartout-tui
+test_input.txt
+
+# Generated artifacts (source of truth is .org)
+/skills/*.lisp
+/tmp/*.lisp
+*.fasl
+docs/#DESIGN_DECISIONS.org# docs/DESIGN_DECISIONS.org~
+extras/*.elc
+state/

Dockerfile

@@ -1,71 +0,0 @@
-# OPENCORTEX v1.0 Production Environment
-FROM debian:bookworm-slim
-
-# Prevent interactive prompts during build
-ENV DEBIAN_FRONTEND=noninteractive
-
-# 1. Install System Dependencies
-# - sbcl: The Lisp Runtime
-# - curl/git/unzip: Standard tools for Quicklisp and binaries
-# - default-jre: Required by signal-cli
-# - python3/pip: Required for Playwright bridge
-# - socat: Required for stateful CLI interaction
-RUN apt-get update && apt-get install -y \
-    sbcl \
-    curl \
-    git \
-    unzip \
-    default-jre \
-    libsqlite3-0 \
-    python3 \
-    python3-pip \
-    python3-venv \
-    emacs-nox \
-    socat \
-    && rm -rf /var/lib/apt/lists/*
-
-# 2. Setup Playwright (High-Fidelity Browsing)
-RUN python3 -m venv /opt/venv
-ENV PATH="/opt/venv/bin:$PATH"
-RUN pip install playwright \
-    && playwright install --with-deps chromium
-
-# 3. Install signal-cli (v0.14.0)
-ENV SIGNAL_CLI_VERSION=0.14.0
-RUN curl -L https://github.com/AsamK/signal-cli/releases/download/v${SIGNAL_CLI_VERSION}/signal-cli-${SIGNAL_CLI_VERSION}-Linux.tar.gz | tar xz -C /opt \
-    && ln -s /opt/signal-cli-${SIGNAL_CLI_VERSION}/bin/signal-cli /usr/local/bin/signal-cli
-
-# 4. Install Quicklisp & Pin Distribution
-# Pinned to 2026-04-01 for bit-rot resistance.
-WORKDIR /root
-RUN curl -O https://beta.quicklisp.org/quicklisp.lisp \
-    && sbcl --non-interactive \
-        --load quicklisp.lisp \
-        --eval '(quicklisp-quickstart:install)' \
-        --eval '(ql-dist:install-dist "http://beta.quicklisp.org/dist/quicklisp/2026-04-01/distinfo.txt" :prompt nil :replace t)'
-
-# 5. Configure SBCL to load Quicklisp on startup
-RUN echo '(let ((quicklisp-init (merge-pathnames "quicklisp/setup.lisp" (user-homedir-pathname)))) (when (probe-file quicklisp-init) (load quicklisp-init)))' > /root/.sbclrc
-
-# 6. Setup Application Directory
-WORKDIR /app
-COPY . /app/projects/opencortex
-
-# 7. Pre-cache Lisp Dependencies
-RUN sbcl --non-interactive \
-    --eval '(push #p"/app/projects/opencortex/" asdf:*central-registry*)' \
-    --eval '(ql:quickload :opencortex)'
-
-# 8. Environment & Volumes
-# The host's memex root should be mounted to /memex
-ENV MEMEX_DIR=/memex
-VOLUME ["/memex"]
-
-# Default Ports
-EXPOSE 9105 8080
-
-# Entrypoint
-CMD ["sbcl", "--non-interactive", \
-     "--eval", "(push #p\"/app/projects/opencortex/\" asdf:*central-registry*)", \
-     "--eval", "(ql:quickload :opencortex)", \
-     "--eval", "(opencortex:main)"]

LICENSE

@@ -1,21 +1,661 @@
-MIT License
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
 
-Copyright (c) 2026 Amr Gharbeia
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+                            Preamble
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+  The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+  A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate.  Many developers of free software are heartened and
+encouraged by the resulting cooperation.  However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+  The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community.  It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server.  Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+  An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals.  This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU Affero General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Remote Network Interaction; Use with the GNU General Public License.
+
+  Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software.  This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time.  Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source.  For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.  There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.

README.org

@@ -1,144 +1,163 @@
-#+TITLE: OpenCortex: The Conductor of your Life Stack
+#+TITLE: Passepartout — The Plain-Text AI Assistant That Never Gets More Expensive
+#+AUTHOR: Amr
+#+FILETAGS: :passepartout:ai:assistant:
 
-*opencortex* is a minimalist, extensible AI agent framework designed to manage and continuously organize your personal knowledge base. It transforms a static collection of plaintext notes into a live, programmable [[https://en.wikipedia.org/wiki/Memex][Memex]]—an automated, personalized memory system where humans and AI collaborate in the exact same workspace.
+#+HTML: <div style="display: flex; gap: 8px; flex-wrap: wrap; margin-bottom: 1em;">
+#+HTML: <img src="https://img.shields.io/badge/version-v0.7.2-blue?style=flat-square">
+#+HTML: <img src="https://img.shields.io/badge/license-AGPLv3-green?style=flat-square">
+#+HTML: <img src="https://img.shields.io/badge/Lisp-Common%20Lisp-forestgreen?style=flat-square">
+#+HTML: <img src="https://img.shields.io/badge/docs-Org--mode-darkgreen?style=flat-square">
+#+HTML: </div>
 
-* The Problem with Current AI Agents
+Passepartout is an AI assistant that runs in your terminal. It reads and writes your Org-mode files, executes tasks through a verified safety gate, and works fully offline with local LLMs. Every action the LLM proposes is checked by ten deterministic safety gates before it touches a file, runs a command, or sends a message. The LLM suggests. The gate decides.
+Everything it knows is a folder of plain text files that you own.
 
-The current ecosystem of AI agents (typically built in Python or TypeScript) is overwhelmingly built on architectural choices that prioritize rapid prototyping over long-term reliability, security, and self-modification:
-
-1. *The Format Trap (Markdown & JSON):* Most agents force a painful translation layer. Humans write in Markdown, which lacks a strict Abstract Syntax Tree (AST)—a rigorous, nested representation of data that machines need to parse context reliably. Machines, in turn, output JSON or YAML, which are hostile formats for human thought and note-taking. The result is a fractured workspace where the agent's memory and the human's memory are fundamentally incompatible. Furthermore, because Markdown cannot be efficiently collapsed, agents are forced to consume massive amounts of tokens by reading entire files just to find a single paragraph.
-2. *The Language Trap (Python & TypeScript):* Python and TypeScript are fantastic for gluing together APIs or training models, but they are poorly suited for an agent that needs to safely read, write, and execute its own code at runtime. Their underlying structures are complex and opaque, making autonomous self-editing incredibly brittle and dangerous.
-3. *The Probabilistic Trap:* Almost all modern agents rely entirely on /probabilistic/ reasoning. We ask an AI model to guess a shell command or write a Python script, and then blindly pipe that output to a terminal. Without a rigorous, /deterministic/ layer to formally verify the model's proposals before execution, these systems are fundamentally unsafe. 
-
-* The Vision: A Modern, Homoiconic Memex
-
-opencortex abandons these fragile paradigms by returning to first principles and embracing two historically powerful technologies: *Org-mode* and *Common Lisp*. 
-
-** 1. Org-mode: The Universal Language
-Instead of wrestling with Markdown parsers or hiding data in opaque databases, opencortex mandates that *Org-mode is the native AST for both humans and machines.* 
-
-Org-mode is unique because it seamlessly brings together human-readable prose, structured metadata (properties and tags), lifecycle states (TODO/DONE), and executable code blocks into a single plain-text file. The code is the data, and the data is the interface. When the agent "remembers" a fact or schedules a task, it writes an Org headline. You read exactly what the agent reads.
-
-*The Token Advantage:* Because Org-mode is a strict outline, opencortex never needs to send an entire document to an AI model. It uses *Sparse Trees* to send a high-level table of contents, zooming in only on the specific headline relevant to the task. This drastically reduces token consumption and eliminates context window overflow.
-
-** 2. Common Lisp: The Engine of Self-Modification
-There is a beautiful irony to opencortex: Lisp was invented in 1958 specifically to achieve Artificial Intelligence, and it has been waiting nearly 70 years for /this exact moment/ in computing history. 
-
-Lisp possesses a unique property called *Homoiconicity*: the primary representation of the program is also a data structure (nested lists) within the language itself. Because Lisp code /is/ Lisp data, it is trivially easy for an AI to generate, manipulate, and safely evaluate new tools at runtime. This makes Lisp the ultimate, un-brittle language for a "self-writing" agent.
-
-** 3. The Probabilistic-Protodeterministic Loop
-opencortex does not let AI models touch your system directly. Instead, it splits cognition into two distinct engines:
-- *The Probabilistic Engine (The AI Models):* Provides semantic understanding, multimodal translation, and probabilistic creativity. It looks at your Memex and proposes an action by writing a strictly formatted Lisp s-expression.
-- *The Deterministic Engine (Common Lisp):* Provides deterministic logic, physics, and safety. It intercepts the model's Lisp proposal, formally verifies its structure against your security rules, and only executes it if it is mathematically sound.
-
-Crucially, the Deterministic engine is *continuously progressive*. Right now, it starts by acting as a strict security bouncer—enforcing rules and bounding the AI's actions. But as the system matures, the Deterministic engine will progressively take over more and more of the actual reasoning, reducing the AI models' involvement to a mere semantic translation layer for the messy outside world. We are moving from a /probabilistic-protodeterministic/ system today, toward a fully autonomous /probabilistic-deterministic/ Lisp machine tomorrow.
-
-* Architecture: Thin Harness, Fat Skills
-
-To guarantee long-term stability, opencortex enforces a strict architectural boundary inspired by the "thin harness, fat skills" philosophy.
-
-** The Minimalist Harness
-The Lisp microkernel does almost no actual "work." It is a thin, unbreakable harness strictly responsible for three things:
-1. *The Memory:* Maintaining the live graph of your Memex in RAM.
-2. *The Communication Protocol:* Managing the secure bridge between the agent and the outside world. While power users can connect natively via Emacs or Vim, the vast majority of users will interact with opencortex exclusively through chat clients (like Telegram, Signal, or Matrix), web dashboards, or a Terminal UI (TUI). The harness doesn't care; it just securely routes the messages.
-3. *The Cognitive Cycle:* Moving signals through the Perceive -> Probabilistic -> Deterministic -> Dispatch pipeline.
-
-Everything else—AI routing, vector embeddings, shell execution, or web browsing—is pushed entirely out of the harness and into *Fat Skills*.
-
-** Literate, Single-File Skills
-In standard agent frameworks, adding a new capability (like "Search the Web") requires creating a sprawling folder with a Python script, a JSON configuration file, and a separate text file for the AI prompt. This creates massive structural bloat.
-
-In opencortex, a Skill is simply a *single .org file*. 
-
-Using *Literate Programming*, this single file contains everything:
-- The human-readable documentation and architectural intent.
-- The system prompt instructions for the Probabilistic Engine.
-- The deterministic Lisp code for the Deterministic engine's safety checks.
-- The actual execution logic.
-
-When the system boots, it parses these single files, mathematically proves their dependencies, and compiles them directly into the live Lisp image.
-
-** The Anatomy: Three Data Stores
-The agent's "mind" is not a transient chat session; it is a durable, stateful architecture consisting of three layers:
-1. *The Linguistic Substrate (Plaintext Files):* The human-readable Source of Truth on your hard drive. You can edit these files in any text editor, and the agent will instantly perceive the changes.
-2. *The Lisp Memory (RAM):* The "Active Brain," a live, threaded graph of Lisp objects representing every headline, paragraph, and tag in your Memex. It allows the agent to navigate your life instantly without constantly re-reading files.
-3. *The Telemetry Store (External):* A high-volume database for sub-deterministic sensory data (e.g., smart home logs or system metrics), which the agent monitors and distills.
-
-** The Psychology: The 2x2 Cognitive Matrix
-The agent operates on a matrix that balances cognitive speed with cognitive state:
-
-| | Probabilistic (Neural/Intuitive) | Deterministic (Deterministic/Logical) |
-| :--- | :--- | :--- |
-| Foreground (Active) | *The Interface:* Fast AI models for conversation, multimodal ingestion, and semantic understanding. | *The Steward:* Lisp engine that safely retrieves requested data from the Memex and enforces security rules while the Interface keeps you engaged. |
-| Background (Passive) | *The Editor:* Deep AI models finding hidden patterns while you sleep. | *The Librarian:* Lisp engine continuously maintaining data integrity and filing away loose notes. |
-
-** The Physiology: Five Core Processes
-1. *Perception:* Automatically vectorizes your input and sets the "Foreground Focus" so the agent knows exactly what you are looking at or talking about.
-2. *Reasoning:* Uses Lisp-native logic to reconcile contradictions and enforce the physics of the Memex.
-3. *Distillation:* A Background loop that reads your chronological daily logs and automatically extracts concepts into permanent, evergreen notes.
-4. *Reflection:* A heartbeat-driven process that finds forgotten links and maintains the structural health of the system.
-5. *Sensation:* A converter that monitors the raw flood of telemetry data and turns significant anomalies into actionable TODO items on your list.
-
-* The Ecosystem: Core Skill Groups
-
-Because the harness is deliberately thin, every capability of opencortex is implemented as a single-file Literate Skill. This allows you to hot-reload, modify, or completely remove features on the fly without restarting the core environment. 
-
-The ecosystem is divided into five primary skill groups:
-
-** 1. Gateways (How you talk to the agent)
-The agent meets you where you are. While it natively integrates with text editors, it features standalone gateway skills for modern interfaces. 
-- *Chat Gateways:* Interact securely from your phone via clients like Matrix, Signal, or Telegram.
-- *Web & TUI Dashboards:* High-level visual overviews of your agent's background processes and telemetry.
-
-** 2. Cognition & Memory (How the agent thinks)
-- *Model Routing:* Dynamically routes requests to the best available Probabilistic model (e.g., Anthropic, OpenAI, Local Llama) based on task complexity or privacy needs.
-- *Peripheral Vision & Embeddings:* Manages the vectorization of your notes, ensuring the agent retrieves semantically relevant context via sparse trees.
-- *The Ontology Scribe:* Centralizes all rules regarding Org, GTD, and Org-Roam parsing into a single background subroutine, eliminating parser confusion across the codebase.
-
-** 3. Actuators (How the agent affects the world)
-- *The Shell Actuator:* Safely executes whitelisted terminal commands to interact with the host OS.
-- *The Playwright Bridge:* Grants the agent the ability to spin up a headless browser, navigate the web, read documentation, and interact with web applications.
-
-** 4. Security & Alignment (How the agent stays safe)
-- *Formal Verification:* The mathematical gatekeeper that proves a proposed action is safe (e.g., ensuring file writes are confined strictly to your Memex directory) before execution.
-- *The Credentials Vault:* A secure, masked enclave that prevents AI models from ever reading your raw API keys or .env files.
-
-** 5. Background Subroutines (The Autonomous Workers)
-- *The Journal Scribe:* Periodically distills messy chronological logs into clean, permanent notes.
-- *The Gardener:* A heartbeat-driven worker that flags broken links, finds orphaned ideas, and maintains the structural health of your Memex.
-
-* Quick Start (The Zero-to-One Experience)
-
-opencortex can be installed and booted with a single command. The unified entrypoint script will detect your OS, offer to install Docker if missing, interactively gather your API keys, and launch the autonomous kernel in the background.
+*Install:*
 
 #+begin_src bash
-curl -fsSL https://raw.githubusercontent.com/gharbeia/opencortex/main/opencortex.sh | bash
+curl -fsSL https://raw.githubusercontent.com/amrgharbeia/passepartout/main/passepartout | bash -s configure
 #+end_src
 
-After installation, simply type `opencortex` in your terminal to start chatting with your autonomous brain.
+This installs dependencies (SBCL, Quicklisp), tangles the Org source files, and runs the setup wizard for LLM providers. Requires curl and sudo access for package installation.
 
-For power users who wish to run the agent natively (Baremetal), please refer to the [[file:literate/setup.org][setup.org]] literate documentation.
+* What is an AI Agent?
 
-* The Evolutionary Roadmap (v0.1.0 to v4.0.0+)
+An AI agent is a program that can act on your behalf — reading files, running commands, sending messages — rather than just answering questions. Unlike a chatbot that only produces text, an agent has /actuators/ that let it affect the world: a shell, a file editor, a message sender. See [[https://en.wikipedia.org/wiki/Software_agent][Software agent]] on Wikipedia.
 
-** v0.1.0: The Autonomous Foundation (Current Release)
-The initial MVP that establishes a secure, auditable Lisp kernel for a personal operating system. It features a robust metabolic pipeline, mandatory skill enforcement, and background distillation.
+Passepartout is a /sovereign/ agent: it runs on your machine, operates on your plain-text files, and verifies every action through deterministic safety gates before execution.
 
-** v1.0.0 (Phase 2.5): The Verified Wrapper (Current Target)
-At this stage, opencortex achieves feature parity with State-of-the-Art autonomous agents (like Devin or SWE-agent) but with Lisp-grade mathematical security.
-- *The Tools are External:* The agent uses a standard bash shell, a headless browser (via Playwright), and standard file I/O.
-- *The Safety is Internal:* The Bouncer and Formal Verification gates mathematically prove actions are safe before piping them to external tools.
-- *The Result:* An autonomous agent capable of end-to-end software engineering, web research, and system administration, running securely and locally.
+* What Makes Passepartout Different
 
-** v2.0.0 (Phase 3): The Cannibalization
-Replacing string-based tool wrappers with native Lisp data structures to eliminate LLM fragility.
-- *Cannibalizing the Browser:* Ingesting the DOM as a native Lisp AST rather than fighting with Playwright scripts.
-- *Cannibalizing the Shell & Editor:* Moving from bash execution to native OS API bindings. Emacs becomes a viewport for the live AST, not a master.
-- *The Result:* The LLM no longer has to guess at messy `stdout` or raw HTML strings; it manipulates deterministic data structures directly.
+** Every action is verified, not trusted.
 
-** v3.0.0 (Phase 4): True Symbolic Determinism
-The great inversion. The Lisp engine takes the wheel, and the LLM is relegated to translation.
-- *The Semantic Translator:* The LLM exclusively translates unstructured human intent (natural language, images) into strict Lisp S-expressions.
-- *Deterministic Planning (The Solver):* The core reasoning engine uses formal logic, graph traversal, and constraint solving to plan and execute workflows.
-- *Self-Correcting Syntax:* The Lisp engine catches and repairs hallucinated syntax errors without consulting the LLM.
+Most AI agents add safety checks as an afterthought — prompt-based guardrails that consume LLM tokens and can be evaded with clever phrasing. Passepartout inverts this: ten deterministic safety gates run in pure Lisp between the LLM's proposal and execution. Secret scanning checks for API key leaks. Path protection blocks reads and writes to sensitive files, including a self-build safety boundary that prevents the agent from modifying its own core pipeline without human review. Shell safety detects destructive commands and injection vectors. Network exfiltration detection flags unauthorized outbound connections. Lisp syntax validation catches malformed code before it writes to disk.
 
+Every gate costs 0 LLM tokens. Every gate is a Common Lisp function, not a prompt. Every gate runs for every action, unconditionally.
+
+If a gate blocks a proposal, the rejection feedback goes back to the LLM so it can self-correct and try again. If the deterministic Dispatcher is uncertain, it creates a Flight Plan — a human-readable Org buffer you review and approve. The human decides. The Dispatcher learns from your decision and writes a rule for next time.
+
+** The more you use it, the cheaper it gets (architectural aspiration)
+
+Passepartout is designed with a downward cost curve — an architectural property, not yet measured empirically. Here is the thesis.
+
+When you use Passepartout, the Dispatcher observes every blocked action and every human-approved exception. Each decision becomes a deterministic rule. A file write you approved once becomes an allowed path pattern. A shell command you denied becomes a permanent block. Each hardened rule means one fewer LLM call next time. This rule-learning system is planned for v0.5.0.
+
+Meanwhile, the foveal-peripheral context model prunes your [[https://en.wikipedia.org/wiki/Memex][memex]] — your personal knowledge base, a term coined by Vannevar Bush in 1945 for a mechanised private library — to the relevant Org subtrees before sending anything to the LLM. The agent does not load your entire knowledge base, or even the entire file like agents that use Markdown do — it loads precisely the headlines that matter. Less context in, fewer tokens out.
+
+These mechanisms are implemented and working today. Token cost measurement and optimization are tracked in the [[file:docs/ROADMAP.org][v0.5.0 Roadmap]]. Until empirically verified, the cost claims in [[file:docs/DESIGN_DECISIONS.org][Design Decisions]] (2-3x fewer tokens for coding, 13-24x for knowledge management) should be read as architectural projections, not measured results.
+
+** It edits its own source code. Verified before execution.
+
+Passepartout can read its own Org-mode source files, propose changes, and hot-reload skills into the running image without restarting. The skill engine loads every skill into a jailed Common Lisp package, validates its syntax, tests its trigger function in isolation, and only then promotes it to the live registry.
+
+Core pipeline files — the Perceive-Reason-Act loop, the Merkle-tree memory, the Dispatcher gate stack — are path-protected. The agent could modify its own brain stem, but it cannot do this without human review. Skills and system modules expand freely. The core stays small, protected, and auditable.
+
+No other AI agent can modify its own reasoning engine and reload the change while it is running. This is not a planned feature. It works today.
+
+** Your memory and your tasks are the same format. Org-mode.
+
+Passepartout makes a bet that most systems consider too expensive: humans and machines should share the same file format. That format is Org-mode.
+
+Your notes, your calendar, your project plans, the agent's memory, and the agent's own source code are all the same thing: Org files in ~/memex/. =headline trees. Property drawers for metadata. Source blocks for code. TODO keywords for task state. Tags for categorization.
+
+When you write a TODO in Emacs, the agent sees it immediately as a native data structure and acts on it. When the agent creates a note, you can open it in any text editor and read it. There is no import/export step, no hidden database (except maybe for indexing), no format conversion. If Passepartout stops existing tomorrow, your data survives in plain text, readable in 2040.
+
+** Works offline. Works locally. The safety doesn't stop.
+
+You can run Passepartout entirely on your hardware with a local LLM via Ollama or some other inference engine. No internet connection required. But unlike most local AI tools, offline mode does not mean safety-last. The ten deterministic safety gates are pure Common Lisp — they run identically whether you are online or off. The Merkle-tree memory with snapshot rollback is in-process, 0 milliseconds, 0 network calls. Semantic retrieval runs on in-image vectors, 0 LLM tokens per query.
+
+Cloud providers (OpenRouter, OpenAI, Anthropic, Groq, Gemini, DeepSeek, NVIDIA NIM...) are optional add-ons. When you use them, the model-tier router automatically selects the cheapest provider that matches your task's complexity. Privacy-tagged content stays local even when cloud providers are configured.
+
+* How It Works
+
+Every signal — a chat message, a heartbeat tick, a file change notification — moves through three stages:
+
+#+begin_example
+Signal  →  Perceive  →  Reason  →  Act
+            normalize    LLM proposes  dispatch approved action
+                         gates verify  tool output feeds back
+#+end_example
+
+*Perceive* normalizes raw input from any gateway (TUI, CLI, Telegram, Signal) into a uniform signal plist. Buffer updates from Emacs ingest Org AST nodes into memory. Heartbeat ticks trigger background maintenance. HITL commands intercept before the LLM is invoked.
+
+*Reason* calls the LLM to generate a proposal, then runs the proposal through every registered deterministic gate — sorted by priority, highest first. If a gate rejects (shell command blocked, path protected, secret exposed), the rejection trace feeds back to the LLM for self-correction, up to three retries. If a gate requests human approval, the action becomes a Flight Plan awaiting your decision. If all gates pass, the action proceeds to Act.
+
+*Act* dispatches the approved action to the correct actuator: shell commands go to the shell actuator (with timeout and output limiting), tool invocations go to the cognitive tool registry, system commands trigger internal harness operations, and chat responses route to the TUI or messaging gateway. Each stage can feed back into Perceive — a tool output becomes the next perception.
+
+This pipeline is not a single-threaded bottleneck. The priority-queued signal processor (v0.5.0 roadmap) preempts background maintenance for user interactions. The Merkle-tree memory supports concurrent reads and writes through versioned snapshots — multiple signals can process simultaneously without corrupting shared state.
+
+Deep detail: [[file:docs/ARCHITECTURE.org][Architecture]] for the full code map and pipeline flow, [[file:docs/DESIGN_DECISIONS.org][Design Decisions]] for the rationale behind every architectural choice.
+
+* Current Capabilities
+
+Features marked =Stable= ship in the current release. Features marked =Planned= are scheduled in the [[file:docs/ROADMAP.org][Roadmap]].
+
+| Capability                       | Status   | Since   | Notes                                                                |
+|----------------------------------+----------+---------+----------------------------------------------------------------------|
+| 10-vector deterministic safety   | Stable   | v0.2.0  | Secrets, paths, self-build, shells, network, lisp, privacy, approval |
+| Foveal-peripheral context model | Stable   | v0.2.0  | Sends relevant subtrees, not all files                               |
+| Merkle-tree memory + snapshots   | Stable   | v0.2.0  | Integrity hashing, copy-on-write rollback                            |
+| Self-editing + hot-reload         | Stable   | v0.2.0  | Agent reads, modifies, reloads its own code                          |
+| 8 provider cascade                | Stable   | v0.1.0  | OpenRouter, OpenAI, Anthropic, Groq, Gemini, DeepSeek, NVIDIA, local |
+| Terminal UI (Croatoan)            | Stable   | v0.2.0  | Scrollback, history, themes, commands, tab completion                |
+| Skill engine (20+ skills)         | Stable   | v0.1.0  | Jailed loading, topological sort, hot-reload                         |
+| Human-in-the-Loop approval        | Stable   | v0.3.0  | Flight Plan workflow for blocked actions                             |
+| Model-tier routing                | Stable   | v0.3.0  | Sends simple tasks to cheaper models                                 |
+| Event orchestrator (hooks + cron) | Stable   | v0.3.0  | Org-based hook and cron dispatch                                     |
+| Context manager (project scoping) | Stable   | v0.3.0  | Push/pop focus, persist across restart                               |
+| Semantic retrieval (trigram)      | Stable   | v0.4.0  | Trigram Jaccard — lexical overlap, 0 LLM tokens                      |
+| TUI gate trace + focus map        | Stable   | v0.4.0  | Visual safety trace + what the agent is looking at                   |
+| Emacs bridge                      | Stable   | v0.4.0  | Native Emacs client over the wire protocol                           |
+| Self-build safety boundary        | Stable   | v0.4.0  | Core files path-protected, HITL Flight Plan required                 |
+| Expanded theme (25-color)         | Stable   | v0.4.0  | 4 named presets (dark/light/gruvbox/solarized), /theme command       |
+| Discord + Slack gateways          | Stable   | v0.4.0  | 4 platforms: Telegram, Signal, Discord, Slack                        |
+| Native embedding inference        | Beta     | v0.4.x  | CFFI llama.cpp binding, nomic-embed-text (768-dim)                   |
+| Structured output (function-calling) | Stable | v0.4.2 | LLM tool use via native function-calling API, JSON→plist boundary |
+| Shell sandbox (bwrap)               | Stable | v0.4.3 | Bubblewrap namespace isolation, network/IPC lockdown   |
+| Shell severity classification        | Stable | v0.4.3 | catastrophic→dangerous→moderate→harmless tier system   |
+| Token economics + cost tracking   | Stable   | v0.5.0  | Per-session cost counter, prompt caching, budget enforcement         |
+| Time awareness                    | Stable   | v0.6.0  | Symbolic-time-memory + sensor-time skills, ISO timestamps in prompts |
+| TUI readline/Ctrl bindings        | Stable   | v0.7.0  | Ctrl+U/W/A/E/L/D, Ctrl+X+E editor, Ctrl+C interrupt cascade         |
+| TUI Unicode width                 | Stable   | v0.7.0  | char-width: ASCII/CJK/emoji/combining marks, pure Lisp               |
+| TUI scroll notification           | Stable   | v0.7.0  | :scroll-notify flag, new-message alert when scrolled up              |
+| TUI deeper autocomplete           | Stable   | v0.7.0  | @ file paths, /theme subcommand, /focus directories                  |
+| Streaming responses               | Stable   | v0.7.2  | SSE streaming, live output in TUI, interrupt-and-redirect            |
+| TUI markdown rendering            | Stable   | v0.7.2  | Bold/italic/inline code styled via Croatoan attributes               |
+| Priority-queue signal processing  | Planned  | v0.7.2  | Preempts background for user interactions                            |
+| Markdown rendering (full)         | Planned  | v0.7.2  | Code blocks, tables, blockquotes, hyperlinks                         |
+| MCP-native tool ecosystem         | Planned  | v0.7.0  | 50+ tools from the MCP ecosystem                                     |
+| Voice gateway                     | Planned  | v0.7.3  | Speech-to-text + text-to-speech via Whisper / ElevenLabs             |
+| Task planning (tree DAG)          | Planned  | v0.8.0  | Org headline task trees, branch pruning                              |
+| Skill creator                     | Planned  | v0.8.0  | LLM drafts skills from natural language, verified before load        |
+| Computer use / vision             | Planned  | v0.9.0  | Screenshot capture, UI interaction                                   |
+| SWE-bench evaluation harness      | Planned  | v0.9.0  | Automated benchmark scoring with Org trajectory audit                |
+| Consensus loop (multi-provider)   | Planned  | v0.10.0 | Parallel inference, disagreement detection                           |
+| GTD integration                   | Planned  | v0.10.0 | Full capture-clarify-organize-reflect-engage                         |
+| Deep Emacs integration            | Planned  | v0.10.0 | Org-agenda, clock time, refile, archive                              |
+
+* Quick Start
+
+After installation, the =passepartout= command is available from anywhere.
+
+#+begin_src bash
+passepartout tui       # launch the terminal interface
+passepartout daemon    # start the background daemon (for TUI/CLI/gateways)
+passepartout doctor    # run system health check
+#+end_src
+
+See [[file:docs/USER_MANUAL.org][User Manual]] for the full guide.
+
+* Project Documentation
+
+| Document                                  | Answers                                               |
+|-------------------------------------------+-------------------------------------------------------|
+| [[file:docs/USER_MANUAL.org][User Manual]]            | How do I use it?                                      |
+| [[file:docs/ARCHITECTURE.org][Architecture]]       | How does it work inside?                              |
+| [[file:docs/DESIGN_DECISIONS.org][Design Decisions]] | Why was it built this way?                            |
+| [[file:docs/ROADMAP.org][Roadmap]]                  | Where is it going? When?                              |
+| [[file:docs/CONTRIBUTING.org][Contributing]]         | How do I contribute?                                  |
+
+* License
+
+Passepartout is released under the [[file:LICENSE][AGPLv3 license]].
+See [[file:CLA.org][CLA.org]] for the Contributor License Agreement.

USER_MANUAL.md

@@ -1,55 +0,0 @@
-# OpenCortex v0.1.0 User Manual
-
-OpenCortex is a neurosymbolic AI agent designed for autonomous Memex maintenance. It combines the probabilistic power of Large Language Models with the deterministic safety of Common Lisp and the structured clarity of Org-mode.
-
-## 1. Quick Start
-
-Install and boot OpenCortex with a single command:
-
-```bash
-curl -fsSL https://raw.githubusercontent.com/gharbeia/opencortex/main/opencortex.sh | bash
-```
-
-Once installed, simply run `opencortex` to start the interactive CLI.
-
-## 2. The Core MVP Skills
-
-The v0.1.0 release includes the following essential skills:
-
-### Safety & Integrity
-*   **System Policy:** Enforces core invariants (Sovereignty, Transparency).
-*   **The Bouncer:** Inspects all proposed actions and blocks high-risk operations.
-*   **Protocol Validator:** Ensures communication integrity.
-
-### Cognitive Kernel
-*   **LLM Gateway:** Routes requests to your preferred provider (Gemini, Anthropic, etc.).
-*   **Peripheral Vision:** Manages context and retrieves relevant notes via Sparse Trees.
-*   **Memory Steward:** Maintains the live graph of your Org-mode Memex.
-*   **Credentials Vault:** Securely stores your API keys.
-
-### Interaction & Actuation
-*   **CLI Gateway:** The primary interface for chatting with your agent.
-*   **Shell Actuator:** Allows the agent to perform safe system side-effects.
-
-### Autonomous Services
-*   **The Scribe:** Automatically distills your daily chronological logs into structured notes.
-*   **The Gardener:** Proactively repairs broken links and flags orphaned nodes.
-
-## 3. Basic Usage
-
-### Chatting
-Type natural language messages into the CLI. The agent will perceive your intent, consult its Memory, and propose actions.
-
-### Memex Maintenance
-OpenCortex monitors your `daily/` directory. Use the Scribe to distill your thoughts:
-`User: Distill my notes from yesterday.`
-
-### Safety Approvals
-When the Bouncer intercepts a high-impact action, it will create a "Flight Plan" in your Memex. You must mark it as `APPROVED` before the agent proceeds.
-
-## 4. Configuration
-
-All configuration is stored in the `.env` file in your installation directory. You can update your API keys, change your Assistant's name, or modify the mandatory skill list there.
-
----
-*OpenCortex: The Conductor of your Life Stack.*

deploy/bare-metal/install.sh

@@ -1,46 +0,0 @@
-#!/bin/bash
-# opencortex: Bare Metal Installation Script
-# This script sets up the opencortex daemon on a Linux host (Debian/Fedora).
-
-set -e
-
-echo "--- opencortex: Bare Metal Installation ---"
-
-# 1. Check Dependencies
-echo "[1/4] Checking dependencies..."
-for cmd in sbcl curl git ripgrep; do
-    if ! command -v $cmd &> /dev/null; then
-        echo "Error: $cmd is not installed. Please install it first."
-        exit 1
-    fi
-done
-
-# 2. Setup Quicklisp
-if [ ! -d "$HOME/quicklisp" ]; then
-    echo "[2/4] Quicklisp not found. Installing..."
-    curl -O https://beta.quicklisp.org/quicklisp.lisp
-    sbcl --non-interactive --load quicklisp.lisp --eval '(quicklisp-quickstart:install)'
-    rm quicklisp.lisp
-    echo "Quicklisp installed."
-else
-    echo "[2/4] Quicklisp already installed."
-fi
-
-# 3. Build standalone binary
-echo "[3/4] Building standalone binary..."
-PROJECT_ROOT=$(pwd)/../..
-sbcl --non-interactive \
-     --eval "(push \"$PROJECT_ROOT/\" asdf:*central-registry*)" \
-     --eval "(ql:quickload :opencortex)" \
-     --eval "(asdf:make :opencortex)"
-
-echo "Binary built: $PROJECT_ROOT/opencortex-server"
-
-# 4. Instructions for Systemd
-echo "[4/4] Installation complete."
-echo ""
-echo "To run as a systemd service:"
-echo "1. Edit opencortex.service to set correct paths."
-echo "2. sudo cp opencortex.service /etc/systemd/system/"
-echo "3. sudo systemctl daemon-reload"
-echo "4. sudo systemctl enable --now opencortex"

deploy/bare-metal/org-agent.service

@@ -1,18 +0,0 @@
-[Unit]
-Description=opencortex: Probabilistic-Deterministic Lisp Machine Kernel
-After=network.target
-
-[Service]
-Type=simple
-# Update User and WorkingDirectory to match your local setup
-User=amr
-WorkingDirectory=/home/amr/.openclaw/workspace/memex/5_projects/opencortex
-ExecStart=/home/amr/.openclaw/workspace/memex/5_projects/opencortex/opencortex-server
-Restart=always
-RestartSec=10
-
-# Environment variables can be loaded from the .env file
-EnvironmentFile=/home/amr/.openclaw/workspace/memex/5_projects/opencortex/.env
-
-[Install]
-WantedBy=multi-user.target

deploy/docker/Dockerfile

@@ -1,44 +0,0 @@
-FROM debian:bookworm-slim
-
-# Install SBCL, ripgrep, and build dependencies
-RUN apt-get update && \
-    apt-get install -y sbcl build-essential curl git ripgrep libsqlite3-dev lynx python3 python3-pip && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
-
-# Install Quicklisp globally
-RUN curl -O https://beta.quicklisp.org/quicklisp.lisp && \
-    sbcl --non-interactive \
-         --load quicklisp.lisp \
-         --eval '(quicklisp-quickstart:install :path "/opt/quicklisp")' \
-         --eval '(ql-util:without-prompting (ql:add-to-init-file))' && \
-    rm quicklisp.lisp
-
-# Set up the working directory
-WORKDIR /app
-
-# Copy source code and system definition
-COPY opencortex.asd /app/
-COPY src/ /app/src/
-
-# Ensure we aren't using a stale binary from the host
-RUN rm -f /app/opencortex-server
-
-# Build the standalone binary natively inside the container
-# This ensures GLIBC compatibility with the runtime environment.
-RUN sbcl --non-interactive \
-         --eval '(push "/app/" asdf:*central-registry*)' \
-         --eval '(ql:quickload :opencortex)' \
-         --eval '(asdf:make :opencortex)'
-
-# Ensure the binary is executable
-RUN chmod +x /app/opencortex-server
-
-# Expose the communication protocol and Web Dashboard ports
-EXPOSE 9105 8080
-
-# The app expects the memex to be mounted here
-VOLUME /memex
-
-# Run the natively compiled standalone daemon
-CMD ["./opencortex-server"]

deploy/docker/docker-compose.yml

@@ -1,18 +0,0 @@
-version: '3.8'
-
-services:
-  opencortex:
-    build:
-      context: ../..
-      dockerfile: deploy/docker/Dockerfile
-    container_name: opencortex
-    restart: unless-stopped
-    ports:
-      - "${ORG_AGENT_DAEMON_PORT:-9105}:${ORG_AGENT_DAEMON_PORT:-9105}"
-      - "${ORG_AGENT_WEB_PORT:-8080}:${ORG_AGENT_WEB_PORT:-8080}"
-    volumes:
-      - /memex:/memex
-
-networks:
-  sandbox-net:
-    driver: bridge

deploy/guix/manifest.scm

@@ -1,14 +0,0 @@
-;; opencortex: Guix Environment Manifest
-;; Usage: guix shell -m manifest.scm -- sbcl --eval ...
-
-(specifications->manifest
- '("sbcl"
-   "sbcl-cl-json"
-   "sbcl-bordeaux-threads"
-   "sbcl-usocket"
-   "sbcl-dexador"
-   "sbcl-cl-ppcre"
-   "ripgrep"
-   "git"
-   "curl"
-   "sqlite"))

deploy/lxc/setup.org

@@ -1,33 +0,0 @@
-#+TITLE: LXC / Systemd-nspawn Deployment Guide
-#+AUTHOR: opencortex
-
-* Overview
-For users who prefer containerization without the overhead or dependency on the Docker daemon, `opencortex` can be run within a standard Linux Container (LXC) or a systemd-nspawn container.
-
-* Systemd-nspawn Setup (Fastest for Linux users)
-
-1. **Create the container root:**
-   #+begin_src bash
-   sudo debootstrap --arch=amd64 bookworm /var/lib/machines/opencortex
-   #+end_src
-
-2. **Start and enter the container:**
-   #+begin_src bash
-   sudo systemd-nspawn -D /var/lib/machines/opencortex
-   #+end_src
-
-3. **Install dependencies (inside container):**
-   #+begin_src bash
-   apt-get update && apt-get install -y sbcl curl git ripgrep libsqlite3-dev build-essential
-   #+end_src
-
-4. **Bind mount the Memex directory:**
-   Add this to your container startup or use the `--bind` flag:
-   #+begin_src bash
-   sudo systemd-nspawn -D /var/lib/machines/opencortex --bind /home/amr/.openclaw/workspace/memex
-   #+end_src
-
-* Proxmox LXC Setup
-1. Create a new LXC container using the Debian 12 template.
-2. Ensure the network is bridged so Emacs can reach it.
-3. Run the `deploy/bare-metal/install.sh` script inside the container.

deploy/vms/debian/Vagrantfile

@@ -1,22 +0,0 @@
-Vagrant.configure("2") do |config|
-  config.vm.box = "debian/bookworm64"
-  config.vm.network "forwarded_port", guest: 9105, host: 9105
-
-  config.vm.provider "virtualbox" do |vb|
-    vb.memory = "1024"
-    vb.cpus = 2
-  end
-
-  config.vm.provision "shell", inline: <<-SHELL
-    apt-get update
-    apt-get install -y sbcl curl git ripgrep libsqlite3-dev build-essential
-    
-    # Setup for opencortex
-    mkdir -p /home/vagrant/opencortex
-    cp -r /vagrant/* /home/vagrant/opencortex/
-    chown -R vagrant:vagrant /home/vagrant/opencortex
-    
-    # Build binary natively
-    sudo -u vagrant bash -c "cd /home/vagrant/opencortex && ./deploy/bare-metal/install.sh"
-  SHELL
-end

deploy/vms/fedora/Vagrantfile

@@ -1,21 +0,0 @@
-Vagrant.configure("2") do |config|
-  config.vm.box = "fedora/39-cloud-base"
-  config.vm.network "forwarded_port", guest: 9105, host: 9105
-
-  config.vm.provider "virtualbox" do |vb|
-    vb.memory = "1024"
-    vb.cpus = 2
-  end
-
-  config.vm.provision "shell", inline: <<-SHELL
-    dnf install -y sbcl curl git ripgrep sqlite-devel make gcc
-    
-    # Setup for opencortex
-    mkdir -p /home/vagrant/opencortex
-    cp -r /vagrant/* /home/vagrant/opencortex/
-    chown -R vagrant:vagrant /home/vagrant/opencortex
-    
-    # Build binary natively
-    sudo -u vagrant bash -c "cd /home/vagrant/opencortex && ./deploy/bare-metal/install.sh"
-  SHELL
-end

docker-compose.yml

@@ -1,19 +0,0 @@
-services:
-  opencortex:
-    build:
-      context: .
-      dockerfile: Dockerfile
-    container_name: opencortex
-    env_file: .env
-    volumes:
-      # Mount the entire memex directory (2 levels up from projects/opencortex)
-      - ../..:/memex
-      # Ensure signal-cli state is preserved
-      - signal-state:/root/.local/share/signal-cli
-    ports:
-      - "${ORG_AGENT_DAEMON_PORT:-9105}:9105"
-      - "${ORG_AGENT_WEB_PORT:-8080}:8080"
-    restart: unless-stopped
-
-volumes:
-  signal-state:

docs/.#DESIGN_DECISIONS.org

@@ -0,0 +1 @@
+user@amr.1407003:1778162380

docs/.#ROADMAP.org

@@ -0,0 +1 @@
+user@amr.1407003:1778162380

docs/ARCHITECTURE.org

@@ -0,0 +1,139 @@
+#+TITLE: Passepartout Architecture
+#+AUTHOR: Agent
+#+STARTUP: content
+
+* The Four Quadrants
+
+Passepartout divides cognition along two axes: **Foreground vs Background** (initiated by the user vs running autonomously) and **Probabilistic vs Deterministic** (LLM-driven vs pure Lisp logic).
+
+|                | Probabilistic (LLM)                                         | Deterministic (Lisp)                                       |
+|----------------+-------------------------------------------------------------+------------------------------------------------------------|
+| **Foreground** | Chat responses, task execution, code generation             | Shell execution, file I/O, safety gates, dispatcher checks |
+| **Background** | Scribe distillation, vector embedding, autonomous decisions | Heartbeat, cron jobs, memory auto-save, gateway polling    |
+
+The Probabilistic engine proposes. The Deterministic engine verifies and executes. No proposal from the LLM touches a file, runs a command, or sends a message without passing through at least one deterministic gate.
+
+* Architectural Layers
+
+** Core Pipeline (loaded by ASDF — the harness)
+- package definition: defpackage, cognitive tools, logging
+- memory: memory-object struct, Merkle hashing, snapshots, persistence
+- context: foveal-peripheral rendering, context assembly for LLM
+- pipeline: perceive → reason → act stages, orchestrator, heartbeat
+- skills engine: defskill macro, topological sorter, jailed loading
+- communication: framed TCP protocol, actuator registry, daemon server
+- diagnostics: health checks, doctor CLI
+
+** Skills (loaded at runtime by the skill engine)
+- gateway: TUI, CLI, messaging (Telegram, Signal)
+- system-model: provider dispatch, router, embeddings, model explorer
+- security: dispatcher (safety gate), policy, permissions, validator, vault
+- programming: Lisp, Org, literate tools, REPL, standards
+- system: config, archivist, self-improve, memory introspection, shell actuator, event-orchestrator, context-manager, setup
+
+** Clients (connect to daemon via framed TCP protocol)
+- TUI: Croatoan-based terminal interface (model-view architecture, dirty-flag rendering)
+- CLI: pipe-friendly command-line gateway
+- Emacs: elisp bridge speaking the wire protocol (planned v0.4.0)
+
+* Pipeline Flow
+
+Every signal moves through three stages:
+
+```
+Signal → Perceive (normalize) → Reason (think + verify) → Act (dispatch)
+```
+
+The signal is a plist: ~(:TYPE :EVENT :META (...) :PAYLOAD (:SENSOR :user-input :TEXT "..."))~
+
+1. **Perceive** normalizes raw input from any gateway into a uniform signal
+2. **Reason** calls the LLM to generate a proposal, then runs the proposal through all registered deterministic gates (sorted by priority). If a gate rejects the proposal, the rejection trace feeds back to the LLM for self-correction (up to 3 retries)
+3. **Act** dispatches the approved action to the registered actuator (~:cli~, ~:tool~, ~:system~, ~:shell~, ~:telegram~, ~:signal~)
+
+Each stage can produce feedback signals that loop back to Perceive (e.g., a tool-execute action produces a ~:tool-output~ event that becomes the next perception).
+
+** Depth limiting
+
+A depth counter prevents infinite loops. If a signal's depth exceeds 10, it is silently dropped. This is the circuit breaker for runaway recursive cycles.
+
+* Foveal-Peripheral Context Model
+
+When the agent assembles context for the LLM, it does not send the entire memory. It renders a sparse outline using three rules:
+
+1. *Depth ≤ 2* — the root node and its immediate children are always included (title and properties only, no content).
+2. *Foveal focus* — the node the user is currently interacting with is rendered in full, including its body content and all descendants.
+3. *Semantic relevance* — any node whose embedding vector has cosine similarity ≥ threshold (default 0.75) to the foveal node is rendered in full.
+4. *Temporal relevance* — nodes modified within a time window (current session, today) are rendered in full. Deadlines and scheduled items approaching within the warning window (default 60 minutes) are surfaced proactively in the awareness context. Nodes older than the window are title-only. This is the temporal dimension of the foveal-peripheral model: prune in time as well as in semantic space.
+
+Nodes that don't match any rule are rendered as title-only — a single Org headline with its :ID: property. This keeps active context between 2,000–4,000 tokens for typical memex sizes, versus 50,000–150,000 tokens for a full serialization. The embedding vectors that power semantic retrieval are computed at ingest time (~ingest-ast~ in core-memory.lisp) and can use local models (Ollama), cloud APIs (OpenAI embeddings), or a zero-dependency lexical fallback (trigram Jaccard similarity).
+
+For the rationale behind sparse-tree rendering and why this architecture outperforms "load everything" systems, see Design Decisions: Org-Mode as Unified AST.
+
+* Dispatcher Gate Stack
+
+Every action the LLM proposes passes through a stack of deterministic gates before execution. Gates are registered as skills with ~defskill~ and sorted by priority (highest first) in ~cognitive-verify~ (core-loop-reason.lisp).
+
+| Priority | Gate                      | What It Checks                                           |
+|----------+---------------------------+----------------------------------------------------------|
+| 600      | security-permissions      | Tool permission table (allow/ask/deny per tool)          |
+| 600      | security-vault            | Credential storage integrity                             |
+| 500      | security-policy           | Requires :explanation on every action                    |
+| 150      | security-dispatcher       | 11-check safety: lisp, secret path, self-build,          |
+|          | (the Dispatcher)          | content exposure, vault, privacy tags, privacy text,      |
+|          |                           | shell safety, network exfil, high-impact approval         |
+| 95       | security-validator        | Protocol schema validation                               |
+| 100      | system-archivist          | Scribe and Gardener maintenance on heartbeat             |
+| 80       | system-event-orchestrator | Cron job dispatch on heartbeat                           |
+
+Gates return either the action (passed through unchanged), a rejection (:LOG or :EVENT with block reason), or an approval request (:EVENT with :level :approval-required). Rejections feed back to the LLM as a rejection trace — the model sees what it proposed, which gate blocked it, and why, and retries with that context (up to 3 retries). Approval requests create Flight Plan Org nodes requiring human review via the HITL workflow.
+
+Every gate is a pure Common Lisp function. Verification costs 0 LLM tokens. Contrast with prompt-based guardrails (Claude Code, OpenClaw, Hermes Agent) which consume 100–500 LLM tokens per verification.
+
+For the rationale behind deterministic vs prompt-based safety, see Design Decisions: The Probabilistic-Deterministic Split and The Dispatcher as Learning System.
+
+* Embedding & Semantic Retrieval Pipeline
+
+Every memory-object can carry an embedding vector for semantic search. The pipeline:
+
+1. *Ingest* — ~ingest-ast~ (core-memory.lisp) calls ~embeddings-compute~ on new objects, storing the vector in ~memory-object-vector~.
+2. *Queue* — objects with stale vectors are queued via ~mark-vector-stale~. The ~embed-all-pending~ cron job (every 10 minutes, :REFLEX tier) drains the queue and recomputes vectors.
+3. *Retrieval* — ~context-awareness-assemble~ (core-context.lisp) passes the foveal node's vector to ~context-object-render~. Nodes with cosine similarity ≥ threshold against the foveal vector are rendered in full rather than as title-only.
+
+Three backends are available, selected via ~EMBEDDING_PROVIDER~:
+- :local — Ollama-compatible /api/embeddings endpoint (e.g., nomic-embed-text)
+- :openai — OpenAI /v1/embeddings API (e.g., text-embedding-3-small)
+- :hashing — zero-dependency lexical fallback using trigram Jaccard similarity (replaced SHA-256 hashing in v0.4.0 because cryptographic hashes maximise output divergence — the opposite of what a similarity metric needs)
+
+For the design rationale, see Design Decisions: Token Economics and Performance Advantage.
+
+* Skill Lifecycle
+
+1. *Discovery:* ~skill-initialize-all~ scans the skills directory, globs for ~*.lisp~ files (excluding ~core-*~ files which are loaded by ASDF)
+2. *Sorting:* ~skill-topological-sort~ orders skills by their ~#+DEPENDS_ON:~ declarations
+3. *Loading:* Each skill is loaded into a jailed package (~passepartout.skills.<skill-name>~). The loader removes ~in-package~ forms, evaluates the remaining code in the jailed package, and exports symbols matching the skill's short name to ~passepartout~
+4. *Registration* The skill's ~defskill~ call creates a ~skill~ struct in ~*skill-registry*~, registering its trigger function, probabilistic prompt generator, deterministic gate, and system-prompt augment
+5. *Triggering:* On each cognitive cycle, ~skill-triggered-find~ iterates the registry and returns the highest-priority skill whose trigger matches the context
+6. *Hot-reload:* A skill can be replaced at runtime by loading a new version into its jailed package — no restart needed
+
+* Communication protocol Format
+
+All communication between the daemon and its gateways (TUI, CLI, Emacs) uses length-prefixed plists over TCP:
+
+```
+00002C(:TYPE :EVENT :PAYLOAD (:ACTION :handshake :VERSION "0.4.0"))
+```
+
+The 6-character hex prefix encodes the payload length. The payload is a ~prin1~-serialized plist. ~*read-eval*~ is bound to nil on the receiving end to prevent code injection.
+
+** Standard message envelope:
+
+| Key | Value | Meaning |
+|-----|-------|---------|
+| ~:TYPE~ | ~:REQUEST~, ~:EVENT~, ~:RESPONSE~, ~:LOG~, ~:STATUS~ | Message category |
+| ~:META~ | plist | ~:SOURCE~, ~:SESSION-ID~, ~:reply-stream~ |
+| ~:PAYLOAD~ | plist | Action-specific data (~:SENSOR~, ~:ACTION~, ~:TEXT~) |
+| ~:DEPTH~ | integer | Recursion counter for loop prevention |
+
+The protocol lifecycle begins with a handshake: the daemon sends a :handshake action with its version, and the client responds with its capabilities. After handshake, either side can send any message type. The daemon never initiates a disconnect — clients poll for messages and reconnect on EOF.
+
+Planned for v0.6.3: streaming chunk frames (~:type :stream-chunk~) carrying partial LLM output. The final chunk is an empty string signalling end-of-stream, enabling interrupt-and-redirect from the client side.

docs/CLA.org

@@ -0,0 +1,24 @@
+#+TITLE: OpenCortex Contributor License Agreement (CLA)
+#+STARTUP: content
+
+* Overview
+This Contributor License Agreement ("Agreement") clarifies the intellectual property license granted with Contributions from any person or entity to the OpenCortex project. 
+
+* 1. Definitions
+- *"You"* (or *"Your"*) means the copyright owner or legal entity authorized by the copyright owner that is making this Agreement with the Project Lead (Amr Gharbeia).
+- *"Contribution"* means any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to the Project Lead for inclusion in the Work.
+
+* 2. Grant of Copyright License
+Subject to the terms and conditions of this Agreement, You hereby grant to the Project Lead and to recipients of software distributed by the Project Lead a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.
+
+* 3. Grant of Patent License
+Subject to the terms and conditions of this Agreement, You hereby grant to the Project Lead and to recipients of software distributed by the Project Lead a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work.
+
+* 4. You Represent That You Are Legally Entitled to Grant the Above License
+You represent that each of Your Contributions is Your original creation. You represent that Your Contribution submissions include complete details of any third-party license or other restriction of which You are personally aware and which are associated with any part of Your Contributions.
+
+* 5. Your Rights
+You retain all right, title, and interest in and to Your Contributions. This agreement simply grants the Project Lead the necessary rights to distribute the project (including under the AGPLv3 or any future commercial licenses).
+
+* 6. Agreement
+By submitting a Pull Request or patch to the OpenCortex repository, You explicitly agree to the terms of this Contributor License Agreement.

docs/CONTRIBUTING.org

@@ -0,0 +1,116 @@
+#+TITLE: Contributing to Passepartout
+#+AUTHOR: Passepartout Contributors
+#+STARTUP: content
+#+FILETAGS: :docs:contributing:
+
+* Philosophy
+Passepartout is built on a "Zero-Bloat" mandate. The core kernel is mathematically pure, pushing all peripheral logic, API integrations, and routing to hot-reloadable "Skills".
+
+* Development Workflow
+
+The full development cycle is described in ~AGENTS.md~. In summary:
+
+1. *Think in org* — write reasoning and goals in the .org file
+2. *Write contract* — define each function's behavior in a ~** Contract~ section
+3. *TDD from contract* — each contract item becomes a ~fiveam:test~; prove RED then GREEN
+4. *Reflect in org* — ensure implementation is in .org source
+5. *Update literate prose* — explain the code: what, why, how it connects
+
+* Literate Programming
+
+~.org~ files in ~org/~ are the source of truth. ~lisp/~ files are generated by ~org-babel-tangle~.
+
+- Never edit =lisp/= files directly — always modify the corresponding =org/= file
+- All ~#+begin_src lisp~ blocks in a file inherit their tangle destination from the file-level ~#+PROPERTY: header-args:lisp :tangle ../lisp/FILE.lisp~
+- Every architectural decision, constraint, and implementation detail must be documented alongside the code
+
+* Contracts and Tests
+
+Every code change starts with a contract and a failing test. Write a ~** Contract~ section listing each function's behavior, then create a ~fiveam:test~ in the ~* Test Suite~ section for each contract item.
+
+To run tests for a specific file:
+
+#+begin_src bash
+sbcl --noinform \
+  --eval '(load (merge-pathnames "quicklisp/setup.lisp" (user-homedir-pathname)))' \
+  --eval '(ql:quickload :passepartout :silent t)' \
+  --eval '(load "lisp/FILE.lisp")' \
+  --eval '(fiveam:run (intern "SUITE-NAME" :passepartout-TESTS))' --quit
+#+end_src
+
+No test may be committed without proof it was first run to failure (RED).
+
+* Skill Creation Standard
+
+A skill is a =.org= file in =org/= that defines:
+
+1. *Contract* — what the skill guarantees
+2. *Implementation* — the code, tangled to ~lisp/~ via ~#+PROPERTY: header-args:lisp~
+3. *Skill Registration* — a ~defskill~ form with ~:priority~, ~:trigger~, ~:probabilistic~ / ~:deterministic~
+4. *Test Suite* — ~fiveam:test~ forms verifying the contract
+
+Example:
+#+begin_src lisp
+(defskill :passepartout-example
+  :priority 100
+  :trigger (lambda (ctx) ...)
+  :probabilistic (lambda (ctx) ...)
+  :deterministic (lambda (action ctx) ...))
+#+end_src
+
+* Project Structure
+
+| Directory            | Purpose                                          |
+|----------------------+--------------------------------------------------|
+| =org/=               | Literate source files (edit these)               |
+| =lisp/=              | Tangled .lisp output (never edit)                |
+| =docs/=              | ROADMAP, ARCHITECTURE, DESIGN_DECISIONS, etc.    |
+| =scripts/=           | Build and utility scripts                        |
+| ~/.local/share/passepartout/= | XDG data dir — deployed lisp files     |
+| ~/.config/passepartout/=     | Config (.env)                          |
+
+* Key Libraries
+
+| Library          | Purpose                          |
+|------------------+----------------------------------|
+| Croatoan         | TUI (terminal UI)                |
+| usocket          | TCP sockets (daemon protocol)    |
+| bordeaux-threads | Threading (reader thread)        |
+| dexador          | HTTP client (LLM API calls)      |
+| cl-ppcre         | Regex (search-files, dispatcher) |
+| ironclad         | SHA-256 (Merkle hashing)         |
+| hunchentoot      | HTTP server                      |
+| cl-json          | JSON encoding/decoding           |
+
+* Protocol
+
+All inter-process communication uses the Unified Envelope protocol over TCP (port 9105). Message types: ~:REQUEST~, ~:EVENT~, ~:RESPONSE~, ~:STATUS~, ~:LOG~. Each message includes a ~:META~ block with routing metadata.
+
+* Pre-Commit Hook
+
+Validates staged org files by tangling + structural-checking:
+#+begin_src bash
+ln -sf ../../scripts/pre-commit-repl-check .git/hooks/pre-commit
+#+end_src
+Runs automatically on ~git commit~.
+
+* Testing Tools
+
+** TUI REPL (~/eval~)
+The TUI has a built-in command for live evaluation:
+- ~/eval (+ 1 2)~ → result displayed in chat window
+- ~/eval (add-msg :system "test")~ → inject a test message
+
+** Tmux (TUI integration testing)
+#+begin_src bash
+tmux new-session -d -s test "passepartout tui 2>&1 | tee /tmp/tui.log"
+tmux send-keys -t test "hello world" Enter
+tmux capture-pane -t test -p -S -200
+tmux kill-session -t test
+#+end_src
+
+** Swank (Emacs REPL for TUI)
+1. Start TUI: ~passepartout tui~
+2. In Emacs: ~M-x slime-connect RET 127.0.0.1 RET 4006~
+3. ~C-M-x~ any form from =org/gateway-tui.org= → evaluates in live TUI process
+4. Configure port: ~export TUI_SWANK_PORT=4009~ (default: 4006)

docs/USER_MANUAL.org

@@ -0,0 +1,461 @@
+#+TITLE: Passepartout User Manual
+#+AUTHOR: Passepartout Contributors
+#+STARTUP: content
+#+FILETAGS: :docs:manual:
+
+* Introduction
+Welcome to Passepartout. Passepartout is a neurosymbolic AI agent and a Lisp Machine operating system designed to autonomously maintain your Memex (knowledge base) and interact with you via multiple, equal-citizen interfaces.
+
+* Installation
+Passepartout is bootstrapped via a single shell script.
+
+** Quick start (curl)
+
+#+begin_src bash
+curl -fsSL https://raw.githubusercontent.com/amrgharbeia/passepartout/main/passepartout | bash -s configure
+#+end_src
+
+This will:
+1. Install system dependencies (SBCL, Emacs, git, curl, socat — detected for Debian or Fedora)
+2. Install Quicklisp (Common Lisp package manager)
+3. Tangle literate Org sources into runnable Lisp
+4. Launch the interactive setup wizard (LLM providers, gateways)
+
+If you already have Emacs installed, the installer skips it and uses your existing installation.
+
+* Configuration
+The system is configured via a ~.env~ file in the project root. Essential variables include:
+
+- ~OPENROUTER_API_KEY~: Your LLM provider key.
+- ~PROVIDER_CASCADE~: The fallback order for LLM providers (e.g., ~openrouter,ollama,anthropic~).
+- ~MEMEX_DIR~: The absolute path to your knowledge base (defaults to ~/memex~).
+
+* Interacting with Passepartout
+Because of the Unified Envelope Architecture, the kernel treats all clients as interchangeable. You must first boot the background daemon:
+
+#+begin_src bash
+./passepartout --boot &
+#+end_src
+
+** Terminal User Interface (TUI)
+For a rich, split-pane terminal experience:
+#+begin_src bash
+./passepartout tui
+#+end_src
+
+** Command Line Interface (CLI)
+For raw, pipe-friendly interaction:
+#+begin_src bash
+./passepartout cli
+#+end_src
+
+** TUI Commands
+
+When connected via the TUI, the following commands are available (type them in the input area and press Enter):
+
+| Command               | Action                                                 |
+|-----------------------+--------------------------------------------------------|
+| ~/help~               | List all available commands                             |
+| ~/focus <project>~    | Set the agent's foveal focus to a project by name      |
+| ~/scope memex~        | Set scope to full memex (all projects visible)         |
+| ~/scope session~      | Set scope to current session only                       |
+| ~/scope project~      | Set scope to focused project only                       |
+| ~/unfocus~            | Clear the foveal focus                                  |
+| ~/approve HITL-xxxx~  | Approve a pending HITL action by its token              |
+| ~/deny HITL-xxxx~     | Deny a pending HITL action by its token                 |
+| ~/theme <name>~       | Switch theme (dark, light, solarized, gruvbox)         |
+| ~/cost~               | Toggle session cost display in status bar               |
+| ~/voice on~           | Enable voice capture (planned v0.7.3)                  |
+| ~/voice off~          | Disable voice capture                                   |
+| ~/quit~               | Save history and exit (planned v0.3.3)                 |
+
+For multi-line input, start the line with ~\~ then press Enter to insert a newline without sending.
+
+** Human-in-the-Loop Approval
+
+When the Dispatcher blocks a high-risk action (shell command, network call, core file modification), it creates a Flight Plan requiring your approval.
+
+1. The TUI displays a yellow message: ~→ HITL required: /approve HITL-ab12~
+2. Review the proposed action in the Dispatcher trace (expand with Tab)
+3. Type ~/approve HITL-ab12~ to approve, or ~/deny HITL-ab12~ to deny
+4. Approved actions are re-injected into the pipeline and executed
+5. Denied actions are discarded and the Dispatcher records the decision as a permanent rule
+
+Each approval or denial teaches the Dispatcher — the rule counter in the status bar (~[Rules: 47]~) increments with every decision.
+
+* The Memex Structure
+Passepartout assumes a local folder structure representing your "Memex".
+- Core memories and identities are mapped to Org-mode files.
+- The ~Scribe~ background worker distills chronological logs into structured Zettelkasten notes.
+- The ~Gardener~ continuously repairs broken links and flags orphaned nodes.
+
+* How Safety Works
+
+Passepartout enforces safety through ten deterministic gates. Every action the agent wants to take — reading a file, running a shell command, sending network traffic — passes through these gates before execution. Critically, all ten gates are pure Lisp functions: they cost zero LLM tokens to evaluate. Safety checking never touches your provider budget.
+
+** The Ten Safety Gates
+
+| Gate | What It Checks |
+|------+----------------|
+| Lisp syntax | Validates that any Lisp code is well-formed before evaluation |
+| Secret file paths | Blocks reads from known secret directories (~.ssh~, ~.env~, ~.aws~, etc.) |
+| Self-build core | Prevents modification of the agent's own source and build files |
+| Secret content | Scans text output for API keys, tokens, or credential patterns |
+| Vault secrets | Guards any secret stored in the encrypted vault |
+| Privacy tags | Respects ~@privacy:~ annotations on memory objects and files |
+| Privacy text leaks | Scans outgoing text for PII (emails, phone numbers, addresses) |
+| Shell safety | Blocks destructive commands (~rm -rf~, ~:(){:|:&};:~, ~mkfs~, ~dd~) |
+| Network exfiltration | Blocks outbound traffic carrying private data to unknown hosts |
+| High-impact actions | Catches system-level changes (package installs, service restarts, mount) |
+
+** Severity Tiers
+
+Each gate assigns a severity to the action it inspects:
+
+| Severity   | Behavior                                              |
+|------------+-------------------------------------------------------|
+| Catastrophic | Always blocked. No approval possible.                |
+| Dangerous    | Requires HITL approval. Generates a Flight Plan.    |
+| Moderate     | Allowed, but logged. The agent learns from the outcome. |
+| Harmless     | Always allowed. No logging overhead.                 |
+
+** What Happens When an Action Is Blocked
+
+When a gate blocks an action, the Dispatcher creates a Flight Plan — a structured record of what the agent wants to do, why it was blocked, and which gate triggered. The Flight Plan is presented to you for review. You can approve it (~/approve~), deny it (~/deny~), or ask the agent to clarify its intent (~/clarify~). Once you approve, the action executes immediately. Once you deny, the Dispatcher records the decision as a permanent rule and will never propose that action again.
+
+* Understanding Context and Focus
+
+Passepartout uses a foveal-peripheral context model, inspired by human vision. This is how the agent decides what to pay attention to in your Memex.
+
+** The Three Levels of Attention
+
+- ~/foveal/~ — What the agent reads deeply and reasons about right now. Anything you explicitly mention, plus the current focused project.
+- ~/peripheral/~ — What the agent knows exists (titles, summaries, metadata) but does not read in detail. Everything in scope.
+- ~/blind/~ — Outside scope. The agent cannot see or access it.
+
+** Focus Commands
+
+| Command             | Effect                                                  |
+|---------------------+---------------------------------------------------------|
+| ~/focus <project>~  | Set the agent's foveal attention to a project           |
+| ~/scope memex~      | Expand scope to everything in your Memex               |
+| ~/scope session~    | Narrow scope to just the current conversation           |
+| ~/scope project~    | Narrow scope to the focused project only               |
+| ~/unfocus~          | Clear the foveal focus; the agent sees everything at peripheral level |
+
+** The Focus Map
+
+The status bar displays a focus map — a compact representation of what the agent is "looking at." Projects in foveal view are highlighted; peripheral projects are dimmed. When you change focus, the map updates in real time so you always know the agent's current attention budget.
+
+* Skills and What They Do
+
+Skills are hot-reloadable modules that extend the agent's capabilities. Unlike core system files, a bug in a skill degrades the agent but does not kill it — skills can be repaired by the agent itself. Skills are organized into categories by function:
+
+** Core Pipeline
+The agent's cognitive loop: Perceive (consume input) → Reason (think with the LLM) → Act (execute tools). This is the central nervous system of the agent.
+
+** Security
+~Dispatcher~, ~Policy~, ~Permissions~, ~Validator~, ~Vault~. These skills enforce the safety gates, manage approval workflows, encrypt secrets, and verify that every action conforms to the rules you have set.
+
+** Channels
+~TUI~, ~CLI~, ~Telegram~, ~Signal~, ~Discord~, ~Slack~, ~Shell~. Each channel is a separate skill that handles I/O for a specific interface. All channels are equal citizens — the agent treats a message from Telegram identically to one typed in the TUI.
+
+** Programming
+~Lisp~, ~Org~, literate tools, ~REPL~, standards libraries. These skills allow the agent to write, evaluate, and reason about Lisp code, manage Org-mode documents, and tangle literate programs into runnable source.
+
+** Symbolic
+~Awareness~, ~Scope~, ~Events~, ~Config~, ~Memory~, ~Identity~, ~Time~. These skills manage the agent's internal state: what it knows about itself, what it remembers, how it configures its behavior, and how it tracks time and events.
+
+** Neuro
+~Provider~, ~Router~, ~Explorer~. These skills manage the LLM backends. The Provider skill abstracts each LLM API; the Router decides which provider to use based on cost, latency, and availability; the Explorer discovers new providers.
+
+** Embedding
+Backends for semantic search and native inference. These skills enable the agent to embed text, search your Memex by meaning rather than exact keyword, and run local inference without network calls.
+
+** Economics
+~Tokenizer~, ~Cost Tracker~, ~Token Economics~. These skills count tokens, estimate costs before making LLM calls, track spending across providers, and enforce budget limits.
+
+* The Tool System
+
+The agent has ten cognitive tools — discrete actions it can take to interact with your environment. Each tool maps to a specific capability.
+
+** Read-Only Tools
+
+| Tool              | What It Does                                |
+|-------------------+---------------------------------------------|
+| ~search-files~    | Search file contents with regex patterns    |
+| ~find-files~      | Find files by name using glob patterns      |
+| ~read-file~       | Read the contents of a file on disk         |
+| ~list-directory~  | List the contents of a directory            |
+| ~org-find-headline~ | Find a headline in an Org-mode file       |
+
+** Write Tools
+
+| Tool              | What It Does                                |
+|-------------------+---------------------------------------------|
+| ~write-file~      | Create or overwrite a file on disk          |
+| ~org-modify-file~ | Modify an Org-mode file structurally        |
+| ~run-shell~       | Execute a shell command                     |
+| ~eval-form~       | Evaluate a Lisp expression                  |
+| ~run-tests~       | Execute a test suite                        |
+
+** Auto-Approval
+
+Write tools are subject to safety-gate inspection. Read-only tools are auto-approved by default (though the agent still checks for secret-file reads). You can configure per-tool auto-approval in your ~.env~ file with the ~AUTO_APPROVE_TOOLS~ variable:
+
+#+begin_src bash
+# Auto-approve read-file and find-files (default)
+AUTO_APPROVE_TOOLS=read-file,find-files,list-directory,search-files
+#+end_src
+
+* Cost Tracking
+
+Every LLM call costs tokens, and tokens cost money. Passepartout tracks this transparently.
+
+** Token Budgets
+
+Set ~CONTEXT_MAX_TOKENS~ in your ~.env~ file to cap the total context window the agent may use per interaction:
+
+#+begin_src bash
+CONTEXT_MAX_TOKENS=128000
+#+end_src
+
+The agent will truncate older context rather than exceed this limit.
+
+** Per-Call Cost Tracking
+
+Before every LLM call, the Economics skill estimates the cost (prompt tokens + expected completion tokens) and checks it against your budget. After the call, it records actual usage. The status bar shows your session total.
+
+** The ~/cost~ Command
+
+Toggle cost display in the status bar with ~/cost~. When enabled, you'll see a running total like ~[$0.047]~ showing the estimated cost of the current session.
+
+** Per-Provider Pricing
+
+Different providers charge different rates. The Router skill is aware of this and will choose the cheapest viable provider for each call unless you pin a specific provider:
+
+#+begin_src bash
+# Pin to a specific provider
+PROVIDER_CASCADE=anthropic
+#+end_src
+
+** Prompt Prefix Caching
+
+Providers that support prefix caching (Claude via Anthropic, some OpenRouter models) automatically benefit from it. The agent reuses the system prompt prefix across calls, and the Economics skill tracks the cache-hit savings separately in the cost breakdown.
+
+* Session Control
+
+Passepartout maintains a session history with checkpointed memory snapshots. You can move backward and forward through your session state.
+
+** Undo and Redo
+
+| Command      | Effect                                                   |
+|--------------+----------------------------------------------------------|
+| ~/undo~      | Restore the memory to the state before your last action  |
+| ~/redo~      | Re-apply the last undone action                          |
+| ~/rewind <n>~ | Restore the memory to the state n actions ago           |
+
+** What Gets Restored
+
+A session rewind restores three things: file changes (files written or modified are reverted), memory objects (the agent's internal knowledge), and TODO states (the roadmap and task tracking). This means you can safely let the agent explore and experiment — if it goes down a wrong path, rewind and redirect.
+
+* Gate Trace Reference
+
+Below every agent message in the TUI, you'll see colored lines representing the safety-gate trace for that message. These show you exactly which gates ran on the agent's actions and what happened.
+
+| Symbol | Meaning                                                    |
+|--------+------------------------------------------------------------|
+| ~✓~    | Green — the gate passed. The action was allowed.            |
+| ~✗~    | Red — the gate blocked the action. The reason is shown.     |
+| ~→~    | Yellow — HITL approval required. A Flight Plan is pending.  |
+
+Press ~Ctrl+G~ to toggle gate trace visibility on and off. The most recent gate trace for your last interaction is always available via the ~/why~ command — type ~/why~ and the agent will display the full trace with explanations.
+
+* Tag System
+
+Passepartout uses an Org-mode tag system to annotate and control behavior. Tags are metadata appended to headlines and memory objects.
+
+** Severity Tags
+
+The ~@tag:severity~ tier controls how strictly the safety system handles a tagged item:
+
+| Tag              | Behavior                                                     |
+|------------------+--------------------------------------------------------------|
+| ~@tag:block~     | The tagged item is treated as catastrophic — always blocked  |
+| ~@tag:warn~      | The tagged item triggers HITL approval when accessed         |
+| ~@tag:log~       | Access is allowed but logged for audit                       |
+
+** Tag Categories
+
+Configure which tags trigger which behavior with the ~TAG_CATEGORIES~ environment variable:
+
+#+begin_src bash
+TAG_CATEGORIES=block:warn:log
+#+end_src
+
+** The ~/tags~ Command
+
+Type ~/tags~ to list all tags currently active in the agent's scope, along with their severity levels and the files or memory objects they apply to.
+
+* HITL Deep Dive
+
+When the Safety system blocks an action, a structured workflow begins. Understanding this workflow helps you make informed approval decisions quickly.
+
+** The Flight Plan Lifecycle
+
+1. /Trigger/: A gate rates an action Dangerous or Catastrophic, or a ~@tag:warn~ tag is encountered.
+2. /Plan/: The Dispatcher serializes the proposed action into a Flight Plan: what tool, what arguments, what file or command, which gate triggered.
+3. /Display/: The TUI shows a yellow prompt with the Flight Plan token (~HITL-ab12~).
+4. /Review/: Press ~Tab~ to expand the gate trace and see the full Flight Plan details.
+5. /Decision/: You type ~/approve HITL-ab12~ or ~/deny HITL-ab12~.
+6. /Execute or Discard/: Approved plans execute immediately. Denied plans are discarded.
+7. /Learn/: The Dispatcher increments its rule counter and records the decision as a permanent rule. If you denied an action, the Dispatcher will never propose it again.
+
+** Clarifying Questions
+
+If you are unsure why the agent wants to perform an action, you can ignore the Flight Plan prompt. After three retries without a decision, the agent escalates by injecting a ~/clarify~ message into the pipeline, asking the agent to explain its intent in plain language. You can then approve or deny with full context.
+
+** The Rule Counter
+
+The status bar shows ~[Rules: N]~ — the number of permanent rules the Dispatcher has learned from your decisions. Each approval or denial is a learning event. Over time, the Dispatcher builds a personalized safety profile that reflects your preferences: which actions you always approve, which you always deny, and which you want to review case by case.
+
+* TUI Keybinding Reference
+
+The TUI supports a rich set of keyboard shortcuts for efficient interaction.
+
+** Editing Keys
+
+| Combo     | Action                                    |
+|-----------+-------------------------------------------|
+| ~Ctrl+D~  | Quit the TUI                              |
+| ~Ctrl+U~  | Clear the current input line              |
+| ~Ctrl+W~  | Delete the word before the cursor         |
+| ~Ctrl+A~  | Move cursor to beginning of line (Home)   |
+| ~Ctrl+E~  | Move cursor to end of line               |
+| ~Ctrl+K~  | Delete from cursor to end of line         |
+| ~Ctrl+L~  | Redraw the screen                         |
+| ~Ctrl+X+E~ | Open the current input in your external editor (~$EDITOR~) |
+| ~Tab~     | Autocomplete commands, themes, and file paths |
+
+** Navigation and Control
+
+| Combo            | Action                                           |
+|------------------+--------------------------------------------------|
+| ~Ctrl+C~         | Interrupt (cascade: stop streaming → stop thinking → quit) |
+| ~Ctrl+F~         | Search through message history                   |
+| ~Ctrl+P~         | Open the command palette                         |
+| ~Ctrl+G~         | Toggle gate trace visibility                     |
+| ~Ctrl+X+B~       | Toggle the sidebar (focus map, memory browser)   |
+| ~Page Up~        | Scroll chat up by 10 lines                       |
+| ~Page Down~      | Scroll chat down by 10 lines                     |
+| ~Up Arrow~       | Previous input in command history                |
+| ~Down Arrow~     | Next input in command history                    |
+
+** The Status Bar
+
+The status bar at the bottom of the TUI shows the agent's current state at a glance. Each indicator has a specific meaning:
+
+| Indicator        | Meaning                                                            |
+|------------------+--------------------------------------------------------------------|
+| ~[Connected]~    | Green — daemon is reachable on port 9105. Gray — disconnected.     |
+| ~[Mode: TUI]~    | The current interaction mode (TUI, CLI, Telegram, etc.)            |
+| ~[Msg: 142]~     | Total messages in the current session                              |
+| ~[↑ 12]~         | Scroll indicator — you are scrolled up 12 lines from the bottom    |
+| ~[◉]~            | Activity spinner — spinning means the agent is working             |
+| ~[⟳]~            | Streaming indicator — shown while the agent is generating text     |
+| ~[$0.047]~       | Session cost (visible when ~/cost~ is toggled on)                  |
+| ~[Rules: 52]~    | Number of permanent HITL rules learned from your decisions         |
+| ~[prj:my-proj]~  | Current focused project name                                       |
+
+* Deployment
+
+** Bare metal (Debian / Fedora)
+
+The ~configure~ command supports both Debian-based (Ubuntu, Pop, Mint) and Fedora-based (RHEL, Rocky) distributions. It detects your distro automatically and installs the correct packages.
+
+#+begin_src bash
+./passepartout configure              # interactive
+./passepartout configure --non-interactive  # headless
+./passepartout configure --with-firewall    # also open port 9105
+#+end_src
+
+After configuration, you can re-run ~configure~ any time to add providers or link gateways.
+
+** Binary install (save-lisp-and-die)
+
+For platforms where SBCL cannot be installed (corporate laptops, shared hosts, constrained environments), a self-contained binary is provided:
+
+#+begin_src bash
+curl -fsSL https://github.com/amrgharbeia/passepartout/releases/latest/download/passepartout -o passepartout
+chmod +x passepartout
+./passepartout daemon
+#+end_src
+
+This binary bundles SBCL, all required Lisp code, native embedding inference, and a Swank server on port 4005. The experience is identical to a source install — the REPL is available, skills hot-reload, and the image is mutable. Memory survives snapshots.
+
+The binary is a convenience for constrained platforms. It is not a sealed container. The system remains constitutionally open — connect with SLIME, trace functions, inspect memory objects, modify the system while it runs.
+
+** systemd service (auto-start on boot)
+
+#+begin_src bash
+./passepartout install service
+#+end_src
+
+Installs a user-level systemd unit that starts the daemon on login. Logs are available via ~journalctl --user -u passepartout.service -f~.
+
+To remove:
+
+#+begin_src bash
+./passepartout uninstall service
+#+end_src
+
+** Docker
+
+A Debian-based Docker image is provided for containerized deployment.
+
+#+begin_src bash
+cd infrastructure/docker
+docker-compose up -d
+#+end_src
+
+This builds an image from ~debian:trixie-slim~ with all dependencies pre-installed. The memex directory is mounted from the host.
+
+** Backup
+
+#+begin_src bash
+./passepartout backup ~/my-backup.tar.gz
+#+end_src
+
+Backs up the config, data, and memex directories.
+
+** Restore
+
+#+begin_src bash
+./passepartout restore ~/my-backup.tar.gz
+#+end_src
+
+Restores from a backup file. Run ~passepartout doctor~ afterward to verify integrity.
+
+* Troubleshooting
+
+** The daemon won't start
+- Check SBCL is installed: ~which sbcl~
+- Run ~passepartout doctor~ to diagnose
+- Check port 9105 is free: ~lsof -i :9105~
+- Check the log output for errors
+
+** The TUI connects but shows "Disconnected"
+- The daemon may have crashed. Run ~passepartout daemon~ in another terminal
+- If the daemon is running, check it's listening: ~lsof -i :9105~
+- Use ~/reconnect~ (planned v0.6.0) to reconnect without restarting the TUI
+
+** The LLM returns garbage or fails to respond
+- Run ~passepartout doctor~ to verify your LLM provider keys
+- Check ~PROVIDER_CASCADE~ in your ~.env~ file
+- Try switching models: edit ~.env~ and restart the daemon
+- If using local models via Ollama, verify Ollama is running: ~ollama list~
+
+** Memory fails to load on startup
+- Check ~/memory.snap~ exists and is valid S-expression format
+- Run ~passepartout doctor~ to diagnose memory integrity
+- If corrupted, delete ~/memory.snap~ and restart — the daemon starts with empty memory

docs/deployment.org

@@ -1,36 +0,0 @@
-#+TITLE: Deployment Guide: Containerized OpenCortex
-#+AUTHOR: Amr
-#+DATE: [2026-04-11 Sat]
-#+FILETAGS: :deployment:docker:infrastructure:
-
-* Overview
-The ~opencortex~ is designed to run within a Docker container to ensure system dependencies (SBCL, Quicklisp, signal-cli) are perfectly matched across different host environments.
-
-* Prerequisites
-- Docker Engine
-- Docker Compose
-- A valid ~.env~ file in the ~projects/opencortex/~ directory (refer to ~.env.example~).
-
-* Quick Start
-** 1. Build and Start
-From the ~projects/opencortex/~ directory:
-#+begin_src bash
-docker-compose up --build -d
-#+end_src
-
-** 2. Check Logs
-#+begin_src bash
-docker-compose logs -f
-#+end_src
-
-* Volume Mapping
-The ~docker-compose.yml~ file automatically mounts your host's ~memex~ directory to ~/memex~ inside the container. This allows the agent to:
-1. Read/Write to your Zettelkasten and GTD files.
-2. Maintain its local state (Memory, snapshots).
-
-* Troubleshooting
-** signal-cli Identity
-If using the Signal gateway, ensure you have registered your number via the host's ~signal-cli~ or within the container. The state is preserved in the ~signal-state~ Docker volume.
-
-** Re-loading Skills
-The container pre-caches dependencies during the build. If you modify core Lisp logic, you must rebuild the image (~--build~). If you only modify ~.org~ skills in your memex, the agent can reload them dynamically if they are part of the startup scan.

docs/marketing-v0.1.0.org

@@ -1,46 +0,0 @@
-#+TITLE: v0.1.0 Launch & Marketing Plan
-#+AUTHOR: Amr
-#+FILETAGS: :marketing:release:autonomy:
-#+STARTUP: content
-
-* Overview
-With the v0.1.0 "Autonomous MVP" released, the goal is to leverage GitHub's social graph to build a community of early adopters, contributors, and power users who resonate with the "Thin Harness, Fat Skills" and "Local-First" philosophy.
-
-* 1. Licensing Strategy
-Before wide promotion, the project's license must align with its goals.
-- **MIT License (Current):** Maximum adoption, frictionless for developers to embed in their own tools. Good for rapid growth.
-- **GPLv3 / AGPLv3:** Enforces copyleft. Ensures any modifications or integrations by corporations must remain open-source. Protects the "Autonomous" ethos from proprietary enclosure.
-- **Dual Licensing:** Open-source for individuals, commercial license for enterprise usage (if monetization is a future goal).
-
-*Decision Needed:* Do we stick with MIT, or switch to a copyleft license (AGPL) to protect the autonomous nature of the project?
-
-* 2. The GitHub Migration & Setup
-To maximize visibility, the repository must be optimized for GitHub's ecosystem.
-- [ ] **Mirror/Migrate to GitHub:** Move the primary remote from the self-hosted Gitea to GitHub.
-- [ ] **README Optimization:** Add badges (License, Build Status, Version). Ensure the "Zero-to-One" curl command is prominent. Add an architecture diagram (mermaid).
-- [ ] **Repository Topics:** Add tags like `common-lisp`, `autonomous-agents`, `org-mode`, `pkm`, `zettelkasten`, `llm`, `local-first`.
-- [ ] **Contributing Guide:** Add `CONTRIBUTING.md` to explain the Literate Programming standard and how to add new "Skills".
-- [ ] **Issue Templates:** Create templates for "Bug Report" and "Skill Proposal".
-
-* 3. The PR & Social Media Campaign
-The narrative: "An autonomous AI agent that doesn't just chat, but lives natively in your Org-mode Memex. No Python glue code, no cloud lock-in—just pure, homoiconic Common Lisp."
-
-** Target Audiences & Channels
-1. **The Emacs / Org-mode Community:**
-   - *Channels:* `r/emacs`, `r/orgmode`, Hacker News (`/r/lisp`), Emacs News.
-   - *Hook:* "A background daemon that autonomously distills your daily logs into a Zettelkasten using LLMs."
-2. **The Local-First / PKM Community:**
-   - *Channels:* `r/Zettelkasten`, `r/PKM`, Obsidian/Logseq diaspora looking for more power.
-   - *Hook:* "Own your brain. An AI agent that runs locally on your Markdown/Org files with mathematical security gates."
-3. **The AI / Autonomous Agent Hackers:**
-   - *Channels:* Hacker News (Show HN), Twitter/X (AI tech Twitter).
-   - *Hook:* "Tired of fragile Python/Playwright agent wrappers? opencortex uses a deterministic Lisp microkernel to formally verify LLM actions before execution."
-
-** Launch Materials
-- **Demo Video (2 minutes):** Show the one-liner install, the agent running the `Scribe` skill in the background, and the user querying it via `opencortex chat`.
-- **Blog Post / Essay:** "Why we built an Autonomous Agent in Common Lisp." Discuss the fragility of current SOTA (Devin/SWE-agent) and the necessity of the Bouncer/Policy gates.
-
-* 4. Post-Launch Community Engagement
-- Encourage "Show and Tell" in GitHub Discussions.
-- Create a "Skill Directory" where users can share their custom `.org` skills.
-- Actively solicit feedback for the v0.2.0 (Lisp TUI) roadmap.

docs/quickstart.org

@@ -1,55 +0,0 @@
-#+TITLE: Quickstart Guide: The Road to Autonomousty
-#+AUTHOR: Amr
-#+DATE: [2026-04-11 Sat]
-#+FILETAGS: :quickstart:onboarding:guide:
-
-* 1. Introduction
-Welcome to ~opencortex~, the "Executive Soul" of your personal OS. This guide will help you set up and interact with your first probabilistic-deterministic agent.
-
-* 2. Prerequisites
-Before launching the harness, ensure your host environment has:
-- **Docker & Docker Compose**: The primary enclosure for the Lisp Machine.
-- **LLM API Keys**: At least one key for Gemini, Anthropic, or OpenAI.
-- **Emacs (Optional)**: For the full literate experience via ~opencortex.el~.
-
-* 3. Installation & Enclosure
-** Step 1: Clone the Autonomousty
-#+begin_src bash
-git clone https://github.com/amr/opencortex.git
-cd opencortex
-#+end_src
-
-** Step 2: Secret Configuration
-Copy the example environment file and add your keys.
-#+begin_src bash
-cp .env.example .env
-# Edit .env with your favorite editor
-#+end_src
-
-** Step 3: Launch the Image
-This will build the SBCL environment and start the Micro-Loader.
-#+begin_src bash
-docker-compose up --build -d
-#+end_src
-
-* 4. Interaction Gateways
-Once the harness is "Ready", you can interact with it via multiple sensors.
-
-** Gateway A: Emacs (communication protocol)
-If you have configured the ~opencortex~ package in Emacs:
-1. Open a chat buffer: ~M-x opencortex-chat-open~.
-2. Send: "Are you online, agent?"
-
-** Gateway B: External Sensors
-If you enabled Signal or Telegram in ~.env~, send a message directly to your bot.
-
-* 5. Verification (The Chaos Check)
-To ensure the harness is fully healthy, check the logs for the Micro-Loader summary:
-#+begin_src bash
-docker-compose logs -f opencortex
-#+end_src
-Look for: ~LOADER: Boot Complete. [Ready: 34] [Failed: 0]~
-
-* 6. Next Steps
-- **Extend the Brain**: Read the [[file:skill-creation.org][Skill Creation Guide]] to add custom Lisp skills.
-- **Deep Dive**: Explore the [[file:../literate/][literate/]] directory to understand the harness's architecture.

docs/rca/rca-boot-sequence.org

@@ -1,42 +0,0 @@
-#+TITLE: Root Cause Analysis: Micro-Loader & Deterministic Boot Sequence
-#+DATE: 2026-04-11
-#+FILETAGS: :rca:boot:loader:topological-sort:autonomy:
-
-* Executive Summary
-Refactored the arbitrary skill loading mechanism into a robust **Micro-Loader**. The system now calculates a deterministic boot sequence based on `#+DEPENDS_ON:` tags and protects the harness from malformed or hanging skills via package-based jailing and execution timeouts.
-
-* 1. Issue: Fragile Load Order
-** Symptoms
-Skills that depended on functions or variables from other skills would randomly fail to load depending on the filesystem's directory traversal order.
-** Root Cause
-`initialize-all-skills` used a simple `dolist` over `uiop:directory-files`, which has no semantic awareness of inter-skill dependencies.
-** Resolution
-1. **Metadata Scanning:** Implemented `parse-skill-metadata` to extract `:ID:` and `#+DEPENDS_ON:` without executing code.
-2. **Topological Sort:** Implemented a DFS-based `topological-sort-skills` to guarantee that prerequisites are loaded before their dependents.
-3. **Circular Detection:** Added explicit detection and error reporting for circular dependency loops.
-
-* 2. Issue: Shared State Corruption (Brain Rot)
-** Symptoms
-Variables or functions with the same name in different skills would silently overwrite each other, causing unpredictable behavior.
-** Root Cause
-All skills were being evaluated directly into the `opencortex` package.
-** Resolution
-**Package-Based Jailing:** Each skill is now evaluated within its own dedicated, shadowed package (e.g., `OPENCORTEX.SKILLS.ORG-SKILL-CHAT`). This ensures logical isolation while still allowing access to kernel exports.
-
-* 3. Issue: Boot Stall (The Hanging Skill)
-** Symptoms
-A single skill with an infinite loop or heavy synchronous initialization could hang the entire agent during startup.
-** Root Cause
-Skill loading was strictly synchronous and blocking on the main thread.
-** Resolution
-**Execution Timeouts:** Implemented `load-skill-with-timeout`, which wraps the loader in a monitored thread. If a skill takes longer than 5 seconds to initialize, the loader terminates the thread, jails the failure, and continues with the rest of the boot sequence.
-
-* 4. opencortex Mandate Alignment
-** Evolutionary Kernel
-The boot sequence is now a verifiable, mathematical process rather than a side-effect of filesystem organization.
-** Literate Granularity
-The `org-skill-skills.org` source was refactored into a strictly granular "one definition per block" format.
-
-* 5. Permanent Learnings
-- **Reverse Topological Order:** Remember that a DFS-based sort with `push` needs an `nreverse` to place dependencies at the front of the list.
-- **Path Portability:** Use `uiop:getcwd` instead of `pwd` for more reliable path resolution across different Lisp implementations and OSes.

docs/rca/rca-bouncer.org

@@ -1,33 +0,0 @@
-#+TITLE: Root Cause Analysis: Deterministic Engine Bouncer & Authorization Gate
-#+DATE: 2026-04-11
-#+FILETAGS: :rca:bouncer:authorization:autonomy:security:
-
-* Executive Summary
-Implemented the "Planning Mode" Bouncer to intercept high-risk Probabilistic Engine proposals (e.g., shell commands, Lisp evaluation). The system now forces these actions into an asynchronous "Flight Plan" Org node for manual Autonomous approval, fulfilling the "everything is a node" and high-integrity mandates.
-
-* 1. Issue: Automated High-Risk Execution
-** Symptoms
-Probabilistic Engine proposals involving `shell` or `eval` were executed immediately upon passing the `decide` gate's safety harness. This lacked human-in-the-loop oversight for irreversible or complex operations.
-** Root Cause
-Architecture gap. The system lacked an authorization state between "Safe" and "Executed".
-** Resolution
-1. **Interceptor:** Added `bouncer-check` to `deterministic.lisp`. It flags high-risk actions that lack the `:approved t` property.
-2. **Asynchronous Event:** If flagged, the harness emits an `:approval-required` event.
-3. **Flight Plan Skill:** Created `org-skill-bouncer.org` to:
-   - Catch the event and create a serialized Org node with state `PLAN`.
-   - Monitor the Memory for `APPROVED` states.
-   - Re-inject approved actions with the `:approved t` bypass flag.
-
-* 2. Design Decision: Org-native Approval
-** Requirement
-Align with "Homoiconic Memory" and "Lisp Machine Autonomousty".
-** Selected Path
-State-Based Approval (Org-native).
-- *Pros:* Auditable, asynchronous, utilizes existing Org-mode workflows.
-- *Cons:* Slightly more latency than an interactive prompt.
-** Alignment
-Ensures that the agent's "Flight Plans" are first-class citizens in the Memex, allowing the Autonomous to review and approve them using standard GTD tools.
-
-* 3. Permanent Learnings
-- **Serial Bypass:** Always include a specific bypass flag (e.g., `:approved t`) when re-injecting intercepted actions to prevent infinite interception loops.
-- **Heartbeat Listeners:** Periodic scanning of the Memory for state transitions is an effective way to implement asynchronous authorization gates without blocking the harness.

docs/rca/rca-formal-verification.org

@@ -1,36 +0,0 @@
-#+TITLE: Root Cause Analysis: Lisp-Native Formal Verification Gate
-#+DATE: 2026-04-11
-#+FILETAGS: :rca:security:formal-verification:autonomy:
-
-* Executive Summary
-Implemented a Lisp-Native Deterministic Prover to replace heuristic whitelisting with formal security invariants. This ensures that every high-impact action (shell, file I/O) is mathematically proven safe against the Autonomous's core mandates.
-
-* 1. Architectural Shift: Native vs. External
-** Issue
-The initial draft suggested using `Z3`, an external SMT solver. However, `Z3` was not available in the environment and would add significant complexity/bloat to the Docker image.
-** Resolution
-Leveraged Common Lisp's inherent strength in symbol manipulation to build a **Lisp-Native Prover**. Invariants are defined as high-order predicates that operate on the structure of proposed actions. This provides a self-contained, high-performance verification layer.
-
-* 2. Issue: Dependency Fragility
-** Symptoms
-System failed to load with `Package STR does not exist`.
-** Root Cause
-Incorrect assumption about the Quicklisp system name vs. the package name. The library is `cl-str` but the Quicklisp system is `str` and the package is `str`.
-** Resolution
-1. Updated `opencortex.asd` to depend on `:str`.
-2. Updated all source code and literate notes to use the `str:` prefix.
-3. Verified via explicit `ql:quickload` in the test runner.
-
-* 3. Formal Invariants Implemented
-- **Path Confinement:** Deterministically proves that any file operation or absolute path in a shell command is strictly within the `/home/user/memex` root.
-- **No Network Exfiltration:** Prevents the shell from invoking common exfiltration tools (`nc`, `ssh`, etc.) by inspecting the parsed command structure.
-
-* 4. opencortex Mandate Alignment
-** Soundness over Heuristics
-By moving to formal invariants, we have moved from "blacklisting bad things" to "proving safety." Any action that cannot be proven to satisfy all invariants is denied by default.
-** Literate Granularity
-The `org-skill-formal-verification.org` file follows the "one definition per block" mandate, ensuring that the logic of each invariant is individually documented and verifiable.
-
-* 5. Permanent Learnings
-- **Tooling Independence:** Whenever possible, prefer native Lisp logic over external binaries for core security gates to reduce the attack surface and deployment complexity.
-- **Environment Consistency:** Always use `(setf (uiop:getenv ...) ...)` for portable environment manipulation in tests.

docs/rca/rca-gateway-matrix.org

@@ -1,40 +0,0 @@
-#+TITLE: Root Cause Analysis: Matrix Gateway & Communication Track Completion
-#+DATE: 2026-04-11
-#+FILETAGS: :rca:gateway:matrix:chat:autonomy:
-
-* Executive Summary
-Successfully implemented the third and final external communication channel (Matrix) for OpenCortex v1.0. Resolved integration issues related to case-sensitivity in JSON keys and strict header requirements in `dexador`.
-
-* 1. Issue: Symbol Casing in JSON Keys
-** Symptoms
-The `TEST-MATRIX-INBOUND-NORMALIZATION` test failed because `room-id` was being extracted as `"!ROOM:HS.ORG"` (uppercase) instead of `"!room:hs.org"`.
-** Root Cause
-Common Lisp's default reader converts symbol names to uppercase. When `(string car-of-alist)` was called on a symbol generated by `cl-json`, it produced an uppercase string.
-** Resolution
-Updated the implementation to use `(string-downcase (string ...))` for room IDs and other case-sensitive Matrix identifiers.
-
-* 2. Issue: Since Token Extraction Failure
-** Symptoms
-The sync loop failed to update the `*matrix-since-token*`, causing duplicate message processing risk.
-** Root Cause
-Anticipating `:next-batch` but receiving `:next--batch` (or vice versa) due to inconsistent `cl-json` behavior across different environments or structures.
-** Resolution
-Implemented a robust `(or (cdr (assoc :next-batch json)) (cdr (assoc :next--batch json)))` lookup to handle both hyphenation styles.
-
-* 3. Issue: Type Error in Authorization Headers
-** Symptoms
-`dex:put` crashed with a `TYPE-ERROR`.
-** Root Cause
-I was passing a single string or an incorrectly nested list where `dexador` expected a strict alist of header pairs `(("Key" . "Value") ...)`.
-** Resolution
-Standardized all gateway HTTP calls to use proper alist nesting for headers.
-
-* 4. Completion: Communication Track
-With Telegram, Signal, and Matrix gateways now verified and passing tests, the OpenCortex has achieved full multi-channel parity.
-- **Telegram:** Polling via Bot API.
-- **Signal:** Wrapping `signal-cli`.
-- **Matrix:** Polling via `/sync` Client API.
-
-* 5. Permanent Learnings
-- **Case Sensitivity:** Matrix IDs (rooms, users) are case-sensitive; Lisp symbols are not. Always force downcasing or use strings for storage.
-- **Header Alists:** Always use dotted pairs `("Key" . "Value")` for `dexador` headers.

docs/rca/rca-gateway-signal.org

@@ -1,33 +0,0 @@
-#+TITLE: Root Cause Analysis: Signal Gateway & Multi-Channel Chat
-#+DATE: 2026-04-11
-#+FILETAGS: :rca:gateway:signal:chat:autonomy:
-
-* Executive Summary
-Successfully implemented the second external communication channel (Signal) using `signal-cli`. Further hardened the multi-channel chat logic and resolved JSON mapping discrepancies between Common Lisp and external CLI outputs.
-
-* 1. Issue: JSON Key Mapping Mismatch
-** Symptoms
-The `TEST-SIGNAL-INBOUND-NORMALIZATION` test failed despite the mock JSON appearing correct.
-** Root Cause
-`cl-json` default behavior for decoding. It converts camelCase keys from JSON (e.g., `dataMessage`) into kebab-case keywords in Lisp (e.g., `:DATA-MESSAGE`). I had incorrectly anticipated `:DATA--MESSAGE` or `:DATA_MESSAGE`.
-** Resolution
-1. **Diagnostic:** Added debug output to the test suite to inspect the exact plist structure returned by `cl-json`.
-2. **Correction:** Updated both the implementation and the literate note to use the correct `:DATA-MESSAGE` and `:SOURCE` keywords.
-
-* 2. Implementation: Signal-CLI Wrapper
-** Strategy
-Unlike Telegram's HTTP API, Signal requires a local binary (`signal-cli`). 
-- **Sensor:** Uses `uiop:run-program` with `receive --json` in a polling loop (5s interval).
-- **Actuator:** Uses `uiop:run-program` with `send -m <text> <recipient>`.
-** Security
-The system uses the pre-configured Signal account `+13322690326` discovered in the user's memex.
-
-* 3. Alignment with opencortex Mandates
-** Literate Granularity
-Strictly adhered to the "one definition per block" mandate throughout the new `org-skill-gateway-signal.org` file.
-** Verification
-The `gateway-signal-suite` (10 checks) provides full coverage for inbound parsing and outbound command generation.
-
-* 4. Permanent Learnings
-- **JSON Semantics:** Always verify the specific keyword transformation rules of the JSON library when dealing with external CLI outputs.
-- **Process Robustness:** `uiop:run-program` is the reliable standard for CLI-based gateways in SBCL.

docs/rca/rca-gateway-telegram.org

@@ -1,43 +0,0 @@
-#+TITLE: Root Cause Analysis: Telegram Gateway & Channel-Aware Chat
-#+DATE: 2026-04-11
-#+FILETAGS: :rca:gateway:telegram:chat:autonomy:
-
-* Executive Summary
-Successfully implemented the first external communication channel (Telegram) and decoupled the Chat Agent from its Emacs-centric roots. Resolved significant load-order and dependency issues identified during integration.
-
-* 1. Issue: Undefined Foundational Functions
-** Symptoms
-During compilation, `gateway-telegram.lisp` failed with `UNDEFINED-FUNCTION` for `register-actuator` and `harness-log`.
-** Root Cause
-Poorly scoped foundational functions. These were defined in `core.lisp` (the loop orchestrator), which was loaded *after* the gateways in `opencortex.asd`. This created a "Circular Intention" where the gateways needed the harness to exist before the harness could load the gateways.
-** Resolution
-1. **Relocation:** Moved `*actuator-registry*` and `register-actuator` to `communication.lisp` (the foundation).
-2. **Reordering:** Adjusted `opencortex.asd` to load `core.lisp` (containing the stimulus loop) immediately after the deterministic gates but before the physical sensors (gateways).
-
-* 2. Issue: Hardcoded Chat UI
-** Symptoms
-The `Chat Agent` could only respond via Emacs buffer insertion, rendering it useless for external channels like Telegram.
-** Root Cause
-Architectural myopia. The original chat skill assumed the user was always in front of Emacs.
-** Resolution
-Refactored `org-skill-chat` to be **Channel-Aware**:
-- It now extracts `:channel` and `:chat-id` from the inbound stimulus.
-- It dynamically generates the Probabilistic Engine mandate, instructing the LLM to use the appropriate `:target` (e.g., `:telegram`) based on the conversation context.
-
-* 3. Side-Issue: UIOP Portability
-** Symptoms
-Tests failed with `Symbol "SETENV" not found in the UIOP/DRIVER package`.
-** Root Cause
-Misinterpretation of the `UIOP` API. `setenv` is not a standard export; the portable way is using `(setf (uiop:getenv ...) ...)`.
-** Resolution
-Updated all test environment setup to use the `setf` accessor.
-
-* 4. opencortex Mandate Alignment
-** Autonomous Boundary
-By moving the Telegram API logic to a user-space skill and communicating with the core via standard stimuli, we have respected the microkernel boundary.
-** Homoiconic Memory
-All Telegram interactions are now logged as `:chat-message` events, ensuring the agent's history is unified regardless of the platform.
-
-* 5. Permanent Learnings
-- **Foundation First:** Registries and logging macros must reside in the most foundational layers (`protocol` or `package`) to avoid load-order fragility.
-- **Instruct the Actuator:** When adding new channels, always update the Chat Agent's neural prompt so it knows how to "speak" back through the new interface.

docs/rca/rca-infrastructure-docker.org

@@ -1,30 +0,0 @@
-#+TITLE: Root Cause Analysis: Containerized Infrastructure (Docker)
-#+DATE: 2026-04-11
-#+FILETAGS: :rca:docker:deployment:infrastructure:autonomy:
-
-* Executive Summary
-Standardized the `opencortex` execution environment by creating a production-grade Docker infrastructure. This ensures that all system dependencies, including the Lisp runtime and external binaries like `signal-cli`, are locked down and portable.
-
-* 1. Architectural Intent: The "Clean Room" Model
-** Problem
-The `opencortex` was relying on host-local binaries (`sbcl`, `signal-cli`) and manually configured Quicklisp dists. This made deployment to other environments (e.g., a VPS or a Autonomous Home Server) fragile and prone to version drift.
-** Solution
-1. **Dockerfile:** Created a multi-step build process that installs Debian Bookworm, SBCL, Java, and `signal-cli 0.14.0`.
-2. **Pre-Caching:** The build process triggers a `ql:quickload` of the `:opencortex` system, ensuring all Lisp dependencies are pre-downloaded and stored in the image layer, drastically reducing startup time.
-3. **Compose Orchestration:** Standardized the runtime via `docker-compose.yml`, which handles volume mounting of the user's `memex` directory and injection of `.env` secrets.
-
-* 2. Volume Mapping & Persistence
-** Strategy
-To maintain the "Autonomous" mandate, the agent's code is isolated, but its memory (the `memex`) remains on the host. 
-- **Mapping:** `../..` (host) -> `/memex` (container).
-- **State:** Created a named Docker volume `signal-state` to ensure that `signal-cli` identities and cryptographic keys survive container restarts and image updates.
-
-* 3. Alignment with opencortex Mandates
-** Evolutionary Completion
-By moving to Docker, we have achieved "Evolutionary Completion" for the deployment track. The system is no longer a collection of scripts; it is a deployable appliance.
-** Documentation
-A new `Deployment Guide` was added to `docs/deployment.org` to ensure standard operating procedures are preserved.
-
-* 4. Permanent Learnings
-- **Lisp Build Layers:** Always push the system to the ASDF registry and quickload during Docker build to bake dependencies into the image.
-- **Compose Locality:** Placing the `docker-compose.yml` inside the `projects/opencortex/` folder keeps infrastructure code close to the implementation logic.

docs/rca/rca-lisp-repair-async.org

@@ -1,33 +0,0 @@
-#+TITLE: Root Cause Analysis: Asynchronous Lisp Repair Syntax Gate
-#+DATE: 2026-04-11
-#+FILETAGS: :rca:lisp:repair:decoupling:architecture:autonomy:
-
-* Executive Summary
-Reimplemented the `org-skill-lisp-repair` to align with the "Autonomous Boundary" mandate. The previously synchronous, core-blocking repair logic has been replaced with an asynchronous, event-driven architecture using the Reactive Signal Pipeline.
-
-* 1. Issue: Core Bloat & Synchronous Coupling
-** Symptoms
-The initial implementation of the Lisp Repair gate placed a `handler-case` and a dynamic function call (`repair-lisp-syntax`) directly inside the core `think` function (`probabilistic.lisp`). This forced the core to wait for repairs and made it "aware" of specific repair logic.
-** Root Cause
-Architectural shortcutting. By placing repair logic in the core execution path, we violated the microkernel principle which mandates that the core should be a "dumb" signal processor.
-** Resolution
-1. **Refactored Core:** `think` now only emits a `:syntax-error` stimulus if parsing fails. It no longer attempts to repair.
-2. **Asynchronous Skill:** `skill-lisp-repair` now triggers on the `:syntax-error` event. It performs the repair and returns the corrected action, which is then dispatched by the pipeline.
-
-* 2. Side-Issue: Nested Signal Payloads
-** Symptoms
-`TYPE-ERROR` during testing when extracting the broken code from the stimulus.
-** Root Cause
-Mismatched expectations of signal nesting. The skill expected the code at `(getf context :payload)`, but in the `decide-gate`, `context` is the full signal, and the error details were nested inside the `:candidate` field of that signal.
-** Resolution
-Updated the deterministic logic to correctly traverse the nested signal structure: `(getf (getf context :candidate) :payload)`.
-
-* 3. opencortex Mandate Alignment
-** Autonomous Boundary
-The core is now strictly a parser. Repair is an optional, user-space service.
-** Reactive Signal Pipeline
-Leveraged the pipeline's ability to re-inject `EVENT` signals to flatten the recursion of the repair loop.
-
-* 4. Permanent Learnings
-- **Emit, Don't Call:** In a microkernel, if a non-fatal error occurs, always emit a signal rather than calling a recovery function. This allows the system to remain asynchronous and modular.
-- **Signal Inspection:** When writing deterministic gates, always verify the exact shape of the `context` signal being passed by the harness to avoid nesting errors.

docs/rca/rca-playwright-bridge.org

@@ -1,39 +0,0 @@
-#+TITLE: Root Cause Analysis: Playwright-Python Bridge (High-Fidelity Browsing)
-#+DATE: 2026-04-11
-#+FILETAGS: :rca:intelligence:browsing:automation:autonomy:
-
-* Executive Summary
-Successfully implemented a high-fidelity browsing bridge using Playwright and Python. This allows the `opencortex` to interact with modern, JavaScript-rendered web applications that were previously inaccessible via simple HTTP clients.
-
-* 1. Architectural Strategy: The I/O Bridge
-** Problem
-Common Lisp lacks a mature, native Playwright implementation. Direct bindings are complex and fragile.
-** Resolution
-Implemented a **JSON-over-STDIO Bridge**. 
-- A standalone Python script (`browser-bridge.py`) manages the Playwright lifecycle and Chromium instance.
-- The Lisp kernel communicates with this script using `uiop:run-program`, passing parameters via `stdin` and receiving structured results via `stdout`. This provides a stable, decoupled interface.
-
-* 2. Environment & Dependency Management
-** Issue
-Playwright requires a specific version of Chromium and several system-level libraries not present in the base Debian image.
-** Resolution
-Updated the `Dockerfile` to:
-1. Install Python3, pip, and venv.
-2. Create a virtual environment for isolated dependency management.
-3. Install the `playwright` package and execute `playwright install --with-deps chromium` during the image build. This ensures the production container is ready for high-fidelity browsing immediately upon startup.
-
-* 3. Cognitive Tooling
-Created the `:browser` cognitive tool, which exposes three primary capabilities to Probabilistic Engine:
-- **Navigation:** Full JS rendering and waiting for network idle.
-- **Extraction:** Targeted text retrieval via CSS selectors.
-- **Vision:** Base64-encoded screenshot capture for future multimodal processing.
-
-* 4. opencortex Mandate Alignment
-** Zero-Bloat (Managed)
-While adding Playwright increases the image size, it is a "Complexity Earned" trade-off that dramatically expands the agent's capability frontier.
-** Literate Granularity
-The `org-skill-playwright.org` file strictly follows the "one definition per block" mandate.
-
-* 5. Permanent Learnings
-- **Inter-Process JSON:** JSON is the ideal lingua franca for Lisp-Python bridges.
-- **Path Portability:** Always use `uiop:native-namestring` when passing Lisp paths to external shell commands to ensure OS compatibility.

docs/rca/rca-provider-verification.org

@@ -1,40 +0,0 @@
-#+TITLE: Root Cause Analysis: Individual Provider Track Verification
-#+DATE: 2026-04-11
-#+FILETAGS: :rca:providers:llm:testing:autonomy:
-
-* Executive Summary
-Verified the unified LLM gateway implementation for all 6 individual provider tracks (Anthropic, Gemini, Groq, OpenAI, OpenRouter, Ollama). Identified and resolved critical parsing failures in the Gemini track and integration gaps in the system build definition.
-
-* 1. Issue: Fragile Response Parsing (Gemini)
-** Symptoms
-Gemini API responses were returning `NIL` content during mocked unit tests, despite the JSON structure being seemingly correct.
-** Root Cause
-Recursive `assoc` / `car` / `cdr` chains were hardcoded and brittle. Specifically, the Gemini extraction logic was incorrectly attempting to treat a single alist pair as a list of pairs, causing `assoc` to fail on the `:TEXT` key.
-** Resolution
-Implemented a robust `get-nested` helper function that safely traverses both nested objects (alists) and arrays (lists of alists). This normalized the extraction logic across all providers.
-
-* 2. Issue: Decoupled Build Configuration
-** Symptoms
-Provider logic was present in the codebase but inaccessible during tests and runtime.
-** Root Cause
-The `credentials-vault.lisp` and `llm-gateway.lisp` files (consolidated in a previous session) were never added to the `opencortex.asd` system definition. Furthermore, an incorrect loading order caused `UNDEFINED-FUNCTION` errors for `register-probabilistic-backend`.
-** Resolution
-1. Added both files to `opencortex.asd`.
-2. Enforced strict loading order: `probabilistic` (defines registry) -> `credentials-vault` -> `llm-gateway` (uses registry).
-
-* 3. Issue: Credential Key Mismatch
-** Symptoms
-Gemini requests failed with "API Key missing" even when environment variables were set.
-** Root Cause
-`llm-gateway` requested secrets for the `:gemini-api` provider, but the `credentials-vault` fallback logic only recognized the `:gemini` keyword.
-** Resolution
-Updated `vault-get-secret` to map both `:gemini` and `:gemini-api` to the same `GEMINI_API_KEY` environment variable.
-
-* 4. opencortex Mandate Alignment
-** Invariant Check
-- *High-Integrity Memory:* All individual provider tracks are now backed by automated unit tests (`llm-gateway-tests.lisp`).
-- *Literate Programming:* Updated `org-skill-llm-gateway.org` to reflect the improved `get-nested` utility.
-
-* 5. Permanent Learnings
-- **Tooling vs Source:** Tangled `.lisp` files are not enough; always ensure new modules are registered in the `.asd` file to be part of the official kernel build.
-- **Robustness over Brevity:** Use abstraction helpers like `get-nested` instead of deep `car/cdr` chains when dealing with external JSON structures that may have varying array/object nesting.

docs/rca/rca-self-fix-loop.org

@@ -1,40 +0,0 @@
-#+TITLE: Root Cause Analysis: Autonomous Self-Fix Loop Verification
-#+DATE: 2026-04-11
-#+FILETAGS: :rca:self-fix:autonomy:testing:
-
-* Executive Summary
-Verified the autonomous repair capability of the `Self-Fix Agent`. The system successfully detected a deterministic type error in a secondary skill, initiated a repair request, and programmatically patched the source code via the `:repair-file` tool.
-
-* 1. Issue: Self-Fix Mechanism Verification
-** Symptoms
-Manual verification was required to prove that `org-skill-self-fix` could transition from "Thinking" about a bug to "Acting" on the file system.
-** Root Cause
-N/A (Deterministic test injection).
-** Resolution
-Created `self-fix-tests.lisp` which:
-1. Generates `org-skill-broken-math.org` with a `(+ 1 "two")` bug.
-2. Triggers the bug to produce a `PIPELINE CRASH`.
-3. Injects a `:repair-request` stimulus.
-4. Executes `self-fix-apply` to replace the bug with `(+ 1 2)`.
-5. Verifies the file content and successful hot-reload.
-
-* 2. Side-Issue: ASDF Configuration Fragility
-** Symptoms
-Repeated `LOAD-SYSTEM-DEFINITION-ERROR` and "unmatched close parenthesis" errors during test integration.
-** Root Cause
-Complexity in the `:components` nesting of `opencortex.asd` led to repeated syntax errors when using automated editing tools. The deep nesting made manual paren counting prone to "off-by-one" errors.
-** Resolution
-Refactored `opencortex.asd` to use a **Flat Component Structure**. 
-- *Before:* `:components ((:module "src" :components (...)))`
-- *After:* `:components ((:file "src/package") ...)`
-This eliminates unnecessary nesting levels and drastically reduces the surface area for syntax errors.
-
-* 3. opencortex Mandate Alignment
-** Invariant Check
-- *Lisp Machine Autonomousty:* Verification utilized hot-reloading (`load-skill-from-org`) without restarting the SBCL image.
-- *Literate Programming:* Updated `org-skill-self-fix.org` to match the finalized `self-fix.lisp` logic.
-- *Institutional Memory:* This RCA documents the decision to flatten the `.asd` structure to prevent future "Parenthesis Hell" incidents.
-
-* 4. Permanent Learnings
-- **Flatten Configuration:** Keep `defsystem` definitions as flat as possible. The overhead of `:module` blocks often outweighs their organizational benefit in a probabilistic-deterministic environment where agents frequently edit these files.
-- **Mocking Probabilistic Engine:** For verifying *loop mechanics*, mocking LLM responses is essential to ensure test determinism, while integration tests can use live LLM calls.

docs/rca/rca-shell-hardening.org

@@ -1,33 +0,0 @@
-#+TITLE: Root Cause Analysis: Shell Actuator Security Hardening
-#+DATE: 2026-04-11
-#+FILETAGS: :rca:security:shell:injection:autonomy:
-
-* Executive Summary
-During the formal verification of the `org-skill-shell-actuator`, a critical command injection vulnerability was identified and patched. The previous implementation relied on a naive whitelist check that could be bypassed using shell metacharacters.
-
-* 1. Issue: Command Injection Vulnerability
-** Symptoms
-Commands like `ls ; rm -rf /` were potentially executable if the first word (`ls`) was in the whitelist. 
-** Root Cause
-The `execute-shell-safely` function only checked the first space-delimited word of the command string against the `*allowed-commands*` whitelist. Since `uiop:run-program` executes string-based commands via `/bin/sh -c`, the shell would process the entire string, including injected commands following metacharacters like `;`, `&`, or `|`.
-** Resolution
-1. **Metacharacter Blacklist:** Introduced `*shell-metacharacters*` containing dangerous shell symbols (`; & | > < $ \` \ !`).
-2. **Strict Validation:** Updated `execute-shell-safely` to scan the *entire* command string for these characters before performing the whitelist check.
-3. **Defense-in-Depth:** Any command containing a metacharacter is now rejected with a "Security Violation" error, even if the primary command is whitelisted.
-
-* 2. Side-Issue: Missing Package Context
-** Symptoms
-`UNDEFINED-FUNCTION EXECUTE-SHELL-SAFELY` during unit tests.
-** Root Cause
-`src/shell-logic.lisp` was missing an `(in-package :opencortex)` declaration, causing symbols to be defined in the default `COMMON-LISP-USER` package instead of the harness package.
-** Resolution
-Added the `in-package` header to `shell-logic.lisp`.
-
-* 3. opencortex Mandate Alignment
-** Invariant Check
-- *High-Integrity Memory:* The shell actuator is now formally verified with 4 new unit tests covering whitelist enforcement and injection blocking.
-- *Literate Programming:* Updated `org-skill-shell-actuator.org` Phase A and Build sections to reflect the hardened logic.
-
-* 4. Permanent Learnings
-- **Whole-String Validation:** Never assume that whitelisting the "head" of a command string is sufficient when passing that string to a shell. 
-- **Subshell Avoidance:** While the current fix blacklists metacharacters, future iterations should move toward passing command arguments as a Lisp list to `uiop:run-program`, bypassing the shell entirely.

docs/rca/rca-task-orchestrator.org

@@ -1,48 +0,0 @@
-#+TITLE: Root Cause Analysis: Consolidation VI - Task Orchestrator Implementation
-#+DATE: 2026-04-11
-#+FILETAGS: :rca:orchestrator:consensus:integrity:
-
-* Executive Summary
-The implementation of Consolidation VI (Task Orchestrator) aimed to introduce parallel multi-backend consensus, GTD task integrity, and delegation. During the build, a critical dependency failure was identified in the `lisp-validator` module.
-
-* 1. Issue: Undefined `SAFETY-HARNESS-VALIDATE`
-** Symptoms
-Existing `SAFETY-SUITE` tests failed with `#<UNDEFINED-FUNCTION SAFETY-HARNESS-VALIDATE>`.
-** Root Cause
-The function `lisp-validator-validate` was exported in `package.lisp` but never actually defined in `lisp-validator.lisp`. Only the internal recursive walker `lisp-validator-ast-walk` existed. This represents a "Hollow Export" bug where the interface was designed but the implementation was truncated or skipped in a previous session.
-** Resolution
-Defined `lisp-validator-validate` as a wrapper around `read-from-string` and `lisp-validator-ast-walk`.
-
-* 2. Design Decision: Deterministic Consensus
-** Requirement
-Multi-backend support to reduce hallucinations and increase reliability.
-** Solution
-Implemented `bt:make-thread` parallel queries in `ask-probabilistic`.
-** Trade-off
-Selected "Majority Rules" over "First-to-Finish".
-- *Pros:* Higher accuracy, mathematically consistent.
-- *Cons:* Slower (latency limited by the slowest provider).
-** Invariant Alignment
-Aligns with opencortex Mandate 4 (Radical Transparency) and Invariant 2 (Technical Mastery) by ensuring decisions are auditable and consistent across multiple brains.
-
-* 3. Design Decision: Task Integrity Gate
-** Requirement
-Prevent illegal GTD state transitions.
-** Solution
-Added `task-integrity-check` in `deterministic.lisp`.
-** Invariant Alignment
-Enforces the "High-Integrity Memory" mandate by ensuring the Org-mode AST remains semantically valid according to GTD rules (e.g., no orphaned active tasks).
-
-* 4. opencortex Mandate Violations during Session (Corrected)
-** Violations
-1. Editing without prior commit.
-2. Direct `.lisp` edits vs Literate Org tangling.
-3. Multi-function edits per block.
-** Correction
-1. Performed a retrospective commit.
-2. Synchronized `probabilistic-deterministic.org` and `core.org` with source code.
-3. Refactored the Markdown flight plan into an Org-mode flight plan.
-
-* 5. Permanent Learnings
-- *Check Exports:* Always verify that symbols exported in `package.lisp` have a corresponding definition in the literate source.
-- *Strict opencortex Mode:* Enable a pre-save hook or agent check to ensure all edits are performed within `#+begin_src` blocks in Literate Org files to avoid synchronization debt.

docs/ux.org

@@ -1,66 +0,0 @@
-#+TITLE: User Experience (UX) Journey
-#+AUTHOR: Amr
-#+FILETAGS: :ux:design:autonomy:
-#+STARTUP: content
-
-* Overview
-This document traces the intended User Experience (UX) journey for the ~opencortex~. It serves as a living design document to ensure that architectural decisions align with a frictionless, autonomous, and intuitive user interaction model.
-
-* 1. The Zero-to-One Experience (Onboarding)
-** Goal
-A user should be able to go from discovering the project to having a running, calibrated agent in under 3 minutes, with zero prerequisite knowledge of Lisp.
-
-** The Appliance Paradigm (Primary Path)
-The user runs a single command in their terminal:
-#+begin_src bash
-curl -fsSL https://raw.githubusercontent.com/gharbeia/opencortex/main/scripts/install.sh | bash
-#+end_src
-
-** The Interactive Wizard
-The script verifies Docker presence and then launches an interactive prompt before booting the container:
-1. *Identity:* "What is your name?" -> Configures ~$MEMEX_USER~
-2. *Assistant:* "What shall we name your Assistant?" -> Configures ~$MEMEX_ASSISTANT~
-3. *Neural Provider:* "Select your primary neural provider [Gemini/OpenRouter/Anthropic/OpenAI]" -> Configures API Keys.
-4. *Data Gravity:* "Where is your Memex located?" -> Maps the host directory to the Docker container.
-
-*Outcome:* The `.env` is generated, core skills are seeded into the user's Memex, and `docker-compose up -d` launches the daemon in the background. The user sees: /"Booting your autonomous brain in the background..."/
-
-* 2. The First Contact (The CLI Gateway)
-** Goal
-Immediately after boot, the user needs a way to verify the agent is alive and capable of answering questions about their Memex without configuring complex third-party integrations (like Telegram bots).
-
-** The Interaction
-The user types a local client command to connect to the background daemon:
-#+begin_src bash
-opencortex chat
-#+end_src
-
-This opens a slick, colorful interactive terminal session:
-#+begin_example
-> User: Hello, what are my active projects?
-> Agent: [Thinking...]
-> Agent: You currently have 3 active projects:
->        1. OpenCortex v1.0
->        2. Home Renovation
->        3. Read 'The Autonomous Individual'
-#+end_example
-
-** Behind the Scenes
-1. The ~opencortex chat~ client connects to the daemon's local port (e.g., 9105).
-2. It sends a ~:chat-message~ signal.
-3. The core harness routes this to the Probabilistic Engine.
-4. The Context Manager retrieves active projects from the Memex AST.
-5. The Deterministic Engine (Bouncer) verifies it is a safe read-only action.
-6. The ~:cli~ Actuator formats the Lisp response into Markdown and sends it back over the socket.
-
-* 3. The Interactive Refinement (v0.2.0)
-** Goal
-Transition from a "Verified Wrapper" around netcat to a high-fidelity, native Common Lisp TUI that rivals the experience of ~gemini-cli~.
-
-** Features
-- *Homoiconic UI:* The TUI is rendered directly by the Lisp kernel, allowing for live introspection of the agent's thoughts.
-- *Rich Formatting:* ANSI colors, bold headers, and syntax-highlighted code blocks.
-- *Command Palette:* Slash commands for system control without leaving the chat.
-
-* 4. The Continuous Loop (Daily Usage)
-(To be defined as the agent's capabilities expand into Scribe, Gardener, and Emacs-native interactions).

extras/passepartout.el

@@ -0,0 +1,214 @@
+;;; passepartout.el --- Emacs bridge for Passepartout AI assistant  -*- lexical-binding: t; -*-
+
+;; Author: Passepartout Project
+;; Version: 0.4.0
+;; Keywords: tools, processes, lisp
+;; URL: https://github.com/amrgharbeia/passepartout
+
+;;; Commentary:
+
+;; Connects to the Passepartout daemon on localhost:9105 via TCP.
+;; Speaks the framed plist protocol — 6-character hex length prefix
+;; followed by a prin1'd S-expression — identical to the TUI and CLI.
+;; The daemon does not know or care whether the client is the Croatoan
+;; TUI, the CLI, or Emacs.
+
+;; Framed protocol (per core-communication.org):
+;;   SEND: 6-char hex length + prin1'd plist
+;;   RECV: read 6-char header → parse hex length → read N bytes →
+;;         read-from-string (with read-eval nil on daemon side)
+
+;; Usage:
+;;   M-x passepartout RET        — connect to daemon, open response buffer
+;;   M-x passepartout-send-region — send selected region as user-input
+;;   M-x passepartout-send-buffer — send entire buffer
+;;   M-x passepartout-disconnect  — close connection
+
+;;; Code:
+
+(require 'cl-lib)
+
+(defgroup passepartout nil
+  "Emacs bridge for Passepartout AI assistant."
+  :group 'applications)
+
+(defcustom passepartout-host "127.0.0.1"
+  "Host where the Passepartout daemon is running."
+  :type 'string
+  :group 'passepartout)
+
+(defcustom passepartout-port 9105
+  "Port where the Passepartout daemon is listening."
+  :type 'integer
+  :group 'passepartout)
+
+(defvar passepartout-process nil
+  "Network process for the Passepartout connection.")
+
+(defvar passepartout--buffer ""
+  "Accumulation buffer for partial framed messages.")
+
+(defvar passepartout-response-buffer-name "*passepartout*"
+  "Name of the buffer where daemon responses are rendered.")
+
+;;;###autoload
+(defun passepartout ()
+  "Connect to the Passepartout daemon and open the response buffer."
+  (interactive)
+  (unless (and passepartout-process (process-live-p passepartout-process))
+    (setq passepartout-process
+          (make-network-process
+           :name "passepartout"
+           :host passepartout-host
+           :service passepartout-port
+           :filter #'passepartout--filter
+           :sentinel #'passepartout--sentinel
+           :coding 'utf-8-unix
+           :noquery t))
+    (setq passepartout--buffer ""))
+  (switch-to-buffer (get-buffer-create passepartout-response-buffer-name))
+  (passepartout-response-mode)
+  (message "Passepartout: connecting to %s:%d..." passepartout-host passepartout-port))
+
+(defun passepartout-disconnect ()
+  "Disconnect from the Passepartout daemon."
+  (interactive)
+  (when passepartout-process
+    (delete-process passepartout-process)
+    (setq passepartout-process nil
+          passepartout--buffer "")
+    (message "Passepartout: disconnected.")))
+
+;;; Protocol: framing
+
+(defun passepartout--frame-message (msg)
+  "Serialize MSG as a framed plist: 6-char hex length + prin1 output."
+  (let* ((payload (prin1-to-string msg))
+         (len (string-bytes payload)))
+    (format "%06x%s" len payload)))
+
+(defun passepartout--send (msg)
+  "Send a framed message to the daemon."
+  (when (and passepartout-process (process-live-p passepartout-process))
+    (process-send-string passepartout-process (passepartout--frame-message msg))))
+
+;;; Protocol: receive
+
+(defun passepartout--filter (proc string)
+  "Accumulate data and extract complete framed messages."
+  (setq passepartout--buffer (concat passepartout--buffer string))
+  (while (>= (length passepartout--buffer) 6)
+    (let* ((hex-len (substring passepartout--buffer 0 6))
+           (len (condition-case nil
+                    (string-to-number hex-len 16)
+                  (error nil))))
+      (if (not len)
+          (progn
+            (setq passepartout--buffer (substring passepartout--buffer 1))
+            (message "Passepartout: invalid frame header, skipping byte"))
+        (let ((total-needed (+ 6 len)))
+          (if (>= (length passepartout--buffer) total-needed)
+              (let* ((payload-str (substring passepartout--buffer 6 total-needed))
+                     (msg (condition-case nil
+                              (read-from-string payload-str)
+                            (error nil))))
+                (setq passepartout--buffer (substring passepartout--buffer total-needed))
+                (when msg
+                  (passepartout--handle-message msg)))
+            ;; Need more data, wait for next chunk
+            (setq passepartout--buffer passepartout--buffer)))))))
+
+(defun passepartout--sentinel (proc event)
+  "Handle connection state changes."
+  (when (string-match-p "closed\\|failed" event)
+    (setq passepartout-process nil
+          passepartout--buffer "")
+    (with-current-buffer (get-buffer-create passepartout-response-buffer-name)
+      (let ((inhibit-read-only t))
+        (goto-char (point-max))
+        (insert (format "* Connection lost: %s\n\n" event))))
+    (message "Passepartout: connection lost (%s)" event)))
+
+;;; Message handling
+
+(defun passepartout--handle-message (msg)
+  "Process a parsed daemon message and render in the response buffer."
+  (with-current-buffer (get-buffer-create passepartout-response-buffer-name)
+    (let ((inhibit-read-only t)
+          (payload (when (listp msg) (plist-get msg :PAYLOAD)))
+          (gate-trace (when (listp msg) (plist-get msg :GATE-TRACE))))
+      (goto-char (point-max))
+      (cond
+       ;; Agent text response
+       ((and payload (plist-get payload :TEXT))
+        (insert (format "* Agent [%s]\n%s\n"
+                        (format-time-string "%H:%M")
+                        (plist-get payload :TEXT)))
+        (when gate-trace
+          (passepartout--render-gate-trace gate-trace))
+        (insert "\n"))
+       ;; Handshake
+       ((and payload (eq (plist-get payload :ACTION) :HANDSHAKE))
+        (insert (format "* Connected to Passepartout v%s\n\n"
+                        (or (plist-get payload :VERSION) "?"))))
+       ;; Rule count / foveal update — display in mode line
+       ((and payload (plist-get payload :RULE-COUNT))
+        (setq passepartout-rule-count (plist-get payload :RULE-COUNT))
+        (force-mode-line-update))
+       ;; Fallback: dump raw
+       (t
+        (insert (format "* [%s] %s\n\n"
+                        (format-time-string "%H:%M")
+                        (prin1-to-string msg))))))))
+
+(defvar passepartout-rule-count 0
+  "Number of pending HITL rules from the Dispatcher.")
+
+(defun passepartout--render-gate-trace (trace)
+  "Render the gate trace as property drawer entries."
+  (insert ":PROPERTIES:\n")
+  (dolist (entry trace)
+    (when (listp entry)
+      (let ((gate (plist-get entry :GATE))
+            (result (plist-get entry :RESULT)))
+        (insert (format ":GATE: %s — %s\n"
+                        (if gate (symbol-name gate) "?")
+                        (symbol-name result))))))
+  (insert ":END:\n"))
+
+;;; Interactive commands
+
+(defun passepartout-send-region (beg end)
+  "Send the selected region as user input to Passepartout."
+  (interactive "r")
+  (unless passepartout-process
+    (passepartout))
+  (let ((text (buffer-substring-no-properties beg end)))
+    (passepartout--send (list :TYPE :EVENT
+                              :PAYLOAD (list :SENSOR :user-input :TEXT text)))
+    (message "Passepartout: sent %d chars" (length text))))
+
+(defun passepartout-send-buffer ()
+  "Send the entire buffer content as user input to Passepartout."
+  (interactive)
+  (unless passepartout-process
+    (passepartout))
+  (passepartout-send-region (point-min) (point-max)))
+
+;;; Response buffer mode
+
+(defvar passepartout-response-mode-map
+  (let ((map (make-sparse-keymap)))
+    (define-key map (kbd "q") #'quit-window)
+    (define-key map (kbd "g") #'passepartout)
+    map)
+  "Keymap for `passepartout-response-mode'.")
+
+(define-derived-mode passepartout-response-mode special-mode "Passepartout"
+  "Major mode for viewing Passepartout daemon responses.
+\\{passepartout-response-mode-map}"
+  (setq buffer-read-only t)
+  (setq-local font-lock-defaults nil))
+
+(provide 'passepartout)
+;;; passepartout.el ends here

infrastructure/docker/Dockerfile

@@ -0,0 +1,23 @@
+FROM debian:trixie-slim
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get install -y \
+    sbcl emacs-nox curl git socat netcat-openbsd rlwrap \
+    libssl-dev libncurses-dev libffi-dev zlib1g-dev libsqlite3-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN curl -O https://beta.quicklisp.org/quicklisp.lisp \
+    && sbcl --non-interactive --load quicklisp.lisp \
+        --eval "(quicklisp-quickstart:install)" \
+        --eval "(ql-util:without-prompting (ql:add-to-init-file))" \
+    && rm quicklisp.lisp
+
+WORKDIR /app
+COPY . .
+
+RUN mkdir -p /root/memex && ./passepartout.sh configure --non-interactive
+
+EXPOSE 9105
+
+CMD ["./passepartout.sh", "daemon"]

infrastructure/docker/docker-compose.yml

@@ -0,0 +1,16 @@
+services:
+  passepartout:
+    build:
+      context: ../../
+      dockerfile: infrastructure/docker/Dockerfile
+    container_name: passepartout
+    env_file: ../../.env
+    volumes:
+      - ../../../..:/memex
+      - signal-state:/root/.local/share/signal-cli
+    ports:
+      - "${ORG_AGENT_DAEMON_PORT:-9105}:9105"
+    restart: unless-stopped
+
+volumes:
+  signal-state:

infrastructure/passepartout.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Passepartout Daemon
+Documentation=https://github.com/amrgharbeia/passepartout
+After=network.target
+
+[Service]
+Type=simple
+User=%u
+ExecStart=%h/projects/passepartout/passepartout daemon
+Restart=on-failure
+RestartSec=10
+WorkingDirectory=%h/projects/passepartout
+
+[Install]
+WantedBy=default.target

literate/act.org

@@ -1,135 +0,0 @@
-#+TITLE: Stage 3: Act (act.lisp)
-#+AUTHOR: Amr
-#+FILETAGS: :harness:act:
-#+STARTUP: content
-
-* Stage 3: Act (act.lisp)
-** Architectural Intent: Actuation
-The Act stage performs the final side-effects of the reasoning engine. It routes approved actions to their registered physical actuators (CLI, Shell, Emacs, etc.) and handles the execution of internal system tools.
-
-** Actuator Configuration
-The core harness can be configured via environment variables to operate silently or target different default outputs.
-
-#+begin_src lisp :tangle ../src/act.lisp
-(in-package :opencortex)
-
-(defvar *default-actuator* :cli)
-(defvar *silent-actuators* '(:cli :system-message :emacs))
-
-(defun initialize-actuators ()
-  "Loads actuator routing defaults from environment variables and registers core harness actuators."
-  (let ((def (uiop:getenv "DEFAULT_ACTUATOR"))
-        (silent (uiop:getenv "SILENT_ACTUATORS")))
-    (when def
-      (setf *default-actuator* (intern (string-upcase def) "KEYWORD")))
-    (when silent
-      (setf *silent-actuators*
-            (mapcar (lambda (s) (intern (string-upcase (string-trim '(#\Space) s)) "KEYWORD"))
-                    (str:split "," silent)))))
-  
-  ;; Register core harness actuators
-  (register-actuator :system #'execute-system-action)
-  (register-actuator :tool #'execute-tool-action))
-#+end_src
-
-** Dispatching Actions
-The `dispatch-action` function is the primary router. It identifies the target actuator and executes the requested side-effects.
-
-#+begin_src lisp :tangle ../src/act.lisp
-(defun dispatch-action (action context)
-  "Routes an approved action to its registered physical actuator."
-  (when (and action (listp action))
-    (let* ((target (or (ignore-errors (getf action :target)) *default-actuator*)) 
-           (actuator-fn (gethash target *actuator-registry*)))
-      (if actuator-fn 
-          (funcall actuator-fn action context) 
-          (harness-log "ACT ERROR: No actuator for ~a" target)))))
-#+end_src
-
-** Internal System Actions
-The `:system` actuator handles internal harness commands like code evaluation and dynamic skill loading.
-
-#+begin_src lisp :tangle ../src/act.lisp
-(defun execute-system-action (action context)
-  "Processes internal harness commands. (ACTUATOR)"
-  (declare (ignore context))
-  (let* ((payload (ignore-errors (getf action :payload))) 
-         (cmd (ignore-errors (getf payload :action))))
-    (case cmd
-      (:eval (let ((code (getf payload :code)))
-               (eval (read-from-string code))))
-      (:create-skill (let* ((filename (getf payload :filename)) (content (getf payload :content))
-                            (skills-dir (merge-pathnames "skills/" (asdf:system-source-directory :opencortex))) 
-                            (full-path (merge-pathnames filename skills-dir)))
-                       (with-open-file (out full-path :direction :output :if-exists :supersede) (write-string content out))
-                       (load-skill-from-org full-path)))
-      (:message (harness-log "ACT [System]: ~a" (getf payload :text)))
-      (t (harness-log "ACT ERROR [System]: Unknown command ~s" cmd)))))
-#+end_src
-
-** Cognitive Tool Actuation
-The `:tool` actuator handles the execution of registered cognitive tools.
-
-#+begin_src lisp :tangle ../src/act.lisp
-(defun execute-tool-action (action context)
-  "Executes a registered cognitive tool. (ACTUATOR)"
-  (let* ((payload (getf action :payload))
-         (tool-name (getf payload :tool))
-         (tool-args (getf payload :args))
-         (depth (getf context :depth 0))
-         (tool (gethash (string-downcase (string tool-name)) *cognitive-tools*)))
-    (if tool
-        (handler-case
-            (let* ((clean-args (if (and (listp tool-args) (listp (car tool-args))) (car tool-args) tool-args))
-                   (result (funcall (cognitive-tool-body tool) clean-args)))
-              (list :type :EVENT :depth (1+ depth) :reply-stream (getf context :reply-stream)
-                    :payload (list :sensor :tool-output :result result :tool tool-name)))
-          (error (c)
-            (list :type :EVENT :depth (1+ depth) :reply-stream (getf context :reply-stream)
-                  :payload (list :sensor :tool-error :tool tool-name :message (format nil "~a" c)))))
-        (list :type :EVENT :depth (1+ depth) :reply-stream (getf context :reply-stream)
-              :payload (list :sensor :tool-error :message "Tool not found")))))
-#+end_src
-
-** The Act Gate
-The final stage of the metabolic loop. It performs a "last-mile" safety check before dispatching the action to the registered actuator.
-
-#+begin_src lisp :tangle ../src/act.lisp
-(defun act-gate (signal)
-  "Final Stage: Actuation and feedback generation."
-  (let* ((approved (getf signal :approved-action))
-         (type (getf signal :type))
-         (feedback nil))
-    
-    ;; 1. Last-Mile Safety Check (The Bouncer & Deterministic Gates)
-    (when approved
-      (let ((verified (deterministic-verify approved signal)))
-        (if (and (listp verified) (member (getf verified :type) '(:LOG :EVENT :log :event)))
-            (progn
-              (harness-log "ACT BLOCKED: Action failed last-mile deterministic check.")
-              (setf (getf signal :approved-action) nil)
-              (setf approved nil)
-              (setf feedback verified))
-            (progn
-              (setf (getf signal :approved-action) verified)
-              (setf approved verified)))))
-
-    ;; 2. Actuation Logic
-    (case type
-      (:REQUEST (dispatch-action signal signal))
-      (:EVENT 
-       (when approved
-         (let* ((target (getf approved :target))
-                (result (dispatch-action approved signal)))
-           ;; If the actuator returns a signal (like :tool-output), it becomes the feedback.
-           ;; Otherwise, generate tool-output feedback for non-silent actuators.
-           (cond ((and (listp result) (member (getf result :type) '(:EVENT :LOG)))
-                  (setf feedback result))
-                 ((and result (not (member target *silent-actuators*)))
-                  (setf feedback (list :type :EVENT :depth (1+ (getf signal :depth 0)) 
-                                       :reply-stream (getf signal :reply-stream)
-                                       :payload (list :sensor :tool-output :result result :tool approved)))))))))
-    
-    (setf (getf signal :status) :acted)
-    feedback))
-#+end_src

literate/communication.org

@@ -1,133 +0,0 @@
-#+TITLE: Communication Protocol (communication.lisp)
-#+AUTHOR: Amr
-#+FILETAGS: :harness:protocol:
-#+STARTUP: content
-
-* Communication Protocol (communication.lisp)
-** Architectural Intent: Secure Inter-Process Communication & Deterministic Framing
-
-The **communication protocol** defines the exact physical and semantic boundaries for how the isolated Lisp environment talks to the outside world.
-
-The system operates as a perfectly deterministic, highly secure computational engine. When communicating with external processes or actuators—such as an Emacs client, a web dashboard, or a remote Shell script—it cannot rely on unpredictable, "loose" data streams. 
-
-Streaming raw Lisp or JSON over a TCP socket is inherently fragile. If a multi-megabyte Org Abstract Syntax Tree (AST) is fragmented by the operating system's network stack during transmission, a standard stream parser might attempt to evaluate an incomplete string, leading to immediate crashes or desynchronization.
-
-To solve this, we implement the **communication protocol**, which enforces absolute deterministic boundaries around every message.
-
-*** 1. Physical Boundary: Hex-Length Prefixing
-Every message crossing the wire is prefixed with a strict 6-character hexadecimal length string (zero-padded). This creates an unbreakable physical boundary. The system reads exactly the number of bytes specified by the hex length. It will never under-read (crashing on a partial form) and never over-read (consuming bytes meant for the next message). 
-
-*** 2. Actuator-Agnosticism ("Dumb Terminal" Architecture)
-The protocol keeps the Lisp environment completely agnostic of its clients. The system does not care if the client is written in Emacs Lisp, Python, or Rust. Any environment capable of calculating a byte length and opening a TCP socket can interface with the Lisp Machine.
-
-*** 3. Preventing Reader Macro Injection
-Common Lisp's ~read-from-string~ is extremely powerful but dangerous; it allows "reader macros" (like ~#.~) which execute code during the parsing phase. The communication protocol mandates that ~*read-eval*~ is explicitly bound to ~nil~ before any network data is parsed, physically preventing arbitrary code execution.
-
-** Message Framing Logic
-#+begin_src mermaid
-flowchart LR
-    subgraph Client
-        A[Lisp Property List] --> B[Calculate Length]
-        B --> C[Hex Prefix: 6 Chars]
-        C --> D[Concatenate: Length + List]
-    end
-    D -- TCP Socket --> System
-    subgraph System
-        System --> E[Read 6 Hex Chars]
-        E --> F[Read Exact Byte Count]
-        F --> G[Parse S-Expression]
-    end
-#+end_src
-
-** Package Context
-We ensure all protocol logic resides within the isolated system namespace.
-
-#+begin_src lisp :tangle ../src/communication.lisp
-(in-package :opencortex)
-#+end_src
-
-** Actuator Registry
-The system maintains a decoupled registry of target actuators. This allows the system to route messages to Emacs, the Shell, or Web Gateways without hardcoding the routing logic into the protocol itself.
-
-#+begin_src lisp :tangle ../src/communication.lisp
-(defvar *actuator-registry* (make-hash-table :test 'equal)
-  "Global registry mapping target keywords to their physical actuator functions.")
-
-(defun register-actuator (name fn) 
-  "Registers an actuator function. Actuators receive: (ACTION CONTEXT)."
-  (setf (gethash name *actuator-registry*) fn))
-#+end_src
-
-** Message Framing (frame-message)
-The ~frame-message~ function prepares an outgoing Lisp string for transmission. It calculates the byte length, converts it into a 6-character padded hex string, and prefixes it. If ~COMMUNICATION_PROTOCOL_ENFORCE_HMAC~ is enabled in the environment, it also prepends a cryptographic signature to ensure the message hasn't been tampered with.
-
-#+begin_src lisp :tangle ../src/communication.lisp
-(defun frame-message (msg-string)
-  "Prefixes MSG-STRING with a 6-character hex length.
-   If security is enabled, prefixes a 64-char HMAC-SHA256 signature."
-  (let ((len (length msg-string))
-        (enforce-hmac (uiop:getenv "COMMUNICATION_PROTOCOL_ENFORCE_HMAC")))
-    (if (and enforce-hmac (string-equal enforce-hmac "true"))
-        (let ((secret (uiop:getenv "COMMUNICATION_PROTOCOL_HMAC_SECRET")))
-          (unless secret (error "COMMUNICATION_PROTOCOL_HMAC_SECRET is required when security is enabled."))
-          (let* ((key (ironclad:ascii-string-to-byte-array secret))
-                 (hmac (ironclad:make-mac :hmac key :sha256))
-                 (payload-bytes (ironclad:ascii-string-to-byte-array msg-string)))
-            (ironclad:update-mac hmac payload-bytes)
-            (let ((signature (ironclad:byte-array-to-hex-string (ironclad:produce-mac hmac))))
-              (format nil "~(~6,'0x~)~a~a" len signature msg-string))))
-        (format nil "~(~6,'0x~)~a" len msg-string))))
-#+end_src
-
-** Message Parsing (parse-message)
-Parsing is the high-security inverse of framing. This function acts as the final perimeter defense. It validates the length, verifies the HMAC integrity, and—most importantly—jails the Lisp reader by disabling ~*read-eval*~. 
-
-#+begin_src lisp :tangle ../src/communication.lisp
-(defun parse-message (framed-string)
-  "Extracts and parses the S-expression from a framed string securely."
-  (when (< (length framed-string) 6)
-    (error "Framed string too short"))
-  (let* ((enforce-hmac (uiop:getenv "COMMUNICATION_PROTOCOL_ENFORCE_HMAC"))
-         (use-hmac (and enforce-hmac (string-equal enforce-hmac "true")))
-         (prefix-len (if use-hmac 70 6)))
-    (when (< (length framed-string) prefix-len)
-      (error "Framed string too short for communication protocol prefix"))
-    
-    (let* ((len-str (subseq framed-string 0 6))
-           (signature (when use-hmac (subseq framed-string 6 70)))
-           (actual-msg (subseq framed-string prefix-len))
-           (expected-len (ignore-errors (parse-integer len-str :radix 16))))
-      (unless expected-len
-        (error "Invalid hex length prefix: ~a" len-str))
-      (unless (= expected-len (length actual-msg))
-        (error "Message length mismatch. Expected ~a, got ~a" expected-len (length actual-msg)))
-      
-      (when use-hmac
-        (let ((secret (uiop:getenv "COMMUNICATION_PROTOCOL_HMAC_SECRET")))
-          (unless secret (error "COMMUNICATION_PROTOCOL_HMAC_SECRET is required when security is enabled."))
-          (let* ((key (ironclad:ascii-string-to-byte-array secret))
-                 (hmac (ironclad:make-mac :hmac key :sha256))
-                 (payload-bytes (ironclad:ascii-string-to-byte-array actual-msg)))
-            (ironclad:update-mac hmac payload-bytes)
-            (let ((expected-signature (ironclad:byte-array-to-hex-string (ironclad:produce-mac hmac))))
-              (unless (string-equal signature expected-signature)
-                (error "communication protocol Integrity Failure: HMAC mismatch"))))))
-      
-      ;; SECURITY: Disable the reader's ability to execute code during parsing
-      (let ((*read-eval* nil))
-        (let ((msg (read-from-string actual-msg)))
-          (validate-communication-protocol-schema msg)
-          msg)))))
-#+end_src
-
-** Handshaking (make-hello-message)
-Every session begins with a standard ~HELLO~ handshake, allowing the system to announce its capabilities and protocol version to the connecting client.
-
-#+begin_src lisp :tangle ../src/communication.lisp
-(defun make-hello-message (version)
-  "Constructs the standard HELLO handshake message."
-  (list :type :EVENT 
-        :payload (list :action :handshake 
-                       :version version 
-                       :capabilities '(:auth :swank :org-ast))))
-#+end_src

literate/context.org

@@ -1,259 +0,0 @@
-#+TITLE: Peripheral Vision (context.lisp)
-#+AUTHOR: Amr
-#+FILETAGS: :harness:context:
-#+STARTUP: content
-
-* Peripheral Vision (context.lisp)
-** Architectural Intent: Context Optimization & The Foveal-Peripheral Hybrid
-
-A common failure mode for Large Language Models (LLMs) is the "Lost in the Middle" phenomenon, where the model's reasoning accuracy degrades as its context window becomes saturated with irrelevant data. Naive approaches to context management—such as simple character-count truncation or sliding windows—often sever the structural relationships that define an Org-mode Memex.
-
-The ~opencortex~ harness implements a deterministic, tree-aware solution: the **Foveal-Peripheral Hybrid Model**.
-
-*** 1. The Foveal Focus (High Resolution)
-When the harness prepares a prompt for the Probabilistic Engine, it identifies a "Foveal Focus"—typically the specific Org headline or task the user is currently interacting with. This node, along with its immediate children and semantically relevant neighbors, is rendered at "High Resolution," meaning its full body text, properties, and metadata are included in the prompt.
-
-*** 2. The Peripheral Vision (Low Resolution)
-To maintain global awareness without bloating the context window, the rest of the Memex is rendered at "Low Resolution." The harness recursively walks the Memory and generates a skeletal outline consisting only of titles and IDs. This gives the LLM a "mental map" of the entire system, allowing it to reference other projects or skills without needing to see their full content until they are explicitly brought into focus.
-
-*** 3. Deterministic Tree-Walking
-By leveraging Common Lisp's strengths in recursive tree manipulation, the harness can surgically prune the AST before it ever reaches the LLM. This ensures that the structural hierarchy of the Memex is preserved perfectly, even when the content is compressed.
-
-** The Context Pipeline
-#+begin_src mermaid
-flowchart TD
-    Store[(Memory)] --> Filter[Context Query Filter]
-    Filter --> Identification{Identify Foveal ID}
-    Identification --> Foveal[Render Focus: Full Content]
-    Identification --> Peripheral[Render Outline: Titles Only]
-    Foveal --> Assembly[Assemble Global Awareness String]
-    Peripheral --> Assembly
-    Assembly --> LLM[Probabilistic Engine Proposal]
-#+end_src
-
-* Context Assembly (context.lisp)
-The ~context.lisp~ module provides the deterministic functional layer for querying the Memory and transforming its internal pointers into the precise context strings required for neural reasoning.
-
-** Package Context
-We begin by ensuring we are executing within the correct isolated package namespace.
-
-#+begin_src lisp :tangle ../src/context.lisp
-(in-package :opencortex)
-#+end_src
-
-** Querying the Store (context-query-store)
-A generalized filter for the Memory. This function allows skills to perform high-level semantic sweeps of the Memex based on tags, TODO states, or Org element types. It returns a list of ~org-object~ structures.
-
-#+begin_src lisp :tangle ../src/context.lisp
-(defun context-query-store (&key tag todo-state type)
-  "Filters the Memory based on tags, todo states, or types."
-  (let ((results nil))
-    (maphash (lambda (id obj)
-               (declare (ignore id))
-               (let* ((attrs (org-object-attributes obj)) (state (getf attrs :TODO-STATE)) (match t))
-                 (when (and type (not (eq (org-object-type obj) type))) (setf match nil))
-                 (when tag (unless (search tag (format nil "~a" (getf attrs :TAGS)) :test #'string-equal) (setf match nil)))
-                 (when (and todo-state (not (equal state todo-state))) (setf match nil))
-                 (when match (push obj results))))
-             *memory*)
-    results))
-#+end_src
-
-** Active Projects (context-get-active-projects)
-Identifies headlines tagged with ~project~ that have not yet reached a terminal ~DONE~ state. This provides the primary high-level structure for the agent's global awareness.
-
-#+begin_src lisp :tangle ../src/context.lisp
-(defun context-get-active-projects ()
-  "Returns headlines tagged as 'project' that are not yet marked DONE."
-  (remove-if (lambda (obj) (equal (getf (org-object-attributes obj) :TODO-STATE) "DONE"))
-             (context-query-store :tag "project" :type :HEADLINE)))
-#+end_src
-
-** Completed Tasks (context-get-recent-completed-tasks)
-Retrieves a list of tasks that have reached the terminal ~DONE~ state. This is useful for providing the agent with historical context or for generating summaries of recent work.
-
-#+begin_src lisp :tangle ../src/context.lisp
-(defun context-get-recent-completed-tasks () 
-  "Retrieves recently finished tasks from the store."
-  (context-query-store :todo-state "DONE" :type :HEADLINE))
-#+end_src
-
-** Capability Discovery (context-list-all-skills)
-Provides a sorted list of all currently loaded skills. In a "Self-Writing" environment, the agent must be able to discover and understand its own capabilities. This function provides the metadata necessary for the agent to decide which skill to trigger or how to resolve dependencies.
-
-#+begin_src lisp :tangle ../src/context.lisp
-(defun context-list-all-skills ()
-  "Provides a sorted overview of currently loaded system capabilities."
-  (let ((results nil))
-    (maphash (lambda (name skill)
-               (declare (ignore name))
-               (push (list :name (skill-name skill) :priority (skill-priority skill) :dependencies (skill-dependencies skill)) results))
-             *skills-registry*)
-    (sort results #'> :key (lambda (x) (getf x :priority)))))
-#+end_src
-
-** Skill Inspection (context-get-skill-source)
-Reads the raw literate Org source of a specific skill. This is a foundational capability for an agent expected to eventually "self-write" or perform its own maintenance. By reading the literate source, the agent can understand the *intent* behind a skill's logic before proposing a modification. We use the `SKILLS_DIR` environment variable to locate the source files.
-
-#+begin_src lisp :tangle ../src/context.lisp
-(defun context-get-skill-source (skill-name)
-  "Reads the raw literate source of a specific skill for inspection."
-  (let* ((filename (format nil "~a.org" skill-name))
-         (skills-dir-str (or (uiop:getenv "SKILLS_DIR") (namestring (merge-pathnames "notes/" (user-homedir-pathname)))))
-         (skills-dir (uiop:ensure-directory-pathname (context-resolve-path skills-dir-str)))
-         (full-path (merge-pathnames filename skills-dir)))
-    (if (uiop:file-exists-p full-path) (uiop:read-file-string full-path) nil)))
-#+end_src
-
-** Harness Logs (context-get-system-logs)
-Retrieves the most recent entries from the harness's internal circular log buffer. This allows the Probabilistic Engine to see recent errors or successful dispatches, enabling it to course-correct or explain failures to the user. The log limit is externalized to `CONTEXT_LOG_LIMIT`.
-
-#+begin_src lisp :tangle ../src/context.lisp
-(defun context-get-system-logs (&optional limit)
-  "Retrieves the most recent lines from the harness's internal log."
-  (let ((log-limit (or limit (ignore-errors (parse-integer (uiop:getenv "CONTEXT_LOG_LIMIT"))) 20)))
-    (bt:with-lock-held (*logs-lock*)
-      (let ((count (min log-limit (length *system-logs*)))) 
-        (subseq *system-logs* 0 count)))))
-#+end_src
-
-** AST to Org Rendering (context-render-to-org)
-This is the core engine of the Foveal-Peripheral model. It recursively transforms the internal ~org-object~ graph back into an Org-mode string. 
-
-It implements the following deterministic logic:
-1.  **Depth 1 & 2:** Always rendered (High-level mental map).
-2.  **Foveal Node:** Rendered with full body content.
-3.  **Semantic Neighbors:** Rendered with full content if their similarity score exceeds the threshold.
-4.  **Peripheral Nodes:** Rendered as skeletal headlines (titles and IDs only).
-
-The semantic threshold is externalized to `CONTEXT_SEMANTIC_THRESHOLD`.
-
-#+begin_src lisp :tangle ../src/context.lisp
-(defun context-render-to-org (obj &key (depth 1) (foveal-id nil) semantic-threshold (foveal-vector nil))
-  "Recursively renders an org-object and its children to an Org string using a Foveal-Peripheral Hybrid model."
-  (let* ((id (org-object-id obj))
-         (is-foveal (equal id foveal-id))
-         (title (or (getf (org-object-attributes obj) :TITLE) "Untitled"))
-         (content (org-object-content obj))
-         (children (org-object-children obj))
-         (stars (make-string depth :initial-element #\*))
-         (obj-vector (org-object-vector obj))
-         (threshold (or semantic-threshold (ignore-errors (read-from-string (uiop:getenv "CONTEXT_SEMANTIC_THRESHOLD"))) 0.75))
-         (similarity (if (and foveal-vector obj-vector (not is-foveal))
-                         (cosine-similarity foveal-vector obj-vector)
-                         0.0))
-         (is-semantically-relevant (>= similarity threshold))
-         ;; We always render depth 1 and 2 (Projects and main tasks).
-         ;; We always render the foveal node and its immediate children.
-         ;; We render deeper nodes ONLY if they are semantically relevant.
-         (should-render (or (<= depth 2) is-foveal is-semantically-relevant))
-         (output ""))
-    
-    (when should-render
-      (setf output (format nil "~a ~a~%:PROPERTIES:~%:ID: ~a~%" stars title id))
-      (when is-semantically-relevant
-        (setf output (concatenate 'string output (format nil ":SEMANTIC_SCORE: ~,2f~%" similarity))))
-      (setf output (concatenate 'string output (format nil ":END:~%")))
-      
-      ;; Only include full body content if this is the Foveal focus or highly relevant
-      (when (and content (or is-foveal is-semantically-relevant))
-        (setf output (concatenate 'string output content (string #\Newline))))
-      
-      ;; Recursively render children
-      (dolist (child-id children)
-        (let ((child-obj (lookup-object child-id)))
-          (when child-obj
-            ;; If the current node is Foveal, its children should be rendered (depth effectively resets)
-            (let ((next-foveal (if is-foveal child-id foveal-id)))
-              (setf output (concatenate 'string output 
-                                        (context-render-to-org child-obj 
-                                                               :depth (1+ depth) 
-                                                               :foveal-id next-foveal
-                                                               :semantic-threshold threshold
-                                                               :foveal-vector foveal-vector))))))))
-    output))
-#+end_src
-
-** Path Resolution (context-resolve-path)
-A utility function that expands environment variables (like ~$HOME~ or ~$MEMEX_ROOT~) within path strings. This ensures that the agent can interact with files across different machine configurations without hardcoding absolute paths. This version is more robust, supporting multiple environment variables throughout the string.
-
-#+begin_src lisp :tangle ../src/context.lisp
-(defun context-resolve-path (path-string)
-  "Expands all environment variables ($VAR) within a path string."
-  (if (and (stringp path-string) (search "$" path-string))
-      (let ((result path-string))
-        (ppcre:do-register-groups (var-name) ("\\$([A-Za-z0-9_]+)" path-string)
-          (let ((var-val (uiop:getenv var-name)))
-            (when var-val
-              (setf result (ppcre:regex-replace (format nil "\\$~a" var-name) result var-val)))))
-        result)
-      path-string))
-#+end_src
-
-** Global Awareness (context-assemble-global-awareness)
-The primary entry point for context generation. This function identifies active projects and the current user focus (captured during the Perceive stage), then invokes the recursive renderer to assemble the pruned Org-mode skeletal outline sent to the LLM.
-
-#+begin_src lisp :tangle ../src/context.lisp
-(defun context-assemble-global-awareness (&optional signal)
-  "Produces a high-level skeletal outline of the current Memory for the LLM."
-  (let* ((foveal-id (or (getf signal :foveal-focus) 
-                        (ignore-errors (getf (getf signal :payload) :target-id))))
-         (projects (context-get-active-projects))
-         (output "GLOBAL MEMEX AWARENESS (Peripheral Vision):
-"))
-    (if projects
-        (dolist (project projects)
-          (setf output (concatenate 'string output
-                                    (context-render-to-org project :foveal-id foveal-id))))
-        (setf output (concatenate 'string output "No active projects found.~%")))
-    output))
-#+end_src
-
-* Phase E: Chaos (Verification)
-Following the Engineering Standards, the peripheral vision extraction and rendering logic must be empirically verified. 
-
-** Test Suite Context
-#+begin_src lisp :tangle ../tests/peripheral-vision-tests.lisp
-(defpackage :opencortex-peripheral-vision-tests
-  (:use :cl :fiveam :opencortex)
-  (:export #:vision-suite))
-(in-package :opencortex-peripheral-vision-tests)
-
-(def-suite vision-suite
-  :description "Verification of Foveal-Peripheral context model.")
-(in-suite vision-suite)
-#+end_src
-
-** Foveal Rendering Test
-Verify that the foveal target is rendered with content, while siblings are skeletal.
-
-#+begin_src lisp :tangle ../tests/peripheral-vision-tests.lisp
-(test test-foveal-rendering
-  "Verify that the foveal target is rendered with content, while siblings are skeletal."
-  (clrhash opencortex::*memory*)
-  (let* ((ast '(:type :HEADLINE :properties (:ID "proj-root" :TITLE "Project" :TAGS "project")
-                :contents ((:type :HEADLINE :properties (:ID "node-foveal" :TITLE "Foveal Node")
-                            :raw-content "FOVEAL CONTENT" :contents nil)
-                           (:type :HEADLINE :properties (:ID "node-peripheral" :TITLE "Peripheral Node")
-                            :raw-content "PERIPHERAL CONTENT" :contents nil)))))
-    (ingest-ast ast)
-    ;; Test both foveal focus in signal top-level and in payload (legacy)
-    (let ((output (context-assemble-global-awareness (list :foveal-focus "node-foveal"))))
-      (is (search "FOVEAL CONTENT" output))
-      (is (search "* Peripheral Node" output))
-      (is (not (search "PERIPHERAL CONTENT" output))))))
-#+end_src
-
-** Awareness Budget Test
-Verify that context-assemble-global-awareness handles multiple projects correctly.
-
-#+begin_src lisp :tangle ../tests/peripheral-vision-tests.lisp
-(test test-awareness-budget
-  "Verify that context-assemble-global-awareness handles multiple projects."
-  (clrhash opencortex::*memory*)
-  (ingest-ast '(:type :HEADLINE :properties (:ID "p1" :TITLE "Project 1" :TAGS "project") :contents nil))
-  (ingest-ast '(:type :HEADLINE :properties (:ID "p2" :TITLE "Project 2" :TAGS "project") :contents nil))
-  (let ((output (context-assemble-global-awareness)))
-    (is (search "Project 1" output))
-    (is (search "Project 2" output))))
-#+end_src

literate/loop.org

@@ -1,99 +0,0 @@
-#+TITLE: The Metabolic Loop (loop.lisp)
-#+AUTHOR: Amr
-#+FILETAGS: :harness:loop:
-#+STARTUP: content
-
-* The Metabolic Loop (loop.lisp)
-** Architectural Intent: The Heartbeat
-The Metabolic Loop is the high-level coordinator of the OpenCortex. It orchestrates the flow of energy (information) through the system by calling the three metabolic stages in sequence:
-1. **Perceive:** Sensory intake.
-2. **Reason:** Cognitive processing.
-3. **Act:** Physical side-effects.
-
-** Package and Variables
-The loop requires thread-safe interrupt handling to ensure that the agent can be stopped gracefully without leaving the Lisp image in an inconsistent state.
-
-#+begin_src lisp :tangle ../src/loop.lisp
-(in-package :opencortex)
-
-(defvar *interrupt-flag* nil)
-(defvar *interrupt-lock* (bt:make-lock "harness-interrupt-lock"))
-(defvar *heartbeat-thread* nil)
-#+end_src
-
-** The Metabolic Pipeline
-The `process-signal` function is the core metabolic processor. It iterates through the Perceive-Reason-Act gates until the signal is fully processed or an error state is reached. We have refined the error handling to ensure that memory rollbacks only occur on critical system failures, preventing transient tool errors from wiping short-term cognitive state.
-
-#+begin_src lisp :tangle ../src/loop.lisp
-(defun process-signal (signal)
-  "The entry point to the Metabolic Pipeline: Perceive -> Reason -> Act."
-  (let ((current-signal signal))
-    (loop while current-signal do
-      (let ((depth (getf current-signal :depth 0)))
-        (when (> depth 10) (harness-log "METABOLISM ERROR: Max depth reached.") (return nil))
-        (when (bt:with-lock-held (*interrupt-lock*) *interrupt-flag*)
-          (harness-log "METABOLISM: Interrupted.")
-          (bt:with-lock-held (*interrupt-lock*) (setf *interrupt-flag* nil))
-          (return nil))
-        (handler-case
-            (progn
-              (setf current-signal (perceive-gate current-signal))
-              (setf current-signal (reason-gate current-signal))
-              (setf current-signal (act-gate current-signal)))
-          (error (c)
-            (let ((sensor (ignore-errors (getf (getf current-signal :payload) :sensor))))
-              (harness-log "METABOLISM CRASH [~a]: ~a" (or sensor :unknown) c)
-              ;; Only rollback on critical errors, not standard tool or loop errors
-              (unless (member sensor '(:loop-error :tool-error :syntax-error))
-                (harness-log "CRITICAL ERROR: Initiating Micro-Rollback.")
-                (rollback-memory 0))
-              (if (or (> depth 2) (member sensor '(:loop-error :tool-error)))
-                  (setf current-signal nil)
-                  (setf current-signal (list :type :EVENT :depth (1+ depth) :reply-stream (getf current-signal :reply-stream)
-                                             :payload (list :sensor :loop-error :message (format nil "~a" c) :depth depth)))))))))))
-#+end_src
-
-** Heartbeat Mechanism
-The heartbeat ensures the agent remains "alive" even in the absence of external stimuli, allowing for latent reflection and periodic maintenance. The interval is externalized to the `HEARTBEAT_INTERVAL` environment variable.
-
-#+begin_src lisp :tangle ../src/loop.lisp
-(defun start-heartbeat ()
-  "Starts the background heartbeat thread. Interval is loaded from HEARTBEAT_INTERVAL."
-  (let ((interval (or (ignore-errors (parse-integer (uiop:getenv "HEARTBEAT_INTERVAL"))) 60)))
-    (setf *heartbeat-thread* 
-          (bt:make-thread 
-           (lambda () 
-             (loop 
-               (sleep interval) 
-               ;; inject-stimulus is synchronous for heartbeats, preventing accumulation.
-               (inject-stimulus (list :type :EVENT :payload (list :sensor :heartbeat :unix-time (get-universal-time)))))) 
-           :name "opencortex-heartbeat"))))
-#+end_src
-
-** Main Entry Point
-The `main` function initializes the environment, loads skills, and starts the heartbeat. It now includes a graceful shutdown handler for `SIGINT` (Ctrl+C) and uses `DAEMON_SLEEP_INTERVAL` to control its idle rhythm.
-
-#+begin_src lisp :tangle ../src/loop.lisp
-(defun main ()
-  "Entry point for the Skeleton MVP. Handles initialization and graceful shutdown."
-  (let* ((home (uiop:getenv "HOME"))
-         (env-file (uiop:merge-pathnames* ".local/share/opencortex/.env" (uiop:ensure-directory-pathname home))))
-    (when (uiop:file-exists-p env-file) (cl-dotenv:load-env env-file)))
-  
-  (initialize-actuators)
-  (initialize-all-skills)
-  (start-heartbeat)
-  
-  ;; Graceful shutdown handler for SBCL
-  #+sbcl
-  (sb-sys:enable-interrupt sb-unix:sigint 
-                           (lambda (sig code scp) 
-                             (declare (ignore sig code scp)) 
-                             (harness-log "SHUTDOWN: SIGINT received. Exiting...")
-                             (uiop:quit 0)))
-
-  (let ((sleep-interval (or (ignore-errors (parse-integer (uiop:getenv "DAEMON_SLEEP_INTERVAL"))) 3600)))
-    (loop 
-      (when (bt:with-lock-held (*interrupt-lock*) *interrupt-flag*) (return))
-      (sleep sleep-interval))))
-#+end_src

literate/manifest.org

@@ -1,77 +0,0 @@
-#+TITLE: Manifest (opencortex.asd)
-#+AUTHOR: Amr
-#+FILETAGS: :harness:system:
-#+STARTUP: content
-
-* Manifest (opencortex.asd)
-** Architectural Intent: The ASDF Skeleton
-
-The ~opencortex.asd~ file is the physical blueprint of the Lisp Machine. It uses **Another System Definition Facility (ASDF)** to orchestrate the compilation and loading of all harness modules. 
-
-Traditional Lisp systems often use complex, non-linear dependency graphs. However, the ~opencortex~ harness mandates a strict, linear bootstrap sequence.
-
-*** 1. Strict Serial Loading (:serial t)
-The harness uses the ~:serial t~ flag. This is a critical design choice that ensures every file is compiled and loaded in the exact order it appears in the ~:components~ list. This eliminates "macro-not-found" errors by guaranteeing that the ~package.lisp~ and ~skills.lisp~ (where the core macros are defined) are always established before any behavioral logic or skills are loaded.
-
-*** 2. Isolation of the Verification Suite
-To maintain a "Zero-Overhead" production environment, the testing logic is isolated into a secondary system: ~:opencortex/tests~. This allows the harness to boot in production without loading the ~FiveAM~ framework or the voluminous test data, keeping the memory footprint minimal and the attack surface small.
-
-** The Build Pipeline
-#+begin_src mermaid
-flowchart TD
-    Org[Literate Org Files] -- Tangle --> Lisp[Source .lisp Files]
-    Lisp --> ASDF[ASDF Manifest: .asd]
-    ASDF --> Loader[SBCL Compiler / Loader]
-    Loader --> Image[Live Harness Image]
-    Image -- Build --> Binary[Standalone Binary]
-#+end_src
-
-** Harness System Definition
-This system defines the core "Thin Harness." It includes the protocol, the object store, and the functional loop.
-
-#+begin_src lisp :tangle ../opencortex.asd
-(defsystem :opencortex
-  :name "opencortex"
-  :author "Amr"
-  :version "0.1.0"
-  :license "AGPLv3"
-  :description "The Probabilistic-Deterministic Lisp Machine Harness"
-  :depends-on (:usocket :bordeaux-threads :dexador :uiop :cl-dotenv :cl-ppcre :hunchentoot :ironclad :str :cl-json :uuid)
-  :serial t
-  :components ((:file "src/package")
-               (:file "src/skills")
-               (:file "src/policy")
-               (:file "src/communication-validator")
-               (:file "src/communication")
-               (:file "src/memory")
-               (:file "src/context")
-               (:file "src/probabilistic")
-               (:file "src/perceive")
-               (:file "src/reason")
-               (:file "src/act")
-               (:file "src/loop"))
-  :build-operation "program-op"
-  :build-pathname "opencortex-server"
-  :entry-point "opencortex:main")
-#+end_src
-
-** Verification Suite Definition
-This system contains the empirical tests required by the Engineering Standards. It depends on ~:opencortex~ and the ~FiveAM~ testing framework.
-
-#+begin_src lisp :tangle ../opencortex.asd
-(defsystem :opencortex/tests
-  :depends-on (:opencortex :fiveam)
-  :components ((:file "tests/communication-tests")
-               (:file "tests/pipeline-tests")
-               (:file "tests/act-tests")
-               (:file "tests/boot-sequence-tests")
-               (:file "tests/memory-tests")
-               (:file "tests/immune-system-tests"))
-  :perform (test-op (o s) 
-             (uiop:symbol-call :fiveam :run! (uiop:find-symbol* :communication-protocol-suite :opencortex-tests))
-             (uiop:symbol-call :fiveam :run! (uiop:find-symbol* :pipeline-suite :opencortex-pipeline-tests))
-             (uiop:symbol-call :fiveam :run! (uiop:find-symbol* :safety-suite :opencortex-safety-tests))
-             (uiop:symbol-call :fiveam :run! (uiop:find-symbol* :boot-suite :opencortex-boot-tests))
-             (uiop:symbol-call :fiveam :run! (uiop:find-symbol* :memory-suite :opencortex-memory-tests))
-             (uiop:symbol-call :fiveam :run! (uiop:find-symbol* :immune-suite :opencortex-immune-system-tests))))
-#+end_src

literate/memory.org

@@ -1,277 +0,0 @@
-#+TITLE: The System Memory (memory.lisp)
-#+AUTHOR: Amr
-#+FILETAGS: :harness:memory:
-#+STARTUP: content
-
-* The System Memory (memory.lisp)
-** Architectural Intent: The Single Address Space (Live Memory)
-
-Yes, the Memory module is the cognitive bedrock of the opencortex. It is not a database; it is the agent's live, active "brain" state.
-
-Traditional architectures rely on external databases (SQLite, Vector DBs) which introduce I/O latency and structural impedance. The opencortex architecture chooses a different path: the **Single Address Space**. By treating the entire knowledge base as a graph of Lisp pointers, we achieve microsecond recollection and total structural transparency.
-
-- **Pointer-Based Reasoning:** By loading the entire knowledge graph into a live Common Lisp hash table, we achieve microsecond recollection. The harness doesn't "search a file"; it traverses a memory pointer.
-- **Memory Imaging:** The ability to snapshot the Lisp image allows the agent to resume its entire cognitive state instantly, solving the "Cold Start" problem.
-- **Merkle-Tree Integrity:** Every node in the Memory is cryptographically hashed. By recursively hashing content and children, the root hash provides a single, immutable fingerprint of the entire system state.
-
-** System Architecture
-#+begin_src mermaid
-flowchart TD
-    subgraph LispMachine[Lisp Machine]
-        H[Harness Pipeline] --> OS[(Memory)]
-        S1[Skill: Architect] --> OS
-        S2[Skill: Analyst] --> OS
-        S3[Skill: GTD] --> OS
-        H -- Pointers --> S1
-        H -- Pointers --> S2
-    end
-    subgraph IPCSlow[External Layer]
-        E[Emacs / Actuators] -. communication protocol .-> H
-    end
-#+end_src
-
-** Package Context
-#+begin_src lisp :tangle ../src/memory.lisp
-(in-package :opencortex)
-#+end_src
-
-** The Object Repository
-The `*memory*` is the global hash table that holds every Org element by its unique ID. This is the "live RAM" of the agent's memory.
-
-#+begin_src lisp :tangle ../src/memory.lisp
-(defvar *memory* (make-hash-table :test 'equal))
-
-(defvar *history-store* (make-hash-table :test 'equal)
-  "Immutable Merkle-Tree versioning store mapping hashes to objects.")
-#+end_src
-
-** The Data Structure (org-object)
-Every element in the Memex (headlines, paragraphs, etc.) is represented by an `org-object` structure. It contains both semantic metadata (attributes, content) and structural metadata (parent/child pointers, Merkle hashes).
-
-#+begin_src lisp :tangle ../src/memory.lisp
-(defstruct org-object
-  id type attributes content vector parent-id children version last-sync hash)
-#+end_src
-
-** Merkle Tree Integrity (compute-merkle-hash)
-The `compute-merkle-hash` function ensures the cryptographic integrity of the knowledge graph. A node's hash depends on its own properties and the hashes of all its children. This creates a recursive fingerprint where any change to a single note propagates up to the root hash.
-
-#+begin_src lisp :tangle ../src/memory.lisp
-(defun compute-merkle-hash (id type attributes content child-hashes)
-  "Computes a SHA-256 Merkle hash for a node based on its core properties and children's hashes."
-  (let* ((alist (loop for (k v) on attributes by #'cddr collect (cons k v)))
-         (sorted-alist (sort alist #'string< :key (lambda (x) (format nil "~a" (car x)))))
-         (attr-string (format nil "~s" sorted-alist))
-         (children-string (format nil "~{~a~}" child-hashes))
-         (data-string (format nil "ID:~a|TYPE:~s|ATTRS:~a|CONTENT:~a|CHILDREN:~a"
-                              id type attr-string (or content "") children-string))
-         (digester (ironclad:make-digest :sha256)))
-    (ironclad:update-digest digester (ironclad:ascii-string-to-byte-array data-string))
-    (ironclad:byte-array-to-hex-string (ironclad:produce-digest digester))))
-#+end_src
-
-** Ingesting the AST (ingest-ast)
-The `ingest-ast` function is the primary bridge between the external world (Emacs/JSON) and the internal Lisp machine. It recursively parses an Org-mode Abstract Syntax Tree (AST) into `org-object` structures and registers them in the store.
-
-#+begin_src lisp :tangle ../src/memory.lisp
-(defun ingest-ast (ast &optional parent-id)
-  "Parses an Org AST into the recursive Lisp Memory with Merkle hashing."
-  (let* ((type (getf ast :type))
-         (props (getf ast :properties))
-         (id (or (getf props :ID) (format nil "temp-~a" (get-universal-time))))
-         (contents (getf ast :contents))
-         (raw-content (when (eq type :HEADLINE)
-                        (format nil "~a~%~a" (getf props :TITLE) (or (cl:getf ast :raw-content) ""))))
-         (should-embed (and raw-content (equal (getf props :EMBED) "t")))
-         (child-ids nil)
-         (child-hashes nil))
-    (dolist (child contents)
-      (when (listp child)
-        (let ((child-id (ingest-ast child id)))
-          (push child-id child-ids)
-          (let ((child-id-val child-id))
-             (let ((child-obj (lookup-object child-id-val)))
-               (when child-obj (push (org-object-hash child-obj) child-hashes)))))))
-    (setf child-ids (nreverse child-ids))
-    (setf child-hashes (nreverse child-hashes))
-    (let* ((hash (compute-merkle-hash id type props raw-content child-hashes))
-           (existing-obj (gethash hash *history-store*))
-           (obj (or existing-obj
-                    (make-org-object 
-                     :id id :type type :attributes props :content raw-content
-                     :vector (when should-embed (get-embedding raw-content))
-                     :parent-id parent-id :children child-ids
-                     :version (get-universal-time) :last-sync (get-universal-time)
-                     :hash hash))))
-      (unless existing-obj
-        (setf (gethash hash *history-store*) obj))
-      (setf (gethash id *memory*) obj)
-      id)))
-#+end_src
-
-** Memory Snapshots (snapshot-memory)
-Because objects are stored immutably in the `*history-store*`, a snapshot is a lightweight shallow copy of the active `*memory*` pointers. The system maintains a rolling buffer of 20 snapshots, allowing for near-instant, zero-cost rollback.
-
-#+begin_src lisp :tangle ../src/memory.lisp
-(defvar *object-store-snapshots* nil)
-
-(defun copy-hash-table (hash-table)
-  "Creates a shallow copy of a hash table."
-  (let ((new-table (make-hash-table :test (hash-table-test hash-table) 
-                                    :size (hash-table-size hash-table))))
-    (maphash (lambda (k v) (setf (gethash k new-table) v)) hash-table)
-    new-table))
-
-(defun snapshot-memory ()
-  "Creates a lightweight, Copy-on-Write snapshot using Merkle-Tree pointers."
-  (let ((snapshot (copy-hash-table *memory*)))
-    (push (list :timestamp (get-universal-time) :data snapshot) *object-store-snapshots*)
-    (when (> (length *object-store-snapshots*) 20)
-      (setf *object-store-snapshots* (subseq *object-store-snapshots* 0 20)))
-    (harness-log "MEMORY - CoW Memory snapshot created.")))
-#+end_src
-
-** Memory Rollback (rollback-memory)
-Restores the state of the Memex from one of the previous snapshots.
-
-#+begin_src lisp :tangle ../src/memory.lisp
-(defun rollback-memory (&optional (index 0))
-  "Restores the Memory to a previously captured snapshot using immutable history pointers."
-  (let ((snapshot (nth index *object-store-snapshots*)))
-    (if snapshot
-        (progn (setf *memory* (copy-hash-table (getf snapshot :data)))
-               (harness-log "MEMORY - Memory rolled back to snapshot ~a" index))
-        (harness-log "MEMORY ERROR - Snapshot ~a not found." index))))
-#+end_src
-
-** Lookup Utilities
-Basic functions for retrieving objects by ID or type.
-
-#+begin_src lisp :tangle ../src/memory.lisp
-(defun org-id-new ()
-  "Generates a new UUID string for Org-mode identification."
-  (string-downcase (format nil "~a" (uuid:make-v4-uuid))))
-
-(defun lookup-object (id) 
-  "Retrieves an object from the store by its unique ID."
-  (gethash id *memory*))
-
-(defun list-objects-by-type (type)
-  "Returns a list of all objects matching a specific Org element type."
-  (let ((results nil))
-    (maphash (lambda (id obj) (declare (ignore id)) (when (eq (org-object-type obj) type) (push obj results))) *memory*)
-    results))
-#+end_src
-
-** Structural Helpers
-Utility functions for AST traversal and path resolution.
-
-#+begin_src lisp :tangle ../src/memory.lisp
-(defun find-headline-missing-id (ast)
-  "Traverses an AST to find headlines that lack an :ID: property."
-  (when (listp ast)
-    (if (and (eq (getf ast :type) :HEADLINE) (not (getf (getf ast :properties) :ID)))
-        ast
-        (cl:some #'find-headline-missing-id (getf ast :contents)))))
-
-(defun file-name-nondirectory (path)
-  "Extracts the filename from a full path string."
-  (let ((pos (position #\/ path :from-end t))) (if pos (subseq path (1+ pos)) path)))
-#+end_src
-
-* Phase E: Chaos (Verification)
-Following the Engineering Standards, the Memory must be empirically verified through automated testing. The following test suite ensures the mathematical integrity of the Merkle hashes and the behavioral correctness of the immutable versioning and rollback systems.
-
-#+begin_src lisp :tangle ../tests/memory-tests.lisp
-(defpackage :opencortex-memory-tests
-  (:use :cl :fiveam :opencortex)
-  (:export #:memory-suite))
-
-(in-package :opencortex-memory-tests)
-
-(def-suite memory-suite
-  :description "Tests for the Merkle-Tree Memory.")
-
-(in-suite memory-suite)
-
-(test merkle-hash-consistency
-  (let* ((ast1 '(:type :HEADLINE :properties (:ID "test-1" :TITLE "Node 1") :contents nil))
-         (ast2 '(:type :HEADLINE :properties (:ID "test-1" :TITLE "Node 1") :contents nil)))
-    (clrhash *memory*)
-    (let ((id1 (ingest-ast ast1)))
-      (let ((hash1 (org-object-hash (lookup-object id1))))
-        (clrhash *memory*)
-        (let ((id2 (ingest-ast ast2)))
-          (let ((hash2 (org-object-hash (lookup-object id2))))
-            (is (equal hash1 hash2))))))))
-
-(test merkle-hash-cascading
-  (let* ((ast-leaf '(:type :HEADLINE :properties (:ID "leaf" :TITLE "Leaf") :contents nil))
-         (ast-root-full '(:type :HEADLINE :properties (:ID "root" :TITLE "Root") 
-                           :contents ((:type :HEADLINE :properties (:ID "leaf" :TITLE "Leaf") :contents nil))))
-         (id-root (progn (clrhash *memory*) (ingest-ast ast-root-full)))
-         (initial-root-hash (org-object-hash (lookup-object id-root))))
-      
-      ;; Now ingest a modified version (title change)
-      (let* ((ast-root-modified '(:type :HEADLINE :properties (:ID "root" :TITLE "Root") 
-                                 :contents ((:type :HEADLINE :properties (:ID "leaf" :TITLE "Leaf Modified") :contents nil))))
-             (id-root-mod (progn (clrhash *memory*) (ingest-ast ast-root-modified)))
-             (modified-root-hash (org-object-hash (lookup-object id-root-mod))))
-        (is (not (equal initial-root-hash modified-root-hash))))))
-
-(test history-store-immutability
-  "Verify that *history-store* retains old versions even after *memory* updates."
-  (clrhash *memory*)
-  (clrhash *history-store*)
-  (let* ((ast-v1 '(:type :HEADLINE :properties (:ID "test-node" :TITLE "Version 1") :contents nil))
-         (id-v1 (ingest-ast ast-v1))
-         (obj-v1 (lookup-object id-v1))
-         (hash-v1 (org-object-hash obj-v1)))
-    
-    (let* ((ast-v2 '(:type :HEADLINE :properties (:ID "test-node" :TITLE "Version 2") :contents nil))
-           (id-v2 (ingest-ast ast-v2))
-           (obj-v2 (lookup-object id-v2))
-           (hash-v2 (org-object-hash obj-v2)))
-      
-      ;; The active pointer should be v2
-      (is (equal (org-object-hash (lookup-object "test-node")) hash-v2))
-      
-      ;; Both v1 and v2 should exist in the immutable history store
-      (is (not (null (gethash hash-v1 *history-store*))))
-      (is (not (null (gethash hash-v2 *history-store*))))
-      
-      ;; Modifying v2 should not affect v1 in the history store
-      (is (equal (org-object-content (gethash hash-v1 *history-store*)) "Version 1
-"))
-      (is (equal (org-object-content (gethash hash-v2 *history-store*)) "Version 2
-")))))
-
-(test cow-snapshot-and-rollback
-  "Verify that lightweight snapshots can accurately restore previous pointer states."
-  (clrhash *memory*)
-  (clrhash *history-store*)
-  (setf *object-store-snapshots* nil)
-  
-  (let* ((ast-v1 '(:type :HEADLINE :properties (:ID "cow-node" :TITLE "State A") :contents nil))
-         (id-v1 (ingest-ast ast-v1))
-         (hash-v1 (org-object-hash (lookup-object id-v1))))
-    
-    ;; Take a snapshot at State A
-    (snapshot-memory)
-    
-    (let* ((ast-v2 '(:type :HEADLINE :properties (:ID "cow-node" :TITLE "State B") :contents nil))
-           (id-v2 (ingest-ast ast-v2))
-           (hash-v2 (org-object-hash (lookup-object id-v2))))
-      
-      ;; Verify we are currently in State B
-      (is (equal (org-object-hash (lookup-object "cow-node")) hash-v2))
-      
-      ;; Rollback to State A (index 0 because we only took 1 snapshot)
-      (rollback-memory 0)
-      
-      ;; Verify we are back in State A
-      (is (equal (org-object-hash (lookup-object "cow-node")) hash-v1))
-      
-      ;; Verify State B is still safely in the history store (no data loss)
-      (is (not (null (gethash hash-v2 *history-store*)))))))
-#+end_src

literate/package.org

@@ -1,212 +0,0 @@
-#+TITLE: System Interface (package.lisp)
-#+AUTHOR: Amr
-#+FILETAGS: :harness:interface:
-#+STARTUP: content
-
-* System Interface (package.lisp)
-The ~package.lisp~ file defines the public API of the ~opencortex~ harness. It serves as the primary membrane between the deterministic core modules and the dynamic world of skills and actuators.
-
-** Architectural Intent: The Package Membrane
-By strictly defining the public interface, we ensure that skills remain decoupled from the harness implementation details. This allows for autonomous replacement of any component (e.g., swapping the Memory or the Probabilistic Engine) without breaking existing skills.
-
-#+begin_src mermaid
-flowchart TD
-    External[Actuators / Clients] -- communication protocol --> Package[Package Membrane: API]
-    Skills[Dynamic Skills] -- API Calls --> Package
-    Package --> Internal[Harness Internal Modules]
-    style Package fill:#f9f,stroke:#333,stroke-width:4px
-#+end_src
-
-** Public API Export
-#+begin_src lisp :tangle ../src/package.lisp
-(defpackage :opencortex
-  (:use :cl)
-  (:export 
-   ;; --- communication protocol ---
-   #:frame-message
-   #:parse-message
-   #:make-hello-message
-   #:validate-communication-protocol-schema
-   
-   ;; --- Daemon Lifecycle ---
-   #:start-daemon
-   #:stop-daemon
-   #:harness-log
-   #:main
-   
-   ;; --- Memory (CLOSOS) ---
-   #:ingest-ast
-   #:lookup-object
-   #:list-objects-by-type
-   #:org-id-new
-   #:*memory*
-   #:*history-store*
-   #:org-object
-   #:make-org-object
-   #:org-object-id
-   #:org-object-type
-   #:org-object-attributes
-   #:org-object-parent-id
-   #:org-object-children
-   #:org-object-version
-   #:org-object-last-sync
-   #:org-object-vector
-   #:org-object-content
-   #:org-object-hash
-   #:snapshot-memory
-   #:rollback-memory
-   
-   ;; --- Context API (Peripheral Vision) ---
-   #:context-query-store
-   #:context-get-active-projects
-   #:context-get-recent-completed-tasks
-   #:context-list-all-skills
-   #:context-get-skill-source
-   #:context-get-system-logs
-   #:context-resolve-path
-   #:context-get-skill-telemetry
-   #:harness-track-telemetry
-   #:context-assemble-global-awareness
-   
-   ;; --- Reactive Signal Pipeline ---
-   #:process-signal
-   #:perceive-gate
-   #:probabilistic-gate
-   #:consensus-gate
-   #:act-gate
-   #:reason-gate
-   #:perceive-gate
-   #:dispatch-gate
-   #:inject-stimulus
-   #:initialize-actuators
-   #:dispatch-action
-   #:register-actuator
-   
-   ;; --- Skill Engine ---
-   #:load-skill-from-org
-   #:initialize-all-skills
-   #:load-skill-with-timeout
-   #:topological-sort-skills
-   #:validate-lisp-syntax
-   #:defskill
-   #:*skills-registry*
-   #:skill
-   #:skill-name
-   #:skill-priority
-   #:skill-dependencies
-   #:skill-trigger-fn
-   #:skill-probabilistic-prompt
-   #:skill-deterministic-fn
-
-   ;; --- Tool Registry ---
-   #:def-cognitive-tool
-   #:*cognitive-tools*
-   #:cognitive-tool
-   #:cognitive-tool-name
-   #:cognitive-tool-description
-   #:cognitive-tool-parameters
-   #:cognitive-tool-guard
-   #:cognitive-tool-body
-
-   ;; --- Emacs Client Registry ---
-   #:*emacs-clients*
-   #:*clients-lock*
-   #:register-emacs-client
-   #:unregister-emacs-client
-
-   ;; --- Probabilistic Engine ---
-   #:ask-probabilistic
-   #:register-probabilistic-backend
-   #:distill-prompt
-   #:*provider-cascade*
-   
-   ;; --- Security Vault ---
-   #:vault-get-secret
-   #:vault-set-secret
-   
-   ;; --- Deterministic Logic ---
-   #:list-objects-with-attribute
-   #:deterministic-verify
-   
-   ;; --- AST Helpers ---
-   #:find-headline-missing-id))
-#+end_src
-
-** Package Implementation
-#+begin_src lisp :tangle ../src/package.lisp
-(in-package :opencortex)
-#+end_src
-
-** Harness Logging State
-The harness maintains a thread-safe circular log buffer to provide context for debugging and neural reasoning.
-
-#+begin_src lisp :tangle ../src/package.lisp
-(defvar *system-logs* nil)
-(defvar *logs-lock* (bt:make-lock "harness-logs-lock"))
-(defvar *max-log-history* 100)
-#+end_src
-
-** Skills Registry
-#+begin_src lisp :tangle ../src/package.lisp
-(defvar *skills-registry* (make-hash-table :test 'equal)
-  "Global registry of all loaded skills.")
-#+end_src
-
-** Skill Telemetry State
-#+begin_src lisp :tangle ../src/package.lisp
-(defvar *skill-telemetry* (make-hash-table :test 'equal))
-(defvar *telemetry-lock* (bt:make-lock "harness-telemetry-lock"))
-#+end_src
-
-** Telemetry Implementation
-The system tracks the performance and reliability of individual skills. This logic is currently preserved in the package layer for future expansion into a dedicated telemetry skill.
-
-#+begin_src lisp :tangle ../src/package.lisp
-(defun harness-track-telemetry (skill-name duration status)
-  "Updates performance metrics for a specific skill. Status should be :success or :rejected."
-  (when skill-name 
-    (bt:with-lock-held (*telemetry-lock*)
-      (let ((entry (or (gethash skill-name *skill-telemetry*) (list :executions 0 :total-time 0 :failures 0))))
-        (incf (getf entry :executions)) 
-        (incf (getf entry :total-time) duration)
-        (when (eq status :rejected) (incf (getf entry :failures))) 
-        (setf (gethash skill-name *skill-telemetry*) entry)))))
-#+end_src
-
-** Cognitive Tool Registry
-The Tool Registry allows the agent to interact with the physical world. Every tool must define a guard (for security) and a body (for execution).
-
-#+begin_src lisp :tangle ../src/package.lisp
-(defvar *cognitive-tools* (make-hash-table :test 'equal))
-
-(defstruct cognitive-tool
-  name
-  description
-  parameters
-  guard
-  body)
-
-(defmacro def-cognitive-tool (name description parameters &key guard body)
-  "Registers a new cognitive tool into the global registry. Parameters must be a list of property lists."
-  `(setf (gethash (string-downcase (string ',name)) *cognitive-tools*)
-         (make-cognitive-tool :name (string-downcase (string ',name))
-                              :description ,description
-                              :parameters ',parameters
-                              :guard ,guard
-                              :body ,body)))
-#+end_src
-
-** Harness Logging Implementation
-Centralized logging function. It simultaneously writes to standard output and the in-memory circular buffer.
-
-#+begin_src lisp :tangle ../src/package.lisp
-(defun harness-log (msg &rest args)
-  "Centralized logging for the harness."
-  (let ((formatted-msg (apply #'format nil msg args)))
-    (bt:with-lock-held (*logs-lock*)
-      (push formatted-msg *system-logs*)
-      (when (> (length *system-logs*) *max-log-history*)
-        (setq *system-logs* (subseq *system-logs* 0 *max-log-history*))))
-    (format t "~a~%" formatted-msg)
-    (finish-output)))
-#+end_src

literate/perceive.org

@@ -1,82 +0,0 @@
-#+TITLE: Stage 1: Perceive (perceive.lisp)
-#+AUTHOR: Amr
-#+FILETAGS: :harness:perceive:
-#+STARTUP: content
-
-* Stage 1: Perceive (perceive.lisp)
-** Architectural Intent: Sensory Ingestion
-The Perceive stage is the "sensory cortex" of the OpenCortex. It takes raw stimuli from the outside world (keyboard events, chat messages, heartbeats, or system interrupts) and normalizes them into internal **Signals**.
-
-** Async Sensor Routing
-To prevent blocking the main pipeline, certain sensors (like user commands or chat messages) are processed asynchronously in their own threads.
-
-#+begin_src lisp :tangle ../src/perceive.lisp
-(in-package :opencortex)
-
-(defvar *async-sensors* '(:chat-message :delegation :user-command)
-  "List of sensors that should be processed asynchronously to avoid blocking gateways.")
-#+end_src
-
-** Foveal Focus State
-The system tracks the user's current point of interaction to provide context to the reasoning engine.
-
-#+begin_src lisp :tangle ../src/perceive.lisp
-(defvar *foveal-focus-id* nil
-  "The Org ID of the node the user is currently interacting with.")
-#+end_src
-
-** Stimulus Injection
-The entry point for raw messages. It determines if the signal should be processed synchronously or asynchronously.
-
-#+begin_src lisp :tangle ../src/perceive.lisp
-(defun inject-stimulus (raw-message &key stream (depth 0))
-  "Enqueues a raw message into the reactive signal pipeline."
-  (let* ((payload (getf raw-message :payload)) 
-         (sensor (getf payload :sensor))
-         (async-p (or (getf payload :async-p) (member sensor *async-sensors*))))
-    (when stream (setf (getf raw-message :reply-stream) stream))
-    (if async-p 
-        (bt:make-thread 
-         (lambda () 
-           (restart-case (handler-bind ((error (lambda (c) (harness-log "ASYNC ERROR: ~a" c) (invoke-restart 'skip-event))))
-                           (process-signal raw-message)) 
-             (skip-event () nil))) 
-         :name "opencortex-async-task")
-        (restart-case (handler-bind ((error (lambda (c) (harness-log "SYSTEM ERROR: ~a" c) (invoke-restart 'skip-event)))) 
-                        (process-signal raw-message))
-          (skip-event () (harness-log "SYSTEM RECOVERY: Stimulus dropped.~%"))))))
-#+end_src
-
-** The Perceive Gate
-The initial stage of the metabolic loop. It logs the signal, performs selective memory snapshots, and updates the Memory graph based on incoming AST updates.
-
-#+begin_src lisp :tangle ../src/perceive.lisp
-(defun perceive-gate (signal)
-  "Initial processing: Normalizes raw stimuli and updates memory."
-  (let* ((payload (getf signal :payload))
-         (type (getf signal :type))
-         (sensor (getf payload :sensor)))
-    (harness-log "GATE [Perceive]: ~a (~a)" type (or sensor "no-sensor"))
-    
-    (cond ((eq type :EVENT)
-           (case sensor
-             (:buffer-update 
-              (let ((ast (getf payload :ast))) 
-                (when ast 
-                  (snapshot-memory)
-                  (ingest-ast ast))))
-             (:point-update 
-              (let ((element (getf payload :element))) 
-                (when element 
-                  (snapshot-memory)
-                  (setf *foveal-focus-id* (ignore-errors (getf element :id)))
-                  (ingest-ast element))))
-             (:interrupt 
-              (bt:with-lock-held (*interrupt-lock*) (setf *interrupt-flag* t)))))
-          ((eq type :RESPONSE)
-           (harness-log "GATE [Perceive]: Act Result -> ~a" (getf payload :status))))
-           
-    (setf (getf signal :status) :perceived)
-    (setf (getf signal :foveal-focus) *foveal-focus-id*)
-    signal))
-#+end_src

literate/reason.org

@@ -1,119 +0,0 @@
-#+TITLE: Stage 2: Reason (reason.lisp)
-#+AUTHOR: Amr
-#+FILETAGS: :harness:reason:
-#+STARTUP: content
-
-* Stage 2: Reason (reason.lisp)
-** Architectural Intent: Unified Cognition
-The Reason stage is the cognitive engine of the OpenCortex. It unifies two distinct reasoning modes:
-1. **Probabilistic Reasoning:** Consulting neural models (LLMs) to generate action proposals based on current context.
-2. **Deterministic Reasoning:** Running those proposals through a series of deterministic safety gates (Policy, Invariants, and Skill-specific validation) to ensure alignment and security.
-
-** Package and Registry
-We initialize the probabilistic backends and the provider cascade which determines the order in which models are consulted.
-
-#+begin_src lisp :tangle ../src/reason.lisp
-(in-package :opencortex)
-
-(defvar *probabilistic-backends* (make-hash-table :test 'equal))
-(defvar *provider-cascade* nil)
-(defvar *model-selector-fn* nil)
-(defvar *consensus-enabled-p* nil)
-
-(defun register-probabilistic-backend (name fn)
-  "Registers a neural provider (e.g., :gemini, :anthropic) with its calling function."
-  (setf (gethash name *probabilistic-backends*) fn))
-#+end_src
-
-** Neural Dispatch (Probabilistic)
-The `probabilistic-call` function manages the cascade of neural providers. If the primary provider fails, it automatically falls back to the next one in the list.
-
-#+begin_src lisp :tangle ../src/reason.lisp
-(defun probabilistic-call (prompt &key (system-prompt "You are the Probabilistic engine.") (cascade nil) (context nil))
-  "Dispatches a neural request through the provider cascade. Returns a Lisp plist or a failure log."
-  (let ((backends (or cascade *provider-cascade*)))
-    (or (dolist (backend backends)
-          (let ((backend-fn (gethash backend *probabilistic-backends*)))
-            (when backend-fn
-              (harness-log "PROBABILISTIC: Attempting backend ~a..." backend)
-              (let* ((model (when *model-selector-fn* (funcall *model-selector-fn* backend context)))
-                     (result (if model 
-                                 (funcall backend-fn prompt system-prompt :model model)
-                                 (funcall backend-fn prompt system-prompt))))
-                ;; If the result is valid and doesn't contain a failure log, return it.
-                (unless (or (null result) 
-                            (and (stringp result) (search ":LOG" result)))
-                  (return result))))))
-        ;; Final fallback if all backends in the cascade fail.
-        (list :type :LOG :payload (list :text "Neural Cascade Failure: All providers exhausted.")))))
-#+end_src
-
-** Cognitive Proposal (Think)
-The `think` function represents the "intuitive" side of the agent. It identifies the active skill, assembles the global context, and asks the probabilistic engine for a structured action proposal.
-
-#+begin_src lisp :tangle ../src/reason.lisp
-(defun think (context)
-  "Generates a Lisp action proposal based on current context."
-  (let* ((active-skill (find-triggered-skill context))
-         (tool-belt (generate-tool-belt-prompt))
-         (global-context (context-assemble-global-awareness))
-         (system-logs (context-get-system-logs))
-         (assistant-name (or (uiop:getenv "MEMEX_ASSISTANT") "Agent")))
-    (if active-skill
-        (let* ((prompt-generator (skill-probabilistic-prompt active-skill))
-               (raw-prompt (when prompt-generator (funcall prompt-generator context)))
-               (system-prompt (format nil "IDENTITY: Actuator for ~a. MANDATE: ONE Lisp plist. ~a ~a RECENT_LOGS: ~a" 
-                                      assistant-name global-context tool-belt system-logs)))
-          (if (and raw-prompt (> (length raw-prompt) 1))
-              (let* ((thought (probabilistic-call raw-prompt :system-prompt system-prompt :context context))
-                     ;; Ensure we are working with a string for read-from-string
-                     (cleaned (if (stringp thought) (string-trim '(#\Space #\Newline #\Tab) thought) thought)))
-                (if (stringp cleaned)
-                    (handler-case (read-from-string cleaned)
-                      (error (c) (list :type :EVENT :payload (list :sensor :syntax-error :code cleaned :error (format nil "~a" c)))))
-                    cleaned))
-              (list :type :LOG :payload (list :text (format nil "Skill '~a' triggered (Deterministic only)" (skill-name active-skill))))))
-        nil)))
-#+end_src
-
-** Deterministic Verification
-Once a proposal is generated, it MUST pass through the deterministic gates. Every skill can register a gate that inspects and potentially modifies or blocks the proposed action.
-
-#+begin_src lisp :tangle ../src/reason.lisp
-(defun deterministic-verify (proposed-action context)
-  "Iterates through all skill deterministic-gates sorted by priority."
-  (let ((current-action proposed-action)
-        (skills nil))
-    ;; 1. Collect and sort active gates
-    (maphash (lambda (name skill) (declare (ignore name)) (when (skill-deterministic-fn skill) (push skill skills))) *skills-registry*)
-    (setf skills (sort skills #'> :key #'skill-priority))
-    
-    ;; 2. Execute gates sequentially if their trigger allows
-    (dolist (skill skills)
-      (let ((trigger (skill-trigger-fn skill))
-            (gate (skill-deterministic-fn skill)))
-        (when (or (null trigger) (ignore-errors (funcall trigger context)))
-          (setf current-action (funcall gate current-action context))
-          ;; If any gate returns a LOG or EVENT, it has intercepted the action.
-          (when (and (listp current-action) (member (getf current-action :type) '(:LOG :EVENT :log :event)))
-            (harness-log "DETERMINISTIC: Intercepted by skill '~a'" (skill-name skill))
-            (return-from deterministic-verify current-action)))))
-    current-action))
-#+end_src
-
-** The Reason Gate
-The entry point for the Reason stage. It orchestrates the transition from probabilistic "thought" to deterministic "verification."
-
-#+begin_src lisp :tangle ../src/reason.lisp
-(defun reason-gate (signal)
-  "Unified Stage: Combines Probabilistic proposals and Deterministic verification."
-  ;; Only process events that haven't been reasoned yet.
-  (unless (eq (getf signal :type) :EVENT) (return-from reason-gate signal))
-  
-  (let ((candidate (think signal)))
-    (if candidate
-        (setf (getf signal :approved-action) (deterministic-verify candidate signal))
-        (setf (getf signal :approved-action) nil))
-    (setf (getf signal :status) :reasoned)
-    signal))
-#+end_src

literate/setup.org

@@ -1,134 +0,0 @@
-#+TITLE: Setup & Onboarding (setup.org)
-#+AUTHOR: Amr
-#+FILETAGS: :harness:setup:onboarding:
-#+STARTUP: content
-
-* Overview: The Zero-to-One Experience
-The *Setup & Onboarding* process ensures that users can boot the ~opencortex~ Lisp Machine with zero friction.
-
-* 1. The Unified Entrypoint (opencortex.sh)
-#+begin_src bash :tangle ../opencortex.sh :shebang "#!/bin/bash"
-set -e
-
-PORT=9105
-HOST=${1:-localhost}
-
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BLUE='\033[0;34m'
-YELLOW='\033[0;33m'
-NC='\033[0m'
-
-command_exists() { command -v "$1" >/dev/null 2>&1; }
-
-# --- Bootstrap Mode ---
-bootstrap_opencortex() {
-    echo -e "${BLUE}=== OpenCortex: Zero-to-One Bootstrapper ===${NC}"
-    if [ -d ".git" ]; then
-        return
-    fi
-
-    TARGET_DIR="opencortex"
-    if [ ! -d "$TARGET_DIR" ]; then
-        echo -e "${BLUE}Cloning repository into $TARGET_DIR...${NC}"
-        git clone http://10.10.10.201:3001/amr/opencortex.git "$TARGET_DIR"
-    fi
-    
-    cd "$TARGET_DIR"
-    git submodule update --init --recursive
-    
-    echo -e "${GREEN}✓ Repository prepared.${NC}"
-    
-    if [ -t 0 ]; then
-        ./scripts/onboard-baremetal.sh
-    else
-        ./scripts/onboard-baremetal.sh < /dev/tty 2>/dev/null || ./scripts/onboard-baremetal.sh < /dev/null
-    fi
-    
-    echo -e "${GREEN}✓ Setup phase complete.${NC}"
-    exit 0
-}
-
-if [ ! -d ".git" ]; then
-    bootstrap_opencortex
-fi
-
-# ... (Local Mode)
-if [ -f "opencortex.asd" ] || [ -d "literate" ]; then
-    if [ ! -f .env ]; then ./scripts/onboard-baremetal.sh; fi
-    echo -e "${BLUE}Starting OpenCortex via SBCL...${NC}"
-    sbcl --non-interactive \
-         --eval "(load \"~/quicklisp/setup.lisp\")" \
-         --eval "(push "$(pwd)/" asdf:*central-registry*) (ql:quickload :opencortex)" \
-         --eval "(opencortex:main)"
-fi
-#+end_src
-
-* 2. The Baremetal Path (onboard-baremetal.sh)
-#+begin_src bash :tangle ../scripts/onboard-baremetal.sh :shebang "#!/bin/bash"
-# OpenCortex Final-Mile Installer (Bulletproof Edition)
-RED='\033[0;31m'; GREEN='\033[0;32m'; BLUE='\033[0;34m'; YELLOW='\033[0;33m'; NC='\033[0m'
-
-echo -e "${BLUE}=== OpenCortex: Baremetal Power-User Setup ===${NC}"
-
-prompt_user() {
-    local prompt="$1"
-    local default="$2"
-    local var_name="$3"
-    local result=""
-    echo -n -e "${YELLOW}$prompt (default: $default): ${NC}" >&2
-    if read -t 5 result; then :; else result="$default"; echo -e "${BLUE} [Auto-Selected: $default]${NC}" >&2; fi
-    val=${result:-$default}
-    eval "$var_name=\"$val\""
-}
-
-# 1. Dependencies
-if ! command -v sbcl >/dev/null 2>&1; then
-    echo -e "${BLUE}Installing dependencies...${NC}"
-    sudo apt-get update && sudo apt-get install -y sbcl emacs git curl socat || true
-fi
-
-# 2. Quicklisp
-if [ ! -d "$HOME/quicklisp" ]; then
-    curl -O https://beta.quicklisp.org/quicklisp.lisp
-    sbcl --non-interactive --load quicklisp.lisp --eval "(quicklisp-quickstart:install)" --eval "(ql-util:without-prompting (ql:add-to-init-file))"
-    rm quicklisp.lisp
-fi
-
-# 3. Tangling
-echo -e "${BLUE}Tangling source files...${NC}"
-mkdir -p src
-for f in literate/*.org; do
-    echo "  - Tangling $f"
-    emacs --batch --eval "(require 'org)" --eval "(org-babel-tangle-file \"$f\")" >/dev/null 2>&1
-done
-
-if [ -f "src/package.lisp" ]; then
-    echo -e "${GREEN}✓ Core tangled successfully.${NC}"
-else
-    echo -e "${RED}✗ Tangle failed!${NC}"
-fi
-
-# 4. Config
-if [ ! -f .env ]; then cp .env.example .env; fi
-prompt_user "What is your name?" "User" "USER_NAME"
-prompt_user "What shall we name your Assistant?" "OpenCortex" "AGENT_NAME"
-prompt_user "Select provider (1:Gemini, 2:OpenRouter)" "1" "LLM_CHOICE"
-
-sed -i "s/MEMEX_USER=.*/MEMEX_USER=\"$USER_NAME\"/g" .env
-sed -i "s/MEMEX_ASSISTANT=.*/MEMEX_ASSISTANT=\"$AGENT_NAME\"/g" .env
-
-# Final Path Alignment
-ROOT_DIR=$(pwd)
-sed -i "s|MEMEX_DIR=.*|MEMEX_DIR=\"$(dirname $ROOT_DIR)\"|g" .env
-sed -i "s|SKILLS_DIR=.*|SKILLS_DIR=\"$ROOT_DIR/skills\"|g" .env
-
-mkdir -p "$HOME/.local/bin"
-ln -sf "$ROOT_DIR/opencortex.sh" "$HOME/.local/bin/opencortex"
-echo -e "${GREEN}✓ Installed 'opencortex' command to ~/.local/bin${NC}"
-
-echo -e "\n${GREEN}==============================================${NC}"
-echo -e "${GREEN}    OpenCortex Installation Complete!        ${NC}"
-echo -e "${GREEN}==============================================${NC}"
-echo -e "To start: opencortex"
-#+end_src

literate/skills.org

@@ -1,448 +0,0 @@
-#+TITLE: The Skill Engine (skills.lisp)
-#+AUTHOR: Amr
-#+FILETAGS: :harness:skills:
-#+STARTUP: content
-
-* The Skill Engine (skills.lisp)
-** Architectural Intent: Late-Binding Intelligence
-
-A static, hardcoded architecture is inherently fragile. To build a autonomous agent that can evolve alongside its user, the harness must be a "Thin Shell" that delegates its capabilities to dynamic, hot-reloadable modules known as **Skills**. This is the core of our **Thin Harness / Thick Skill Microkernel Architecture**.
-
-Skills unify the **"Why"** (Literate Org documentation) and the **"How"** (Functional Lisp implementation). This allows the harness to "learn" new behaviors without a full system restart, enabling a continuous evolutionary loop where the agent can eventually inspect and improve its own code.
-
-*** The True Microkernel (Decoupled Core Skills)
-Historically, "core" skills (like State Persistence or Gateways) were statically compiled into the harness for performance. We have fundamentally decoupled this. Now, *all* behavioral skills are pure user-space dynamic modules. 
-
-**** MANDATE: Dynamic Loading (No Tangling)
-Skills are defined as single-file Literate Org notes. Unlike the core harness, **Skills MUST NOT use :tangle headers.** 
-
-Instead of being compiled into static source files, skills are:
-1. **Discovered:** The harness scans the `skills/` directory for `.org` files.
-2. **Parsed:** The harness extracts Lisp code blocks directly from the Org AST.
-3. **Jailed:** Each skill is evaluated inside its own temporary, isolated package namespace.
-4. **Hot-Loaded:** Skills can be added, modified, or removed at runtime without restarting the Lisp image.
-
-This ensures the agent can safely read, write, and repair its own capabilities without breaking the physical file structure. If a user wishes to swap the IPFS persistence skill for an AWS S3 one, they simply swap the `.org` file; no kernel recompilation is required.
-
-*** Dormant Verification (Tests)
-Because skills are no longer statically compiled into the core `opencortex` ASDF system, their associated `FiveAM` test blocks are currently dormant during a standard static build. The tests still exist within the literate `.org` files as verifiable documentation, but executing them requires either dynamic evaluation at runtime or a dedicated test-loader skill.
-
-*** 1. The Package Jailing Principle
-Every skill is evaluated within its own dedicated Common Lisp package (namespace). This "Jailing" prevents symbol collisions between disparate skills and ensures that a bug in one module cannot easily corrupt the internal state of another.
-
-*** 2. Deterministic Load Ordering
-Skills often depend on one another. The harness implements a deterministic topological sorting algorithm to ensure that dependencies are loaded before the skills that require them.
-
-** Skill Architecture
-#+begin_src mermaid
-flowchart TD
-    Registry[Skills Registry] --> S1[Skill: System Policy]
-    Registry --> S2[Skill: LLM Gateway]
-    Registry --> S3[Skill: Token Accountant]
-    S2 -- Depends On --> S1
-    S3 -- Depends On --> S2
-    
-    subgraph Jailing[Package Jailing]
-        P1[Package: OPENCORTEX.SKILLS.S1]
-        P2[Package: OPENCORTEX.SKILLS.S2]
-        P3[Package: OPENCORTEX.SKILLS.S3]
-    end
-    
-    S1 --> P1
-    S2 --> P2
-    S3 --> P3
-#+end_src
-
-** Package Context
-We begin by ensuring we are in the correct isolated harness namespace.
-
-#+begin_src lisp :tangle ../src/skills.lisp
-(in-package :opencortex)
-#+end_src
-
-** Skill Metadata (defstruct skill)
-The core data structure representing an agent capability. It includes the trigger condition, the probabilistic prompt generator, and the deterministic safety gate.
-
-#+begin_src lisp :tangle ../src/skills.lisp
-(defstruct skill name priority dependencies trigger-fn probabilistic-prompt deterministic-fn)
-#+end_src
-
-** Skill Catalog Tracking
-The harness maintains a stateful tracking table for all skill files discovered in the environment (~notes/org-skill-*.org~).
-
-#+begin_src lisp :tangle ../src/skills.lisp
-(defvar *skill-catalog* (make-hash-table :test 'equal)
-  "A stateful tracking table for all skill files discovered in the environment.")
-
-(defstruct skill-entry 
-  filename 
-  (status :discovered) ;; :discovered, :loading, :ready, :failed
-  error-log
-  (load-time 0))
-#+end_src
-
-** Skill Selection (find-triggered-skill)
-The primary dispatcher for the Probabilistic Engine. It iterates through the registry to find the highest-priority skill whose trigger function matches the current cognitive context.
-
-#+begin_src lisp :tangle ../src/skills.lisp
-(defun find-triggered-skill (context)
-  "Returns the highest priority skill whose trigger condition matches the context."
-  (let ((triggered nil))
-    (maphash (lambda (name skill) 
-               (declare (ignore name)) 
-               (when (ignore-errors (funcall (skill-trigger-fn skill) context)) 
-                 (push skill triggered))) 
-             *skills-registry*)
-    (first (sort triggered #'> :key #'skill-priority))))
-#+end_src
-
-** Skill Definition Macro (defskill)
-The interface used within Org files to register new capabilities. Note that dependencies are explicitly quoted to prevent premature evaluation during the macro expansion phase.
-
-#+begin_src lisp :tangle ../src/skills.lisp
-(defmacro defskill (name &key priority dependencies trigger probabilistic deterministic)
-  "Registers a new skill into the global registry."
-  `(setf (gethash (string-downcase (string ,name)) *skills-registry*)
-         (make-skill :name (string-downcase (string ,name)) 
-                     :priority (or ,priority 10) 
-                     :dependencies ',dependencies
-                     :trigger-fn ,trigger 
-                     :probabilistic-prompt ,probabilistic 
-                     :deterministic-fn ,deterministic)))
-#+end_src
-
-** Dependency Resolution (resolve-skill-dependencies)
-Recursively flattens the dependency graph for a given skill. This is used during hot-unloading to ensure that dependent skills are also refreshed.
-
-#+begin_src lisp :tangle ../src/skills.lisp
-(defun resolve-skill-dependencies (skill-name)
-  "Recursively resolves dependencies for a given skill name."
-  (let ((resolved nil) (seen nil))
-    (labels ((visit (name) 
-               (unless (member name seen :test #'equal) 
-                 (push name seen)
-                 (let ((skill (gethash (string-downcase (string name)) *skills-registry*)))
-                   (when skill 
-                     (dolist (dep (skill-dependencies skill)) 
-                       (visit dep))))
-                 (push name resolved))))
-      (visit skill-name) 
-      (nreverse resolved))))
-#+end_src
-
-** Metadata Parsing (parse-skill-metadata)
-A robust, low-level scanner that extracts `#+DEPENDS_ON:` and `:ID:` tags from an Org file. This allows the harness to calculate the load order without needing to parse the full Org AST, which would create a boot-time circularity.
-
-#+begin_src lisp :tangle ../src/skills.lisp
-(defun parse-skill-metadata (filepath)
-  "Extracts ID and DEPENDS_ON tags using robust regex scanning."
-  (let ((dependencies nil)
-        (id nil)
-        (content (uiop:read-file-string filepath)))
-    ;; Extract ID
-    (multiple-value-bind (match regs)
-        (ppcre:scan-to-strings "(?im:^:ID:\\s*([^\\s\\r\\n]+))" content)
-      (when match (setf id (aref regs 0))))
-    ;; Extract all DEPENDS_ON lines
-    (ppcre:do-register-groups (deps-string)
-        ("(?im:^#\\+DEPENDS_ON:\\s*(.*))" content)
-      (let ((deps (ppcre:split "\\s+" (string-trim " " deps-string))))
-        (setf dependencies (append dependencies (mapcar (lambda (s) (string-trim "[] " s)) deps)))))
-    (values id (remove-if (lambda (s) (= 0 (length s))) dependencies))))
-#+end_src
-
-** Topological Sorting (topological-sort-skills)
-This is the core algorithm of the boot sequence. It uses a **Depth-First Search (DFS)** to resolve the skill dependency graph. 
-
-It performs three critical roles:
-1.  **Load Ordering:** Ensures that "foundational" skills (like the LLM Gateway) are loaded before high-level "behavioral" skills.
-2.  **ID Resolution:** Correct maps Org `:ID:` properties to filepaths.
-3.  **Cycle Detection:** It uses a recursion stack to detect circular dependencies (e.g., A depends on B, B depends on A) and errors out safely before the Lisp image hangs.
-
-#+begin_src lisp :tangle ../src/skills.lisp
-(defun topological-sort-skills (skills-dir)
-  "Returns a list of skill filepaths sorted by dependency (dependencies first)."
-  (let ((files (uiop:directory-files skills-dir "org-skill-*.org"))
-        (adj (make-hash-table :test 'equal))
-        (name-to-file (make-hash-table :test 'equal))
-        (id-to-file (make-hash-table :test 'equal))
-        (result nil)
-        (visited (make-hash-table :test 'equal))
-        (stack (make-hash-table :test 'equal)))
-    (dolist (file files)
-      (let ((filename (pathname-name file)))
-        (multiple-value-bind (id deps) (parse-skill-metadata file)
-          (setf (gethash (string-downcase filename) name-to-file) file)
-          (when id (setf (gethash (string-downcase id) id-to-file) file))
-          (setf (gethash (string-downcase filename) adj) deps))))
-    (labels ((visit (file)
-               (let* ((filename (pathname-name file))
-                      (node-key (string-downcase filename)))
-                 (unless (gethash node-key visited)
-                   (setf (gethash node-key stack) t)
-                   (dolist (dep (gethash node-key adj))
-                     (let* ((is-id-p (uiop:string-prefix-p "id:" (string-downcase dep)))
-                            (dep-key (string-downcase (if is-id-p (subseq dep 3) dep)))
-                            (dep-file (if is-id-p 
-                                          (gethash dep-key id-to-file)
-                                          (or (gethash dep-key id-to-file)
-                                              (gethash dep-key name-to-file)))))
-                       (when dep-file
-                         (let ((dep-filename (pathname-name dep-file)))
-                           (if (gethash (string-downcase dep-filename) stack)
-                               (error "Circular dependency detected: ~a -> ~a" filename dep-filename)
-                               (visit dep-file))))))
-                   (setf (gethash node-key stack) nil)
-                   (setf (gethash node-key visited) t)
-                   (push file result)))))
-      (let ((filenames (sort (mapcar #'pathname-name files) #'string<)))
-        (dolist (name filenames)
-          (let ((file (gethash (string-downcase name) name-to-file)))
-            (when file (visit file)))))
-      (nreverse result))))
-#+end_src
-
-** Syntax Validation (validate-lisp-syntax)
-A pre-flight safety check. Before evaluating any code from an Org file, the harness attempts to ~read~ the entire string. If the reader encounters a syntax error (like an unclosed parenthesis), the load is aborted before the Lisp image can crash.
-
-#+begin_src lisp :tangle ../src/skills.lisp
-(defun validate-lisp-syntax (code-string)
-  "Checks if a string contains valid, readable Common Lisp forms."
-  (handler-case 
-      (let ((*read-eval* nil)) 
-        (with-input-from-string (stream (format nil "(progn ~a)" code-string))
-          (loop for form = (read stream nil :eof) until (eq form :eof)) 
-          (values t nil)))
-    (error (c) (values nil (format nil "~a" c)))))
-#+end_src
-
-** Jailed Loading (load-skill-from-org)
-The core "hot-loading" mechanism. It extracts Lisp blocks from an Org file and evaluates them within a "Jail" (an isolated package).
-
-*** The Jailing Algorithm:
-1.  **Isolation:** It generates a package name based on the filename (e.g., ~OPENCORTEX.SKILLS.CORE-LOGIC~).
-2.  **Namespace Protection:** It inherits external symbols from the ~OPENCORTEX~ package, allowing the skill to use the harness API, but keeps its internal helper functions local.
-3.  **Block Filtering:** It explicitly ignores blocks that contain ~:tangle~, ensuring that harness-level code (which is already in ~src/~) is not accidentally re-evaluated as skill logic.
-
-#+begin_src lisp :tangle ../src/skills.lisp
-(defun load-skill-from-org (filepath)
-  "Parses and evaluates Lisp blocks from an Org file into a jailed package."
-  (let* ((skill-base-name (pathname-name filepath))
-         (entry (or (gethash skill-base-name *skill-catalog*) (make-skill-entry :filename skill-base-name))))
-    (setf (skill-entry-status entry) :loading)
-    (setf (gethash skill-base-name *skill-catalog*) entry)
-    
-    (handler-case
-        (let* ((content (uiop:read-file-string filepath)) 
-               (lines (uiop:split-string content :separator '(#\Newline)))
-               (in-lisp-block nil) 
-               (lisp-code "") 
-               (pkg-name (intern (string-upcase (format nil "OPENCORTEX.SKILLS.~a" skill-base-name)) :keyword)))
-          
-          (dolist (line lines)
-            (let ((clean-line (string-trim '(#\Space #\Tab #\Return) line)))
-              (cond ((uiop:string-prefix-p "#+begin_src lisp" (string-downcase clean-line))
-                     ;; Only load blocks that are NOT tangled to src/ or elsewhere
-                     (if (search ":tangle" (string-downcase clean-line))
-                         (setf in-lisp-block nil)
-                         (setf in-lisp-block t)))
-                    ((uiop:string-prefix-p "#+end_src" (string-downcase clean-line))
-                     (setf in-lisp-block nil))
-                    (in-lisp-block 
-                     (unless (or (uiop:string-prefix-p ":PROPERTIES:" (string-upcase clean-line))
-                                 (uiop:string-prefix-p ":END:" (string-upcase clean-line)))
-                       (setf lisp-code (concatenate 'string lisp-code line (string #\Newline))))))))
-          
-          (if (= (length lisp-code) 0)
-              (progn (setf (skill-entry-status entry) :ready) t) ;; Valid empty skill
-              (progn
-                ;; PRE-FLIGHT: Syntax Validation
-                (multiple-value-bind (valid-p err) (validate-lisp-syntax lisp-code)
-                  (unless valid-p
-                    (error "Syntax Error: ~a" err)))
-                
-                (harness-log "HARNESS: Jailing skill '~a' in package ~a" skill-base-name pkg-name)
-                (unless (find-package pkg-name)
-                  (let ((new-pkg (make-package pkg-name :use '(:cl))))
-                    (do-external-symbols (sym (find-package :opencortex)) (shadowing-import sym new-pkg))))
-                
-                (let ((*read-eval* nil) (*package* (find-package pkg-name)))
-                  (eval (read-from-string (format nil "(progn ~a)" lisp-code))))
-                
-                (setf (skill-entry-status entry) :ready)
-                t)))
-      (error (c)
-        (let ((msg (format nil "~a" c)))
-          (harness-log "LOADER ERROR in skill '~a': ~a" skill-base-name msg)
-          (setf (skill-entry-status entry) :failed)
-          (setf (skill-entry-error-log entry) msg)
-          nil)))))
-#+end_src
-
-** Safe Loading with Timeout (load-skill-with-timeout)
-Wraps the skill loader in a thread with a hard timeout to prevent a single malformed skill from hanging the entire boot sequence.
-
-#+begin_src lisp :tangle ../src/skills.lisp
-(defun load-skill-with-timeout (filepath timeout-seconds)
-  "Loads a skill Org file with a hard execution timeout."
-  (let* ((finished nil)
-         (thread (bt:make-thread (lambda () 
-                                   (if (load-skill-from-org filepath)
-                                       (setf finished t)
-                                       (setf finished :error)))
-                                 :name (format nil "loader-~a" (pathname-name filepath))))
-         (start-time (get-internal-real-time))
-         (timeout-units (truncate (* timeout-seconds internal-time-units-per-second))))
-    (loop 
-      (when (eq finished t) (return :success))
-      (when (eq finished :error) (return :error))
-      (unless (bt:thread-alive-p thread) (return :error))
-      (when (> (- (get-internal-real-time) start-time) timeout-units)
-        (harness-log "HARNESS: Timing out skill ~a..." (pathname-name filepath))
-        #+sbcl (sb-thread:terminate-thread thread)
-        #-sbcl (bt:destroy-thread thread)
-        (return :timeout))
-      (sleep 0.05))))
-#+end_src
-
-** Initializing All Skills (initialize-all-skills)
-The `initialize-all-skills` function is the unified orchestrator for the system boot sequence. It enforces the **Verification Lock**:
-1. **Mandatory Check:** It reads the `MANDATORY_SKILLS` environment variable and ensures every required skill exists in the source directory.
-2. **Topological Boot:** It resolves inter-skill dependencies to ensure policies and actuators are loaded in the correct order.
-3. **Timed Loading:** Every skill is loaded with a 5-second timeout.
-4. **Boot Halt:** If a *mandatory* skill fails to load (e.g., due to a syntax error), the entire system halts with a `BOOT FAILURE` to prevent an unaligned or unsecure state.
-
-#+begin_src lisp :tangle ../src/skills.lisp
-(defun initialize-all-skills ()
-  "Scans the directory defined by SKILLS_DIR and hot-loads skills using topological order."
-  (let* ((env-path (uiop:getenv "SKILLS_DIR"))
-         (skills-dir-str (or env-path (namestring (merge-pathnames "notes/" (user-homedir-pathname)))))
-         (resolved-path (context-resolve-path skills-dir-str))
-         (skills-dir (if resolved-path (uiop:ensure-directory-pathname resolved-path) nil)))
-    
-    (unless (and skills-dir (uiop:directory-exists-p skills-dir))
-      (harness-log "HARNESS ERROR: Skills directory not found: ~a" skills-dir-str)
-      (return-from initialize-all-skills nil))
-
-    (let ((sorted-files (topological-sort-skills skills-dir)))
-      ;; MANDATE: Configurable mandatory skills must be present for a safe boot
-      (let* ((mandatory-env (uiop:getenv "MANDATORY_SKILLS"))
-             (mandatory-skills (if mandatory-env 
-                                   (mapcar (lambda (s) (string-trim '(#\Space) s)) 
-                                           (uiop:split-string mandatory-env :separator '(#\,)))
-                                   '("org-skill-policy" "org-skill-bouncer"))))
-        (dolist (req mandatory-skills)
-          (unless (member req sorted-files :key #'pathname-name :test #'string-equal)
-            (error "BOOT FAILURE: Mandatory skill '~a' not found in skills directory." req)))
-      
-        (harness-log "==================================================")
-        (harness-log " LOADER: Initializing ~a skills..." (length sorted-files))
-      
-        (dolist (file sorted-files)
-          (let* ((skill-name (pathname-name file))
-                 (is-mandatory (member skill-name mandatory-skills :test #'string-equal)))
-            (harness-log " LOADER: Loading ~a..." skill-name)
-            (let ((status (load-skill-with-timeout file 5)))
-              (unless (eq status :success)
-                (if is-mandatory
-                    (error "BOOT FAILURE: Mandatory skill '~a' failed to load (Status: ~a)." skill-name status)
-                    (harness-log "LOADER WARNING: Skill '~a' failed to load." skill-name))))))
-      
-        ;; Final Summary
-        (let ((ready 0) (failed 0))
-          (maphash (lambda (k v) 
-                     (declare (ignore k))
-                     (if (eq (skill-entry-status v) :ready) (incf ready) (incf failed)))
-                   *skill-catalog*)
-          (harness-log " LOADER: Boot Complete. [Ready: ~a] [Failed: ~a]" ready failed)
-          (harness-log "==================================================")
-          (values ready failed))))))
-#+end_src
-
-** Toolbelt Prompt Generation (generate-tool-belt-prompt)
-Every cognitive tool registered by a skill is automatically documented and injected into the LLM system prompt. This ensures that the agent is always aware of its current physical capabilities.
-
-#+begin_src mermaid
-flowchart LR
-    Registry[(Tool Registry)] --> Generator[Prompt Generator]
-    Generator --> Prompt[Final System Prompt]
-    subgraph Actuators
-        ToolA[Shell]
-        ToolB[Emacs]
-        ToolC[Grep]
-    end
-    ToolA --> Registry
-    ToolB --> Registry
-    ToolC --> Registry
-#+end_src
-
-#+begin_src lisp :tangle ../src/skills.lisp
-(defun generate-tool-belt-prompt ()
-  "Aggregates all registered cognitive tools into a descriptive prompt."
-  (let ((output (format nil "AVAILABLE TOOLS:
-You can call tools by returning a Lisp plist: (:target :tool :action :call :tool <name> :args (...))
-
-EXAMPLES:
-(:target :tool :action :call :tool \"eval\" :args (:code \"(+ 1 1)\"))
-(:target :tool :action :call :tool \"grep-search\" :args (:pattern \"autonomousty\"))
-(:target :tool :action :call :tool \"shell\" :args (:cmd \"ls -la\"))
-
----
-")))
-    (maphash (lambda (name tool)
-               (setf output (concatenate 'string output
-                                         (format nil "- ~a: ~a~%  Parameters: ~s~%~%"
-                                                 name
-                                                 (cognitive-tool-description tool)
-                                                 (cognitive-tool-parameters tool)))))
-             *cognitive-tools*)
-    output))
-#+end_src
-
-** The Default Tool Belt
-The harness provides a baseline set of cognitive tools that enable core system interaction.
-
-*** The Eval Tool (Internal Inspection)
-#+begin_src lisp :tangle ../src/skills.lisp
-(def-cognitive-tool :eval "Evaluates raw Common Lisp code in the harness image. Use this for complex calculations or internal state inspection."
-  ((:code :type :string :description "The Lisp code to evaluate"))
-  :guard (lambda (args context)
-           (declare (ignore context))
-           (let ((code (getf args :code)))
-             (let ((harness-pkg (find-package :opencortex.skills.org-skill-lisp-validator)))
-               (if harness-pkg 
-                   (uiop:symbol-call :opencortex.skills.org-skill-lisp-validator :lisp-validator-validate code)
-                   t))))
-  :body (lambda (args)
-          (let ((code (getf args :code)))
-            (handler-case (let ((result (eval (read-from-string code))))
-                            (format nil "~s" result))
-              (error (c) (format nil "ERROR: ~a" c))))))
-#+end_src
-
-*** The Grep Tool (File Discovery)
-#+begin_src lisp :tangle ../src/skills.lisp
-(def-cognitive-tool :grep-search "Searches for a pattern in the project files."
-  ((:pattern :type :string :description "The regex pattern to search for")
-   (:dir :type :string :description "Directory to search in (default is project root)"))
-  :body (lambda (args)
-          (let ((pattern (getf args :pattern))
-                (dir (or (getf args :dir) (uiop:getenv "MEMEX_DIR"))))
-            (uiop:run-program (list "grep" "-r" "-n" "--exclude-dir=node_modules" pattern dir) 
-                              :output :string :ignore-error-status t))))
-#+end_src
-
-*** The Shell Tool (Machine Actuation)
-#+begin_src lisp :tangle ../src/skills.lisp
-(def-cognitive-tool :shell "Executes a shell command on the local machine. Use this for file operations, system checks, or running tests."
-  ((:cmd :type :string :description "The full bash command to execute"))
-  :guard (lambda (args context)
-           (declare (ignore context))
-           (let ((cmd (getf args :cmd)))
-             (not (or (search "rm -rf /" cmd) (search ":(){ :|:& };:" cmd)))))
-  :body (lambda (args)
-          (let ((cmd (getf args :cmd)))
-            (multiple-value-bind (out err code)
-                (uiop:run-program (list "bash" "-c" cmd) :output :string :error-output :string :ignore-error-status t)
-              (format nil "EXIT-CODE: ~a~%~%STDOUT:~%~a~%~%STDERR:~%~a" code out err)))))
-#+end_src

opencortex.asd

@@ -1,39 +0,0 @@
-(defsystem :opencortex
-  :name "opencortex"
-  :author "Amr"
-  :version "0.1.0"
-  :license "AGPLv3"
-  :description "The Probabilistic-Deterministic Lisp Machine Harness"
-  :depends-on (:usocket :bordeaux-threads :dexador :uiop :cl-dotenv :cl-ppcre :hunchentoot :ironclad :str :cl-json :uuid)
-  :serial t
-  :components ((:file "src/package")
-               (:file "src/skills")
-               (:file "src/policy")
-               (:file "src/communication-validator")
-               (:file "src/communication")
-               (:file "src/memory")
-               (:file "src/context")
-               (:file "src/probabilistic")
-               (:file "src/perceive")
-               (:file "src/reason")
-               (:file "src/act")
-               (:file "src/loop"))
-  :build-operation "program-op"
-  :build-pathname "opencortex-server"
-  :entry-point "opencortex:main")
-
-(defsystem :opencortex/tests
-  :depends-on (:opencortex :fiveam)
-  :components ((:file "tests/communication-tests")
-               (:file "tests/pipeline-tests")
-               (:file "tests/act-tests")
-               (:file "tests/boot-sequence-tests")
-               (:file "tests/memory-tests")
-               (:file "tests/immune-system-tests"))
-  :perform (test-op (o s) 
-             (uiop:symbol-call :fiveam :run! (uiop:find-symbol* :communication-protocol-suite :opencortex-tests))
-             (uiop:symbol-call :fiveam :run! (uiop:find-symbol* :pipeline-suite :opencortex-pipeline-tests))
-             (uiop:symbol-call :fiveam :run! (uiop:find-symbol* :safety-suite :opencortex-safety-tests))
-             (uiop:symbol-call :fiveam :run! (uiop:find-symbol* :boot-suite :opencortex-boot-tests))
-             (uiop:symbol-call :fiveam :run! (uiop:find-symbol* :memory-suite :opencortex-memory-tests))
-             (uiop:symbol-call :fiveam :run! (uiop:find-symbol* :immune-suite :opencortex-immune-system-tests))))

opencortex.sh

@@ -1,67 +0,0 @@
-#!/bin/bash
-set -e
-
-PORT=9105
-HOST=${1:-localhost}
-
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BLUE='\033[0;34m'
-YELLOW='\033[0;33m'
-NC='\033[0m'
-
-command_exists() { command -v "$1" >/dev/null 2>&1; }
-
-# --- Bootstrap Mode ---
-bootstrap_opencortex() {
-    echo -e "${BLUE}=== OpenCortex: Zero-to-One Bootstrapper ===${NC}"
-    if [ -d ".git" ]; then
-        return
-    fi
-
-    TARGET_DIR="opencortex"
-    if [ ! -d "$TARGET_DIR" ]; then
-        echo -e "${BLUE}Cloning repository into $TARGET_DIR...${NC}"
-        git clone http://10.10.10.201:3001/amr/opencortex.git "$TARGET_DIR"
-    fi
-    
-    cd "$TARGET_DIR"
-    git submodule update --init --recursive
-    
-    echo -e "${GREEN}✓ Repository prepared.${NC}"
-    
-    if [ -t 0 ]; then
-        ./scripts/onboard-baremetal.sh
-    else
-        ./scripts/onboard-baremetal.sh < /dev/tty 2>/dev/null || ./scripts/onboard-baremetal.sh < /dev/null
-    fi
-    
-    echo -e "${GREEN}✓ Setup phase complete.${NC}"
-    exit 0
-}
-
-if [ ! -d ".git" ]; then
-    bootstrap_opencortex
-fi
-
-# 1. Try to drop straight into the CLI chat
-if command_exists socat && socat - TCP:$HOST:$PORT,connect-timeout=1 2>/dev/null; then
-    echo -e "${BLUE}Connected to autonomous brain at $HOST:$PORT...${NC}"
-    socat READLINE,history=$HOME/.org_agent_history TCP:$HOST:$PORT
-    exit 0
-fi
-
-# 2. Local repository detection and launch
-if [ -f "opencortex.asd" ] || [ -d "literate" ]; then
-    if [ ! -f .env ]; then
-        ./scripts/onboard-baremetal.sh
-    fi
-    
-    echo -e "${BLUE}Starting OpenCortex via SBCL...${NC}"
-    # EXPLICITLY push current directory to ASDF registry
-    sbcl --non-interactive \
-         --eval "(load \"~/quicklisp/setup.lisp\")" \
-         --eval "(push \"$(pwd)/\" asdf:*central-registry*)" \
-         --eval "(ql:quickload :opencortex)" \
-         --eval "(opencortex:main)"
-fi

org/channel-cli.org

@@ -0,0 +1,72 @@
+#+TITLE: SKILL: CLI Gateway (org-skill-cli-gateway.org)
+#+AUTHOR: Agent
+#+FILETAGS: :skill:gateway:cli:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/channel-cli.lisp
+
+* Overview
+The CLI Gateway is the simplest interface to Passepartout — raw stdin/stdout over TCP. It connects to the daemon's framed protocol and translates between terminal input/output and the plist-based communication format. No TUI, no ncurses, no dependencies beyond a TCP socket. Every other gateway (TUI, Emacs, Telegram) builds on this same protocol.
+
+** Contract
+
+1. (channel-cli-input text): wraps text in a ~:user-input~ envelope
+   with ~:source :CLI~ and injects into the pipeline via
+   ~stimulus-inject~.
+
+* Implementation
+
+** Package Context
+#+begin_src lisp
+(in-package :passepartout)
+#+end_src
+
+** CLI Command Handling
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun channel-cli-input (text)
+  "Processes raw text from the command line."
+  (stimulus-inject (list :type :EVENT 
+                         :payload (list :sensor :user-input :text text) 
+                         :meta (list :source :CLI))))
+#+end_src
+
+** Skill Registration
+#+begin_src lisp
+(defskill :passepartout-channel-cli
+  :priority 100
+  :trigger (lambda (ctx) (eq (getf (getf ctx :meta) :source) :CLI))
+  :deterministic (lambda (action ctx) (declare (ignore ctx)) action))
+#+end_src
+
+* Test Suite
+
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-channel-cli-tests
+  (:use :cl :passepartout)
+  (:export #:cli-suite))
+
+(in-package :passepartout-channel-cli-tests)
+
+(fiveam:def-suite cli-suite :description "Verification of the CLI Gateway")
+(fiveam:in-suite cli-suite)
+
+(fiveam:test test-channel-cli-input-format
+  "Contract 1: channel-cli-input injects a properly formed signal without error."
+  (handler-case
+      (progn (channel-cli-input "hello") (fiveam:pass))
+    (error (c)
+      (fiveam:fail "channel-cli-input crashed: ~a" c))))
+#+end_src
+
+** Load-Time Sanity Check
+
+Verifies the function exists and can be called at load time without
+depending on FiveAM macro resolution in the jailed package.
+
+#+begin_src lisp
+(handler-case
+    (progn (channel-cli-input "test-load") (log-message "CLI: Load-time test OK"))
+  (error (c) (log-message "CLI: Load-time test FAILED: ~a" c)))
+#+end_src

org/channel-discord.org

@@ -0,0 +1,90 @@
+#+TITLE: Channel Discord (channel-discord.org)
+#+AUTHOR: Agent
+#+FILETAGS: :channel:discord:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/channel-discord.lisp
+
+* Channel Discord
+
+Extracted from gateway-messaging in v0.5.0. Isolated platform — Discord-specific poll and send logic.
+
+* Overview
+
+The Discord channel provides bidirectional communication via the Discord REST API
+and Gateway WebSocket. Messages received from Discord channels are injected into
+the cognitive pipeline as ~:user-input~ signals with ~:source :discord~. Outbound
+messages route through the actuator registry when the pipeline targets ~:discord~.
+
+The channel uses two functions: ~discord-poll~ (inbound sensor, REST polling)
+and ~discord-send~ (outbound actuator, REST POST). Both retrieve the bot token
+from the credentials vault (~vault-get-secret :discord~). HITL commands are
+intercepted before injection so approval flows work identically across all channels.
+
+** Contract
+
+1. (discord-get-token): returns the Discord bot token from the vault
+   (via ~vault-get-secret :discord~), or nil if not configured.
+2. (discord-poll): polls configured channels via GET /channels/{id}/messages,
+   injects each non-bot message as a ~:user-input~ stimulus with
+   ~:source :discord~. Handles JSON parse failures and API errors
+   gracefully. HITL commands are intercepted before injection.
+3. (discord-send action context): sends a message via POST /channels/{id}/messages.
+   Extracts ~:channel-id~ and ~:text~ from the action plist. Uses bot token
+   authentication. Logs send failures without crashing the pipeline.
+
+* Implementation
+
+#+begin_src lisp
+(in-package :passepartout)
+(defun discord-get-token ()
+  (vault-get-secret :discord))
+
+(defun discord-send (action context)
+  "Sends a message via Discord REST API."
+  (declare (ignore context))
+  (let* ((payload (getf action :payload))
+         (meta (getf action :meta))
+         (channel-id (or (getf meta :channel-id) (getf payload :chat-id)))
+         (text (or (getf payload :text) (getf action :text)))
+         (token (discord-get-token)))
+    (when (and token channel-id text)
+      (handler-case
+          (dex:post (format nil "https://discord.com/api/v10/channels/~a/messages" channel-id)
+                    :headers '(("Authorization" . ,(format nil "Bot ~a" token))
+                               ("Content-Type" . "application/json"))
+                    :content (cl-json:encode-json-to-string
+                              `((content . ,text))))
+        (error (c) (log-message "DISCORD ERROR: ~a" c))))))
+
+(defun discord-poll ()
+  "Polls Discord via HTTP GET /channels/{id}/messages. In production,
+a WebSocket connection to the Gateway is preferred for real-time events."
+  (let* ((token (discord-get-token)))
+    (when token
+      (handler-case
+          (dolist (channel '("channel-id-here"))  ;; configured channel IDs
+            (let* ((last-id (getf (gethash "discord" *gateway-configs*) :last-update-id 0))
+                   (url (format nil "https://discord.com/api/v10/channels/~a/messages?after=~a"
+                               channel last-id))
+                   (response (dex:get url :headers
+                                       `(("Authorization" . ,(format nil "Bot ~a" token))))))
+              (let ((messages (ignore-errors
+                               (cdr (assoc :message
+                                      (cl-json:decode-json-from-string response))))))
+                (dolist (msg (and (listp messages) messages))
+                  (let* ((id (cdr (assoc :id msg)))
+                         (content (cdr (assoc :content msg)))
+                         (author (cdr (assoc :author msg)))
+                         (author-id (cdr (assoc :id author)))
+                         (is-bot (cdr (assoc :bot author))))
+                    (when (and id content (not is-bot))
+                      (setf (getf (gethash "discord" *gateway-configs*) :last-update-id) id)
+                      (unless (ignore-errors (hitl-handle-message content :discord))
+                        (stimulus-inject
+                         (list :type :EVENT
+                               :meta (list :source :discord :chat-id channel)
+                               :payload (list :sensor :user-input :text content))))))))))
+        (error (c) (log-message "DISCORD POLL ERROR: ~a" c))))))
+#+end_src
+
+
+#+end_src

org/channel-shell.org

@@ -0,0 +1,135 @@
+#+TITLE: SKILL: Shell Actuator (org-skill-shell-actuator.org)
+#+AUTHOR: Agent
+#+FILETAGS: :skill:actuator:shell:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/channel-shell.lisp
+
+* Overview: The Physical Actuator
+
+The Shell Actuator is the agent's hand in the physical world. Given a shell command, it executes it via ~bash -c~ and returns the output. This is how the agent installs packages, reads files, runs scripts, and interacts with any Unix tool.
+
+Because shell execution is the highest-risk operation in the system, the Shell Actuator is protected by multiple safety layers:
+1. The Dispatcher's shell safety gate blocks destructive commands (~rm -rf /~, ~dd~, ~mkfs~)
+2. The Dispatcher's injection gate blocks backtick and ~$()~ patterns
+3. The Dispatcher's network exfil gate blocks connections to unwhitelisted hosts
+4. The actuator enforces a timeout (default 30s) so hanging commands don't freeze the agent
+5. The actuator caps output (default 100KB) so infinite output doesn't exhaust memory
+6. (v0.4.3) When ~bwrap~ (Bubblewrap) is available, commands execute inside a Linux namespace sandbox with network and IPC isolation
+
+** Contract
+
+1. (bwrap-available-p): returns T if ~bwrap~ is installed and usable, NIL otherwise.
+   Cached at load time via ~which bwrap~.
+2. (bwrap-wrap-command cmd timeout memex-dir): returns a command list suitable for
+   ~uiop:run-program~ — wraps ~cmd~ in a ~bwrap~ sandbox with ~--unshare-net~,
+   ~--unshare-ipc~, ~--ro-bind~ for system dirs, and ~--bind~ for the memex and /tmp.
+3. (actuator-shell-execute action context): when ~bwrap~ is available, wraps the
+   command through the sandbox. When ~bwrap~ is unavailable, falls back to the
+   existing ~timeout bash -c~ behavior.
+
+* Implementation
+
+** Shell Execution (actuator-shell-execute)
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(in-package :passepartout)
+
+(defvar *bwrap-available* nil
+  "Set to T at load time if the bwrap binary is found in PATH.")
+
+(defvar *bwrap-base-args*
+  '("--ro-bind" "/usr" "/usr"
+    "--ro-bind" "/lib" "/lib"
+    "--ro-bind" "/bin" "/bin"
+    "--ro-bind" "/etc" "/etc"
+    "--bind" "/tmp" "/tmp"
+    "--unshare-net"
+    "--unshare-ipc")
+  "Base bwrap arguments for the sandbox. --bind ~/memex ~/memex is added dynamically.")
+
+(defun bwrap-available-p ()
+  "Returns T if bwrap (bubblewrap) is installed and usable."
+  *bwrap-available*)
+
+(defun bwrap-wrap-command (cmd timeout memex-dir)
+  "Wrap CMD in a bwrap sandbox with network and IPC isolation.
+Returns a list suitable for uiop:run-program."
+  `("bwrap"
+    ,@*bwrap-base-args*
+    "--bind" ,memex-dir ,memex-dir
+    "timeout" ,(format nil "~a" timeout)
+    "bash" "-c" ,cmd))
+
+;; Initialize at load time
+(setf *bwrap-available*
+      (= 0 (nth-value 2 (uiop:run-program '("which" "bwrap") :output nil :error-output nil :ignore-error-status t))))
+
+(defun actuator-shell-execute (action context)
+  "Executes a shell command via the OS timeout binary with output limit.
+When bwrap is available, wraps the command in a Linux namespace sandbox."
+  (declare (ignore context))
+  (let* ((payload (getf action :payload))
+         (cmd (getf payload :cmd))
+         (timeout-sym (find-symbol "*DISPATCHER-SHELL-TIMEOUT*" :passepartout))
+         (timeout (or (getf payload :timeout) (if timeout-sym (symbol-value timeout-sym) 30)))
+         (max-sym (find-symbol "*DISPATCHER-SHELL-MAX-OUTPUT*" :passepartout))
+         (max-output (or (getf payload :max-output) (if max-sym (symbol-value max-sym) 100000)))
+         (memex-dir (or (uiop:getenv "MEMEX_DIR") (namestring (merge-pathnames "memex/" (user-homedir-pathname))))))
+    (log-message "ACT [Shell]: ~a (timeout: ~as)~@[ bwrap: enabled~]" cmd timeout (and *bwrap-available* " (bwrap)"))
+    (let ((cmdline (if *bwrap-available*
+                       (bwrap-wrap-command cmd timeout memex-dir)
+                       (list "timeout" (format nil "~a" timeout) "bash" "-c" cmd))))
+      (multiple-value-bind (out err code)
+          (uiop:run-program cmdline
+                            :output :string :error-output :string
+                            :ignore-error-status t)
+        (cond
+          ((= code 124) (format nil "ERROR: Command timed out after ~a seconds" timeout))
+          ((> (length out) max-output)
+           (format nil "~a~%... (output truncated to ~a chars)" (subseq out 0 max-output) max-output))
+          ((= code 0) out)
+          (t (format nil "ERROR [~a]: ~a" code err)))))))
+#+end_src
+
+** Skill Registration
+#+begin_src lisp
+(register-actuator :shell #'actuator-shell-execute)
+
+(defskill :passepartout-channel-shell
+  :priority 50
+  :trigger (lambda (ctx) (declare (ignore ctx)) nil))
+#+end_src
+
+* Test Suite
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-shell-actuator-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:shell-actuator-suite))
+
+(in-package :passepartout-shell-actuator-tests)
+
+(def-suite shell-actuator-suite :description "Verification of the Shell Actuator")
+(in-suite shell-actuator-suite)
+
+(test test-bwrap-wrap-command
+  "Contract 2: bwrap-wrap-command returns properly formatted command list."
+  (let ((cmdline (passepartout::bwrap-wrap-command "echo hello" 30 "/home/user/memex")))
+    (is (member "bwrap" cmdline :test #'string=))
+    (is (member "--unshare-net" cmdline :test #'string=))
+    (is (member "--unshare-ipc" cmdline :test #'string=))
+    (is (member "echo hello" cmdline :test #'string=))))
+
+(test test-bwrap-available-p-returns-boolean
+  "Contract 1: bwrap-available-p returns T or NIL."
+  (let ((avail (passepartout::bwrap-available-p)))
+    (is (typep avail 'boolean))))
+
+(test test-actuator-shell-execute-echo
+  "Contract 3: actuator-shell-execute runs echo and returns output."
+  (let* ((action '(:type :REQUEST :target :shell :payload (:cmd "echo hello")))
+         (result (passepartout::actuator-shell-execute action nil)))
+    (is (stringp result))
+    (is (search "hello" result :test #'char-equal))))
+#+end_src

org/channel-signal.org

@@ -0,0 +1,82 @@
+#+TITLE: Channel Signal (channel-signal.org)
+#+AUTHOR: Agent
+#+FILETAGS: :channel:signal:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/channel-signal.lisp
+
+* Channel Signal
+
+Extracted from gateway-messaging in v0.5.0. Isolated platform — Signal-specific poll and send logic.
+
+* Overview
+
+The Signal channel provides bidirectional communication via the ~signal-cli~ CLI tool.
+Messages received from Signal contacts are injected into the cognitive pipeline
+as ~:user-input~ signals with ~:source :signal~. Outbound messages route through
+the actuator registry when the pipeline targets ~:signal~.
+
+The channel uses two functions: ~signal-poll~ (inbound sensor) and ~signal-send~
+(outbound actuator). Both retrieve the Signal account identifier from the
+credentials vault. HITL commands (~/approve~, ~/deny~) are intercepted before
+injection so approval flows work identically across all channels.
+
+** Contract
+
+1. (signal-get-account): returns the Signal phone number from the vault
+   (via ~vault-get-secret :signal~), or nil if not configured.
+2. (signal-poll): queries ~signal-cli receive --json~ for new messages,
+   injects each non-system message as a ~:user-input~ stimulus with
+   ~:source :signal~. Handles JSON parse failures and network errors
+   gracefully (logs and continues). HITL commands are intercepted before
+   injection.
+3. (signal-send action context): sends a message via ~signal-cli send~.
+   Extracts ~:chat-id~ and ~:text~ from the action plist. Logs send
+   failures without crashing the pipeline.
+
+* Implementation
+
+#+begin_src lisp
+(in-package :passepartout)
+(defun signal-get-account ()
+  (vault-get-secret :signal))
+
+(defun signal-poll ()
+  "Polls Signal for new messages and injects them into the harness."
+  (let ((account (signal-get-account)))
+    (when account
+      (handler-case
+          (let* ((output (uiop:run-program (list "signal-cli" "-u" account "receive" "--json")
+                                            :output :string :error-output :string :ignore-error-status t))
+                 (lines (cl-ppcre:split "\\\\n" output)))
+            (dolist (line lines)
+              (when (and line (> (length line) 0))
+                (let* ((json (ignore-errors (cl-json:decode-json-from-string line)))
+                       (envelope (cdr (assoc :envelope json)))
+                       (source (cdr (assoc :source envelope)))
+                       (data-message (cdr (assoc :data-message envelope)))
+                       (text (cdr (assoc :message data-message))))
+                  (when (and source text)
+                    (log-message "SIGNAL: Received message from ~a" source)
+                    (unless (ignore-errors (hitl-handle-message text :signal))
+                      (stimulus-inject
+                       (list :type :EVENT
+                             :meta (list :source :signal :chat-id source)
+                             :payload (list :sensor :user-input :text text)))))))))
+        (error (c) (log-message "SIGNAL POLL ERROR: ~a" c))))))
+
+(defun signal-send (action context)
+  "Sends a message via Signal."
+  (declare (ignore context))
+  (let* ((payload (getf action :payload))
+         (meta (getf action :meta))
+         (chat-id (or (getf meta :chat-id) (getf payload :chat-id) (getf action :chat-id)))
+         (text (or (getf payload :text) (getf action :text)))
+         (account (signal-get-account)))
+    (when (and account chat-id text)
+      (handler-case
+          (uiop:run-program (list "signal-cli" "-u" account "send" "-m" text chat-id)
+                            :output :string :error-output :string)
+        (error (c) (log-message "SIGNAL ERROR: ~a" c))))))
+#+end_src
+
+
+#+end_src

org/channel-slack.org

@@ -0,0 +1,86 @@
+#+TITLE: Channel Slack (channel-slack.org)
+#+AUTHOR: Agent
+#+FILETAGS: :channel:slack:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/channel-slack.lisp
+
+* Channel Slack
+
+Extracted from gateway-messaging in v0.5.0. Isolated platform — Slack-specific poll and send logic.
+
+* Overview
+
+The Slack channel provides bidirectional communication via the Slack Web API
+(chat.postMessage for outbound, conversations.history for inbound polling).
+Messages from Slack channels are injected into the cognitive pipeline as
+~:user-input~ signals with ~:source :slack~. Outbound messages route through
+the actuator registry when the pipeline targets ~:slack~.
+
+The channel uses two functions: ~slack-poll~ (inbound sensor) and ~slack-send~
+(outbound actuator). Both retrieve the bot token from the credentials vault.
+HITL commands are intercepted before injection so approval flows work identically
+across all channels.
+
+** Contract
+
+1. (slack-get-token): returns the Slack bot token from the vault
+   (via ~vault-get-secret :slack~), or nil if not configured.
+2. (slack-poll): polls configured channels via conversations.history,
+   injects each non-bot message as a ~:user-input~ stimulus with
+   ~:source :slack~. Handles API errors gracefully. HITL commands are
+   intercepted before injection.
+3. (slack-send action context): sends a message via chat.postMessage.
+   Extracts ~:channel-id~ and ~:text~ from the action plist. Uses Bearer
+   token authentication. Logs send failures without crashing the pipeline.
+
+* Implementation
+
+#+begin_src lisp
+(in-package :passepartout)
+(defun slack-get-token ()
+  (vault-get-secret :slack))
+
+(defun slack-send (action context)
+  "Sends a message via Slack Web API."
+  (declare (ignore context))
+  (let* ((payload (getf action :payload))
+         (meta (getf action :meta))
+         (channel (or (getf meta :channel-id) (getf payload :chat-id)))
+         (text (or (getf payload :text) (getf action :text)))
+         (token (slack-get-token)))
+    (when (and token channel text)
+      (handler-case
+          (dex:post "https://slack.com/api/chat.postMessage"
+                    :headers `(("Authorization" . ,(format nil "Bearer ~a" token))
+                               ("Content-Type" . "application/json; charset=utf-8"))
+                    :content (cl-json:encode-json-to-string
+                              `((channel . ,channel) (text . ,text))))
+        (error (c) (log-message "SLACK ERROR: ~a" c))))))
+
+(defun slack-poll ()
+  "Polls Slack for new messages via conversations.history."
+  (let* ((token (slack-get-token)))
+    (when token
+      (dolist (channel '("general"))  ;; configured channel IDs
+        (handler-case
+            (let* ((url (format nil "https://slack.com/api/conversations.history?channel=~a&limit=5" channel))
+                   (response (dex:get url :headers
+                                       `(("Authorization" . ,(format nil "Bearer ~a" token))))))
+              (let* ((json (ignore-errors (cl-json:decode-json-from-string response)))
+                     (ok (cdr (assoc :ok json)))
+                     (messages (cdr (assoc :messages json))))
+                (when (and ok messages (listp messages))
+                  (dolist (msg messages)
+                    (let* ((text (cdr (assoc :text msg)))
+                           (user (cdr (assoc :user msg)))
+                           (ts (cdr (assoc :ts msg))))
+                      (when (and text user (not (string= user "USLACKBOT")))
+                        (unless (ignore-errors (hitl-handle-message text :slack))
+                          (stimulus-inject
+                           (list :type :EVENT
+                                 :meta (list :source :slack :chat-id channel)
+                                 :payload (list :sensor :user-input :text text))))))))))
+          (error (c) (log-message "SLACK POLL ERROR: ~a" c)))))))
+#+end_src
+
+
+#+end_src

org/channel-telegram.org

@@ -0,0 +1,90 @@
+#+TITLE: Channel Telegram (channel-telegram.org)
+#+AUTHOR: Agent
+#+FILETAGS: :channel:telegram:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/channel-telegram.lisp
+
+* Channel Telegram
+
+Extracted from gateway-messaging in v0.5.0. Isolated platform — Telegram-specific poll and send logic.
+
+* Overview
+
+The Telegram channel provides bidirectional communication via the Telegram Bot
+API. Messages from Telegram chats are injected into the cognitive pipeline as
+~:user-input~ signals with ~:source :telegram~. Outbound messages route through
+the actuator registry when the pipeline targets ~:telegram~.
+
+The channel uses two functions: ~telegram-poll~ (inbound sensor, getUpdates
+with offset tracking) and ~telegram-send~ (outbound actuator, sendMessage).
+Both retrieve the bot token from the credentials vault. The polling offset
+(~:last-update-id~ in ~*gateway-configs*~) prevents duplicate processing across
+poll cycles. HITL commands are intercepted before injection so approval flows
+work identically across all channels.
+
+** Contract
+
+1. (telegram-get-token): returns the Telegram bot token from the vault
+   (via ~vault-get-secret :telegram~), or nil if not configured.
+2. (telegram-poll): polls getUpdates with offset tracking (prevents
+   duplicate processing), injects each message as a ~:user-input~ stimulus
+   with ~:source :telegram~. Updates ~:last-update-id~ per cycle. Handles
+   API and JSON parse errors gracefully. HITL commands are intercepted
+   before injection.
+3. (telegram-send action context): sends a message via sendMessage.
+   Extracts ~:chat-id~ and ~:text~ from the action plist. Logs send
+   failures without crashing the pipeline.
+
+* Implementation
+
+#+begin_src lisp
+(in-package :passepartout)
+(defun telegram-get-token ()
+  (vault-get-secret :telegram))
+
+(defun telegram-poll ()
+  "Polls Telegram for new messages and injects them into the harness."
+  (let* ((token (telegram-get-token)))
+    (when token
+      (let* ((last-id (getf (gethash "telegram" *gateway-configs*) :last-update-id 0))
+             (url (format nil "https://api.telegram.org/bot~a/getUpdates?offset=~a"
+                          token (1+ last-id))))
+        (handler-case
+            (let* ((response (dex:get url))
+                   (json (cl-json:decode-json-from-string response))
+                   (updates (cdr (assoc :result json))))
+              (dolist (update updates)
+                (let* ((update-id (cdr (assoc :update--id update)))
+                       (message (cdr (assoc :message update)))
+                       (chat (cdr (assoc :chat message)))
+                       (chat-id (cdr (assoc :id chat)))
+                       (text (cdr (assoc :text message))))
+                  (setf (getf (gethash "telegram" *gateway-configs*) :last-update-id) update-id)
+                  (when (and text chat-id)
+                    (log-message "TELEGRAM: Received message from ~a" chat-id)
+                    (unless (ignore-errors (hitl-handle-message text :telegram))
+                      (stimulus-inject
+                       (list :type :EVENT
+                             :meta (list :source :telegram :chat-id (format nil "~a" chat-id))
+                             :payload (list :sensor :user-input :text text))))))))
+          (error (c) (log-message "TELEGRAM POLL ERROR: ~a" c)))))))
+
+(defun telegram-send (action context)
+  "Sends a message via Telegram."
+  (declare (ignore context))
+  (let* ((payload (getf action :payload))
+         (meta (getf action :meta))
+         (chat-id (or (getf meta :chat-id) (getf payload :chat-id) (getf action :chat-id)))
+         (text (or (getf payload :text) (getf action :text)))
+         (token (telegram-get-token)))
+    (when (and token chat-id text)
+      (handler-case
+          (let ((url (format nil "https://api.telegram.org/bot~a/sendMessage" token)))
+            (dex:post url
+                      :headers '(("Content-Type" . "application/json"))
+                      :content (cl-json:encode-json-to-string
+                                `((chat_id . ,chat-id) (text . ,text)))))
+        (error (c) (log-message "TELEGRAM ERROR: ~a" c))))))
+#+end_src
+
+
+#+end_src

org/channel-tui-state.org

@@ -0,0 +1,367 @@
+#+TITLE: Passepartout TUI — Model
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/channel-tui-state.lisp
+
+* Model
+
+The TUI state is a single plist accessed via ~st~ / ~(setf st)~.
+All state mutation flows through event handlers in the controller.
+
+** Contract
+
+1. (init-state): returns a fresh state plist with ~:msgs~ list,
+   ~:input~ buffer, ~:dirty~ flag, ~:busy~ flag, and ~:connection~ status.
+2. (add-msg role content &key gate-trace): appends a message object
+   to the ~:messages~ vector (v0.3.3), tagged with timestamp, role,
+   and optional gate-trace from the daemon (v0.4.0).
+3. (queue-event ev): thread-safely enqueues an event for the
+   reader loop. (drain-queue) returns and clears the queue.
+
+** Package + State
+#+BEGIN_SRC lisp :tangle /home/user/.local/share/passepartout/lisp/channel-tui-state.lisp
+(defpackage :passepartout.channel-tui
+  (:use :cl :passepartout :usocket :bordeaux-threads)
+  (:export :tui-main :st :add-msg :now
+           :queue-event :drain-queue :init-state
+            :view-status :view-chat :view-input :redraw
+            :input-panel-top
+            :on-key :process-key-event :input-text :on-daemon-msg :send-daemon
+            :connect-daemon :disconnect-daemon
+            :*theme* :theme-color :theme-switch))
+(in-package :passepartout.channel-tui)
+
+(defvar *state* nil)
+(defvar *event-queue* nil)
+(defvar *event-lock* (bt:make-lock "tui-event-lock"))
+
+(defvar *theme* (cl-tty.theme:make-theme)
+  "The active theme instance. Populated by cl-tty.theme:load-preset.
+
+Semantic keys (all presets define these):
+  :user-fg, :user-bg, :user-border, :agent-border, :agent-header, :agent-fg,
+  :system, :input-prompt, :input-fg, :hint, :status-bg, :status-fg,
+  :bg, :bg-panel, :bg-element, :bg-input, :text-muted,
+  :dot-connected, :dot-disconnected, :error,
+  :tool-running, :tool-done, :tool-error,
+  :thinking-bg, :symbolic-border, :separator, :accent, :dim.")
+
+(cl-tty.theme:define-preset :amber
+  :dark (:user-fg "#fab283" :user-bg "#1e1e1e" :user-border "#fab283"
+          :agent-border "#c0a080" :agent-header "#d4956a" :agent-fg "#e8e8e8"
+          :system "#808080"
+          :input-prompt "#fab283" :input-fg "#e8e8e8" :hint "#606060"
+          :status-bg "#141414" :status-fg "#e8e8e8"
+          :bg "#0a0a0a" :bg-panel "#141414" :bg-element "#1e1e1e"
+          :bg-input "#2e2e2e" :text-muted "#808080"
+          :dot-connected "#7fd88f" :dot-disconnected "#e06c75"
+          :error "#e06c75"
+          :tool-running "#fab283" :tool-done "#7fd88f" :tool-error "#e06c75"
+          :thinking-bg "#3a3a3a" :symbolic-border "#707070"
+          :separator "#3c3c3c" :accent "#fab283" :dim "#606060")
+  :light nil)
+(cl-tty.theme:define-preset :gold
+  :dark (:user-fg "#ffd700" :user-bg "#1e1e1e" :user-border "#ffd700"
+          :agent-border "#c0a080" :agent-header "#d4a574" :agent-fg "#e8e8e8"
+          :system "#808080"
+          :input-prompt "#ffd700" :input-fg "#e8e8e8" :hint "#606060"
+          :status-bg "#141414" :status-fg "#ffd700"
+          :bg "#0a0a0a" :bg-panel "#141414" :bg-element "#1e1e1e"
+          :bg-input "#2e2e2e" :text-muted "#808080"
+          :dot-connected "#7fd88f" :dot-disconnected "#e06c75"
+          :error "#e06c75"
+          :tool-running "#ffd700" :tool-done "#7fd88f" :tool-error "#e06c75"
+          :thinking-bg "#3a3a3a" :symbolic-border "#707070"
+          :separator "#3c3c3c" :accent "#ffd700" :dim "#606060")
+  :light nil)
+(cl-tty.theme:define-preset :terracotta
+  :dark (:user-fg "#e87a5d" :user-bg "#1e1e1e" :user-border "#e87a5d"
+          :agent-border "#c0a080" :agent-header "#d4956a" :agent-fg "#e0c8b0"
+          :system "#808080"
+          :input-prompt "#e87a5d" :input-fg "#e0c8b0" :hint "#606060"
+          :status-bg "#141414" :status-fg "#d4956a"
+          :bg "#0a0a0a" :bg-panel "#141414" :bg-element "#1e1e1e"
+          :bg-input "#2e2e2e" :text-muted "#808080"
+          :dot-connected "#6cb85c" :dot-disconnected "#d94a3a"
+          :error "#d94a3a"
+          :tool-running "#e87a5d" :tool-done "#6cb85c" :tool-error "#d94a3a"
+          :thinking-bg "#3a3a3a" :symbolic-border "#707070"
+          :separator "#3c3c3c" :accent "#e87a5d" :dim "#606060")
+  :light nil)
+(cl-tty.theme:define-preset :sepia
+  :dark (:user-fg "#c4a882" :user-bg "#1e1e1e" :user-border "#c4a882"
+          :agent-border "#c0a080" :agent-header "#b89870" :agent-fg "#d4c4a8"
+          :system "#808080"
+          :input-prompt "#c4a882" :input-fg "#d4c4a8" :hint "#606060"
+          :status-bg "#141414" :status-fg "#b89870"
+          :bg "#0a0a0a" :bg-panel "#141414" :bg-element "#1e1e1e"
+          :bg-input "#2e2e2e" :text-muted "#808080"
+          :dot-connected "#7aac5c" :dot-disconnected "#c84a3a"
+          :error "#c84a3a"
+          :tool-running "#c4a882" :tool-done "#7aac5c" :tool-error "#c84a3a"
+          :thinking-bg "#3a3a3a" :symbolic-border "#707070"
+          :separator "#3c3c3c" :accent "#c4a882" :dim "#606060")
+  :light nil)
+(cl-tty.theme:define-preset :nord-warm
+  :dark (:user-fg "#d4a574" :user-bg "#1e1e1e" :user-border "#d4a574"
+          :agent-border "#c0a080" :agent-header "#c49870" :agent-fg "#e0d0c0"
+          :system "#808080"
+          :input-prompt "#d08770" :input-fg "#e0d0c0" :hint "#606060"
+          :status-bg "#141414" :status-fg "#c8a080"
+          :bg "#0a0a0a" :bg-panel "#141414" :bg-element "#1e1e1e"
+          :bg-input "#2e2e2e" :text-muted "#808080"
+          :dot-connected "#7cb860" :dot-disconnected "#d06050"
+          :error "#d06050"
+          :tool-running "#d08770" :tool-done "#7cb860" :tool-error "#d06050"
+          :thinking-bg "#3a3a3a" :symbolic-border "#707070"
+          :separator "#3c3c3c" :accent "#d4a574" :dim "#606060")
+  :light nil)
+(cl-tty.theme:define-preset :monokai-warm
+  :dark (:user-fg "#e6b87d" :user-bg "#1e1e1e" :user-border "#e6b87d"
+          :agent-border "#c0a080" :agent-header "#d4a06a" :agent-fg "#d8c8b0"
+          :system "#808080"
+          :input-prompt "#e6b87d" :input-fg "#d8c8b0" :hint "#606060"
+          :status-bg "#141414" :status-fg "#cc9966"
+          :bg "#0a0a0a" :bg-panel "#141414" :bg-element "#1e1e1e"
+          :bg-input "#2e2e2e" :text-muted "#808080"
+          :dot-connected "#7ab85c" :dot-disconnected "#d94a3a"
+          :error "#d94a3a"
+          :tool-running "#e6b87d" :tool-done "#7ab85c" :tool-error "#d94a3a"
+          :thinking-bg "#3a3a3a" :symbolic-border "#707070"
+          :separator "#3c3c3c" :accent "#e6b87d" :dim "#606060")
+  :light nil)
+(cl-tty.theme:define-preset :gruvbox-warm
+  :dark (:user-fg "#d8a657" :user-bg "#1e1e1e" :user-border "#d8a657"
+          :agent-border "#c0a080" :agent-header "#c8a070" :agent-fg "#e0c8a8"
+          :system "#808080"
+          :input-prompt "#d8a657" :input-fg "#e0c8a8" :hint "#606060"
+          :status-bg "#141414" :status-fg "#c8a070"
+          :bg "#0a0a0a" :bg-panel "#141414" :bg-element "#1e1e1e"
+          :bg-input "#2e2e2e" :text-muted "#808080"
+          :dot-connected "#7ab85c" :dot-disconnected "#d94a3a"
+          :error "#d94a3a"
+          :tool-running "#d8a657" :tool-done "#7ab85c" :tool-error "#d94a3a"
+          :thinking-bg "#3a3a3a" :symbolic-border "#707070"
+          :separator "#3c3c3c" :accent "#d8a657" :dim "#606060")
+  :light nil)
+(cl-tty.theme:define-preset :light-amber
+  :dark (:user-fg "#d4a574" :user-bg "#f5f0eb" :user-border "#c4956a"
+          :agent-border "#c0a090" :agent-header "#b88050" :agent-fg "#3a3a3a"
+          :system "#606060"
+          :input-prompt "#c4956a" :input-fg "#3a3a3a" :hint "#a0a0a0"
+          :status-bg "#e8e0d8" :status-fg "#5a5a5a"
+          :bg "#f5f0eb" :bg-panel "#e8e0d8" :bg-element "#f0ebe5"
+          :bg-input "#ffffff" :text-muted "#909090"
+          :dot-connected "#6cb85c" :dot-disconnected "#c84a3a"
+          :error "#c84a3a"
+          :tool-running "#c4956a" :tool-done "#6cb85c" :tool-error "#c84a3a"
+          :thinking-bg "#e8e0d8" :symbolic-border "#a09080"
+          :separator "#d0c8c0" :accent "#b88050" :dim "#a0a0a0")
+  :light nil)
+(cl-tty.theme:define-preset :catppuccin
+  :dark (:user-fg "#fab387" :user-bg "#1e1e2e" :user-border "#fab387"
+          :agent-border "#a6adc8" :agent-header "#cba6f7" :agent-fg "#cdd6f4"
+          :system "#808080"
+          :input-prompt "#fab387" :input-fg "#cdd6f4" :hint "#6c7086"
+          :status-bg "#181825" :status-fg "#bac2de"
+          :bg "#11111b" :bg-panel "#181825" :bg-element "#1e1e2e"
+          :bg-input "#2e2e2e" :text-muted "#6c7086"
+          :dot-connected "#a6e3a1" :dot-disconnected "#f38ba8"
+          :error "#f38ba8"
+          :tool-running "#fab387" :tool-done "#a6e3a1" :tool-error "#f38ba8"
+          :thinking-bg "#363a4f" :symbolic-border "#6c7086"
+          :separator "#313244" :accent "#fab387" :dim "#585b70")
+  :light nil)
+(cl-tty.theme:define-preset :tokyonight
+  :dark (:user-fg "#ff9e64" :user-bg "#1a1b26" :user-border "#ff9e64"
+          :agent-border "#7982a8" :agent-header "#7aa2f7" :agent-fg "#a9b1d6"
+          :system "#808080"
+          :input-prompt "#ff9e64" :input-fg "#a9b1d6" :hint "#565f89"
+          :status-bg "#16161e" :status-fg "#9aa5ce"
+          :bg "#0f0f18" :bg-panel "#16161e" :bg-element "#1a1b26"
+          :bg-input "#2e2e2e" :text-muted "#565f89"
+          :dot-connected "#9ece6a" :dot-disconnected "#db4b4b"
+          :error "#db4b4b"
+          :tool-running "#ff9e64" :tool-done "#9ece6a" :tool-error "#db4b4b"
+          :thinking-bg "#363b54" :symbolic-border "#565f89"
+          :separator "#292e42" :accent "#ff9e64" :dim "#444b6a")
+  :light nil)
+(cl-tty.theme:define-preset :dracula
+  :dark (:user-fg "#ff9580" :user-bg "#1e1f2b" :user-border "#ff9580"
+          :agent-border "#c0c0e0" :agent-header "#bd93f9" :agent-fg "#f8f8f2"
+          :system "#808080"
+          :input-prompt "#ff9580" :input-fg "#f8f8f2" :hint "#6272a4"
+          :status-bg "#191a24" :status-fg "#e0e0e0"
+          :bg "#0f101a" :bg-panel "#191a24" :bg-element "#1e1f2b"
+          :bg-input "#2e2e2e" :text-muted "#6272a4"
+          :dot-connected "#50fa7b" :dot-disconnected "#ff5555"
+          :error "#ff5555"
+          :tool-running "#ff9580" :tool-done "#50fa7b" :tool-error "#ff5555"
+          :thinking-bg "#3a3b50" :symbolic-border "#6272a4"
+          :separator "#34354a" :accent "#ff9580" :dim "#5a5b7a")
+  :light nil)
+(cl-tty.theme:define-preset :gemini
+  :dark (:user-fg "#87afff" :user-bg "#1a1a1a" :user-border "#87afff"
+          :agent-border "#d0d0d0" :agent-header "#d7afff" :agent-fg "#ffffff"
+          :system "#808080"
+          :input-prompt "#87afff" :input-fg "#ffffff" :hint "#606060"
+          :status-bg "#141414" :status-fg "#afafaf"
+          :bg "#000000" :bg-panel "#141414" :bg-element "#1a1a1a"
+          :bg-input "#2e2e2e" :text-muted "#808080"
+          :dot-connected "#d7ffd7" :dot-disconnected "#ff87af"
+          :error "#ff87af"
+          :tool-running "#87afff" :tool-done "#d7ffd7" :tool-error "#ff87af"
+          :thinking-bg "#3a3a3a" :symbolic-border "#707070"
+          :separator "#3a3a3a" :accent "#87afff" :dim "#5f5f5f")
+  :light nil)
+(cl-tty.theme:define-preset :mono
+  :dark (:user-fg "#e0e0e0" :user-bg "#1a1a1a" :user-border "#808080"
+          :agent-border "#a0a0a0" :agent-header "#c0c0c0" :agent-fg "#d0d0d0"
+          :system "#808080"
+          :input-prompt "#ffffff" :input-fg "#d0d0d0" :hint "#606060"
+          :status-bg "#141414" :status-fg "#b0b0b0"
+          :bg "#0a0a0a" :bg-panel "#141414" :bg-element "#1a1a1a"
+          :bg-input "#2e2e2e" :text-muted "#808080"
+          :dot-connected "#a0a0a0" :dot-disconnected "#808080"
+          :error "#808080"
+          :tool-running "#e0e0e0" :tool-done "#a0a0a0" :tool-error "#808080"
+          :thinking-bg "#3a3a3a" :symbolic-border "#808080"
+          :separator "#303030" :accent "#ffffff" :dim "#505050")
+  :light nil)
+
+;; Load default theme at startup
+(cl-tty.theme:load-preset *theme* :amber)
+
+(defun theme-save ()
+  "Persist current theme to disk."
+  (let ((path (merge-pathnames ".cache/passepartout/theme.lisp"
+                               (user-homedir-pathname))))
+    (ensure-directories-exist path)
+    (cl-tty.theme:save-theme *theme* path)))
+
+(defun theme-load ()
+  "Load persisted theme from disk. Called at startup."
+  (let ((path (merge-pathnames ".cache/passepartout/theme.lisp"
+                               (user-homedir-pathname))))
+    (unless (cl-tty.theme:load-theme *theme* path)
+      (cl-tty.theme:load-preset *theme* :amber))))
+
+(defun theme-switch (name)
+  "Switch to a named theme preset. Returns the preset name or nil if not found."
+  (let ((key (intern (string-upcase (string name)) :keyword)))
+    (cl-tty.theme:load-preset *theme* key)
+    (theme-save)
+    (setf (st :dirty) (list t t t))
+    key))
+
+(defun theme-color (role)
+  "Returns a hex color string for a semantic role via cl-tty.theme."
+  (or (cl-tty.theme:theme-color *theme* role)
+      "#FFFFFF"))
+
+(defun st (key) (getf *state* key))
+(defun (setf st) (val key) (setf (getf *state* key) val))
+
+(defun init-state ()
+  (setf *state*
+        (list :running t :mode :chat :connected nil :stream nil
+              :input-history nil :input-hpos 0
+              :text-input (cl-tty.input:make-text-input
+                           :on-submit #'handle-submit
+                           :on-cancel #'handle-cancel
+                           :on-tab #'handle-tab
+                           :on-history #'handle-history)
+              :messages (make-array 16 :adjustable t :fill-pointer 0)
+               :scroll-offset 0 :busy nil
+              :pending-ctrl-x nil
+              :scroll-at-bottom t :scroll-notify nil
+              :streaming-text nil :url-buffer nil            ; v0.7.1
+              :collapsed-gates nil                          ; v0.7.2
+              :search-mode nil :search-query ""           ; v0.7.2
+              :search-matches nil :search-match-idx 0
+               :sidebar-mode :auto                       ; v0.8.0: :auto/:visible/:hidden
+               :sidebar-width 42                           ; v0.8.0
+               :expand-tool-calls nil                      ; v0.8.0
+               :mcp-count 0                                ; v0.8.0
+               :kill-ring nil                               ; v0.9.0
+               :dialog-stack nil                           ; v0.8.0
+               :minibuffer-active nil                      ; v0.8.0
+                :command-palette-active nil                 ; v0.8.0
+                :command-palette-dialog nil                 ; v0.8.0
+                :session-cost 0.0                          ; v0.9.0
+                :daemon-version nil                        ; filled by handshake
+                :dirty (list nil nil nil))))
+#+END_SRC
+
+** Helpers
+#+BEGIN_SRC lisp :tangle /home/user/.local/share/passepartout/lisp/channel-tui-state.lisp
+(defun now ()
+  (multiple-value-bind (s m h) (get-decoded-time)
+    (declare (ignore s))
+    (format nil "~2,'0d:~2,'0d" h m)))
+
+(defun add-msg (role content &key gate-trace panel)
+  (vector-push-extend (list :role role :content content :time (now) :gate-trace gate-trace :panel panel) (st :messages))
+  ;; v0.7.0: notify when scrolled up and new msg arrives
+  (unless (st :scroll-at-bottom)
+    (setf (st :scroll-notify) t))
+  (setf (st :dirty) (list t t nil)))
+#+END_SRC
+
+** Slash Commands
+#+BEGIN_SRC lisp :tangle /home/user/.local/share/passepartout/lisp/channel-tui-state.lisp
+(defvar *slash-commands*
+  '((:title "/eval <expr> — Evaluate Lisp"        :value "/eval")
+    (:title "/undo — Undo last operation"           :value "/undo")
+    (:title "/redo — Redo last operation"           :value "/redo")
+    (:title "/reconnect — Re-establish daemon"     :value "/reconnect")
+    (:title "/quit — Save history and exit"        :value "/quit")
+    (:title "/q — Quick quit"                       :value "/q")
+    (:title "/why — Show last gate trace"           :value "/why")
+    (:title "/tags — List tag severities"           :value "/tags")
+    (:title "/audit <id> — Inspect memory"          :value "/audit")
+    (:title "/audit verify — Memory integrity"      :value "/audit verify")
+    (:title "/rewind <n> — Rewind to snapshot"     :value "/rewind")
+    (:title "/sessions — Show memory snapshots"    :value "/sessions")
+    (:title "/resume <n> — Resume from snapshot"   :value "/resume")
+    (:title "/theme [name] — Show/switch theme"    :value "/theme")
+    (:title "/context — Show context summary"      :value "/context")
+    (:title "/search <query> — Search messages"    :value "/search")
+    (:title "/help — Show commands"                 :value "/help")
+    (:title "/help <topic> — Search manual"         :value "/help "))
+  "Slash commands for minibuffer select-dialog.")
+
+(defvar *daemon-commands*
+  '((:title "Status — Daemon health info"          :value (:action :status))
+    (:title "Stats — Daemon statistics"              :value (:action :stats))
+    (:title "Ping — Daemon reachability"             :value (:action :ping))
+    (:title "Test Provider — Check connection"      :value (:action :provider-test))
+    (:title "Discover Models — List available"       :value (:action :provider-models))
+    (:title "Memory Snapshot — Capture state"        :value (:action :memory-snapshot))
+    (:title "Memory Rebuild — Rebuild indices"       :value (:action :memory-rebuild))
+    (:title "Memory Compact — Optimize storage"      :value (:action :memory-compact))
+    (:title "Reload Config — Reload configuration"   :value (:action :reload-config))
+    (:title "Reload Identity — Reload identity file" :value (:action :reload-identity))
+    (:title "List Skills — Available skills"         :value (:action :list-skills))
+    (:title "Help — Show daemon help"                :value (:action :help)))
+  "Daemon commands for the command palette (Ctrl+P).")
+
+(defun all-commands ()
+  "Merge slash commands, daemon commands, and menu entries into one unified list."
+  (append *menu-entries* *slash-commands* *daemon-commands*))
+
+(defvar *menu-entries*
+  '((:title "/config — LLM providers, cascade, network, folders, identity"
+     :value :config-menu
+     :action passepartout.channel-tui::show-config-main-menu))
+  "Special menu entries with actions (open submenus).")
+#+END_SRC
+
+** Event Queue
+#+BEGIN_SRC lisp :tangle /home/user/.local/share/passepartout/lisp/channel-tui-state.lisp
+(defun queue-event (ev)
+  (bt:with-lock-held (*event-lock*) (push ev *event-queue*)))
+
+(defun drain-queue ()
+  (bt:with-lock-held (*event-lock*)
+    (let ((evs (nreverse *event-queue*)))
+      (setf *event-queue* nil) evs)))
+#+END_SRC

org/channel-tui-view.org

@@ -0,0 +1,517 @@
+#+TITLE: Passepartout TUI — View
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/channel-tui-view.lisp
+
+* View
+
+|Pure render functions. Each takes the cl-tty backend and current state.
+|State is read via ~(st :key)~ — no mutation here.
+
+** Contract
+
+1. (view-status fb w h): no-op. Status bar is a clean black line.
+2. (view-chat fb w h): renders scrolled chat messages. User messages
+   get amber left border (│), agent messages no border, streaming
+   agent gets grey left border. Gate traces/tool calls use ╎ prefix.
+3. (view-input fb w h): renders expanding light grey input box,
+    multi-line word-wrapped prompt, hint bar at h-2. Text and cursor
+   rendered by cl-tty.input text-input's render method.
+4. (view-sidebar fb w h): renders sidebar panels using ~sidebar-lines~.
+5. (sidebar-lines): builds a flat list of (text . color-key) pairs for
+   the sidebar: gate trace, rules, cost, files, version.
+6. (msg->pairs msg index bordered-w unbordered-w is-search): converts
+    a message to renderable ~(border border-color text text-color &optional bg)~
+    lines. Handles markdown, gate trace, tool calls, search highlight.
+7. (render-pair fb hpad y pair): draws one message line pair.
+8. (redraw fb w h): wraps view-status/chat/input in begin-sync/end-sync,
+   dispatches per dirty flags, fills global :bg first.
+9. ~cl-tty.box:char-width~ for terminal column width.
+   ASCII < 128 = 1. CJK, fullwidth, emoji = 2. Combining marks = 0.
+   Tab = 8. Used by cl-tty.box:word-wrap for accurate line counting.
+10. (sidebar-visible-p w): returns T if sidebar should show given width W
+    and current :sidebar-mode (:auto >120, :visible always, :hidden never).
+
+** Status Bar
+
+The status bar, as of v0.4.0, renders Passepartout's three differentiator
+visualizations — data only available because of the deterministic gate
+architecture:
+
+- *Rule counter* (~Rules:N~): the number of pending HITL actions from the
+  Dispatcher's ~*hitl-pending*~ hash table. The user watches this tick up
+  as they teach the agent their preferences through approve/deny decisions.
+- *Focus map* (~[Focus: <id>]~): the foveal focus from the daemon's signal
+  context. Shows the user what the agent is currently looking at.
+- *Gate trace* (not rendered in status bar — attached to individual
+  messages via ~:gate-trace~ field for future collapsible rendering per
+  message).
+
+All three enrichments cost 0 LLM tokens — they are daemon-state queries
+that the TUI actuator attaches to the response plist before transmission.
+
+#+BEGIN_SRC lisp :tangle /home/user/.local/share/passepartout/lisp/channel-tui-view.lisp
+(in-package :passepartout.channel-tui)
+
+(defun sidebar-visible-p (w)
+  "Compute whether sidebar should be shown given terminal width W
+and current sidebar mode (:auto/:visible/:hidden)."
+  (let ((mode (st :sidebar-mode)))
+    (or (eq mode :visible)
+        (and (eq mode :auto) (> w 120)))))
+
+(defun view-status (fb w h)
+  (declare (ignore fb w h))
+  ;; Status bar is now a clean black line — blends with global :bg.
+  ;; No clock, no dot, no text. Everything clean.
+  )
+
+(defun input-panel-top (chat-w h)
+  "Compute the top row of the input panel based on current input text."
+  (let* ((hpad 2)
+         (inner-w (- chat-w (* 2 hpad)))
+         (prompt-w (- inner-w 2))
+         (text (cl-tty.input:text-input-value (st :text-input)))
+         (lines (cl-tty.box:word-wrap text prompt-w))
+         (n-lines (max 1 (length lines)))
+         (panel-rows (max 4 (+ n-lines 2))))
+    (- h 4 panel-rows -1)))
+#+end_src
+
+;; Build simple tab-like blocks
+#+BEGIN_SRC lisp :tangle /home/user/.local/share/passepartout/lisp/channel-tui-view.lisp
+(in-package :passepartout.channel-tui)
+
+(defun msg->pairs (msg index bordered-w unbordered-w is-search)
+  "Convert a message to a list of (border-str border-color text-str text-color &optional bg) lines."
+  (let* ((role (getf msg :role))
+         (content (getf msg :content))
+         (cs (if is-search (cl-tty.markdown:search-highlight content (st :search-query)) content))
+         (pairs nil)
+         (think-bg (theme-color :thinking-bg))
+         (sym-bdr (theme-color :symbolic-border))
+         (agent-bdr (theme-color :agent-border))
+         (user-bdr (theme-color :user-border))
+         (user-fg (theme-color :user-fg))
+         (agent-fg (theme-color :agent-fg))
+         (system-fg (theme-color :system)))
+    (case role
+      (:user
+       (dolist (l (cl-tty.box:word-wrap cs bordered-w))
+         (push (list "│" user-bdr l user-fg) pairs)))
+      (:agent
+       (let* ((streaming (getf msg :streaming))
+              (think-rect (if streaming think-bg nil))
+              (bdr (if streaming nil agent-bdr))
+              (bstr (if streaming nil "│"))
+              (wrap-w (if streaming unbordered-w bordered-w))
+              (nodes (cl-tty.markdown:parse-blocks cs))
+              (raw-body (or (and nodes (cl-tty.markdown:render-md nodes)) (list "")))
+              (body (mapcan (lambda (l) (cl-tty.box:word-wrap l wrap-w)) raw-body)))
+         (dolist (l body)
+           (push (list bstr bdr l agent-fg think-rect) pairs))))
+      (t (dolist (l (cl-tty.box:word-wrap cs unbordered-w))
+           (push (list nil nil l system-fg) pairs))))
+    ;; Gate trace
+    (let ((gt (getf msg :gate-trace)))
+      (when (and gt (eq role :agent))
+        (if (member index (st :collapsed-gates))
+            (push (list "│" sym-bdr (format nil "Gate trace: ~a gates" (length gt)) sym-bdr) pairs)
+            (dolist (entry (passepartout::gate-trace-lines gt))
+              (let ((ec (theme-color (getf (cdr entry) :fgcolor))))
+                (dolist (l (cl-tty.box:word-wrap (car entry) bordered-w))
+                  (push (list "│" sym-bdr l ec) pairs)))))))
+    ;; Tool calls
+    (let ((tc (getf msg :tool-calls)))
+      (when tc
+        (if (member index (st :collapsed-tools))
+            (let* ((n (or (getf (first tc) :name) "tool"))
+                   (d (or (getf (first tc) :duration) 0.0)))
+              (push (list "│" (theme-color :tool-done) (format nil "~a … ~,1fs" n d) (theme-color :tool-done)) pairs))
+            (dolist (call tc)
+              (let* ((name (or (getf call :name) "tool"))
+                     (dur (or (getf call :duration) 0.0))
+                     (st (getf call :status))
+                     (out (getf call :output))
+                     (bc (theme-color
+                          (cond ((eq st :running) :tool-running)
+                                ((eq st :error) :tool-error)
+                                (t :tool-done))))
+                     (pfx (cond ((eq st :error) "✗") ((eq st :running) "●") (t "✓")))
+                     (ol (when out (cl-tty.box:word-wrap out bordered-w))))
+                (push (list "│" bc (format nil "~a ~a  ~,1fs" pfx name dur) bc) pairs)
+                (dolist (l ol)
+                  (push (list "│" bc l bc) pairs)))))))
+    (nreverse pairs)))
+
+(defun render-pair (fb hpad y pair)
+  "Draw a single (border-str border-color text-str text-color &optional bg) line."
+  (destructuring-bind (bstr bcolor tstr tcolor &optional rect-bg) pair
+    (when rect-bg
+      (cl-tty.backend:draw-rect fb 0 y 1 1 :bg rect-bg))
+    (let ((has-border (and bstr (> (length bstr) 0))))
+      (when has-border
+        (cl-tty.backend:draw-text fb hpad y bstr bcolor (theme-color :bg)))
+      (cl-tty.backend:draw-text fb (+ hpad (if has-border 2 0)) y tstr tcolor (theme-color :bg)))))
+
+(defun view-chat (fb w h)
+  (let* ((w (or (and (numberp w) (> w 0) w) 80))
+         (h (or (and (numberp h) (> h 0) h) 24))
+         (hpad 2)
+         (sidebar-w (if (sidebar-visible-p w) (or (st :sidebar-width) 42) 0))
+         (chat-w (- w sidebar-w))
+         (msgs (st :messages)) (total (length msgs))
+         (panel-top (input-panel-top chat-w h))
+         (max-lines (max 0 panel-top)) (is-search (st :search-mode))
+         (bordered-w (- chat-w (* 2 hpad) 2))
+         (unbordered-w (- chat-w (* 2 hpad)))
+         (y 0))
+    ;; Search header
+    (when is-search
+      (let* ((matches (st :search-matches)) (idx (st :search-match-idx))
+             (query (st :search-query))
+             (hdr (format nil "Search: ~d matches for '~a' (~d/~d) — Esc to exit"
+                          (length matches) query (1+ idx) (length matches))))
+        (cl-tty.backend:draw-text fb hpad y hdr (theme-color :accent) nil)
+        (incf y) (decf max-lines)))
+    ;; Build all message lines once
+    (let* ((msg-lines (map 'vector
+                           (lambda (msg i) (msg->pairs msg i bordered-w unbordered-w is-search))
+                           msgs
+                           (make-array total :initial-contents (loop for i below total collect i))))
+           (heights (map 'vector #'length msg-lines))
+           (scroll-skip (st :scroll-offset))
+           (i 0))
+      ;; Forward scan: skip messages scrolled past, then render visible ones
+      (loop while (< i total)
+            do (let ((hgt (aref heights i)))
+                 (if (> scroll-skip 0)
+                     (decf scroll-skip hgt)
+                     (let ((msg-y y))
+                       (dolist (pair (aref msg-lines i))
+                         (when (>= msg-y panel-top) (return))
+                         (render-pair fb hpad msg-y pair)
+                         (incf msg-y))
+                       (setf y (1+ msg-y))  ;; +1 spacer between messages
+                       (when (>= y panel-top) (return)))))
+            (incf i)))))
+#+END_SRC
+
+** Input Line
+#+BEGIN_SRC lisp :tangle /home/user/.local/share/passepartout/lisp/channel-tui-view.lisp
+(defun view-input (fb w h)
+  (let* ((w (or (and (numberp w) (> w 0) w) 80))
+         (h (or (and (numberp h) (> h 0) h) 24))
+         (hpad 2)
+         (sidebar-w (if (sidebar-visible-p w) (or (st :sidebar-width) 42) 0))
+         (chat-w (- w sidebar-w))
+         (inner-w (- chat-w (* 2 hpad)))
+         (prompt-w (- inner-w 2))
+         (input (st :text-input))
+         (n-lines (max 1 (length (cl-tty.box:word-wrap (cl-tty.input:text-input-value input) prompt-w))))
+          (panel-rows (max 4 (+ n-lines 2)))
+          (panel-top (input-panel-top chat-w h))
+         (bg-i (theme-color :bg-input))
+         (hint-fg (theme-color :hint)))
+    ;; Fill input panel
+    (cl-tty.backend:draw-rect fb hpad panel-top inner-w panel-rows :bg bg-i)
+    ;; Speaker lines for all input rows
+    (dotimes (r panel-rows)
+      (cl-tty.backend:draw-text fb hpad (+ panel-top r) "│" (theme-color :input-prompt) nil))
+    ;; Render text-input widget (word-wrap + cursor)
+    (let ((ln (cl-tty.layout:make-layout-node)))
+      (setf (cl-tty.layout:layout-node-x ln) (+ hpad 2)
+            (cl-tty.layout:layout-node-y ln) (1+ panel-top)
+            (cl-tty.layout:layout-node-width ln) prompt-w)
+      (setf (cl-tty.input:text-input-layout-node input) ln)
+      (cl-tty.box:render input fb))
+    ;; Hint bar at h-2
+    (let* ((focal (or (st :foveal-id) "-"))
+           (focal-str (format nil "F:~a" focal))
+           (mcp-str (format nil "MCP:~d" (or (st :mcp-count) 0)))
+           (left-str (format nil "~a  ~a" focal-str mcp-str))
+           (msg-count (max 1 (length (st :messages))))
+           (ctx-est (* msg-count 60))
+           (ctx-limit 8192)
+           (ctx-pct (min 100 (floor (* 100 ctx-est) ctx-limit)))
+           (ctx-tok (if (< ctx-est 1000)
+                        (format nil "~d" ctx-est)
+                        (format nil "~dK" (floor ctx-est 1000))))
+           (ctx-str (format nil "~a (~d%%)" ctx-tok ctx-pct))
+           (hint-str "ctrl+p | /help")
+           (ctx-fg (cond ((< ctx-pct 50) (theme-color :tool-done))
+                         ((< ctx-pct 80) (theme-color :input-prompt))
+                         (t (theme-color :error))))
+           (hint-x (- chat-w (length hint-str) 2))
+           (ctx-x (- hint-x 1 (length ctx-str))))
+      (cl-tty.backend:draw-text fb hpad (- h 2) left-str hint-fg (theme-color :bg))
+      (cl-tty.backend:draw-text fb ctx-x (- h 2) ctx-str ctx-fg (theme-color :bg))
+      (cl-tty.backend:draw-text fb hint-x (- h 2) hint-str hint-fg (theme-color :bg)))))
+#+end_src
+
+** Sidebar
+#+BEGIN_SRC lisp :tangle /home/user/.local/share/passepartout/lisp/channel-tui-view.lisp
+(defun sidebar-lines ()
+  "Collect all sidebar lines as (text . color-key) pairs."
+  (let* ((msgs (st :messages))
+         (last-gt (loop for i from (1- (length msgs)) downto 0
+                        for m = (aref msgs i)
+                        when (getf m :gate-trace)
+                        return (getf m :gate-trace)))
+         (blocked (loop for i below (length msgs)
+                        for m = (aref msgs i)
+                        sum (loop for g in (getf m :gate-trace)
+                                  count (eq (getf g :result) :blocked))))
+         (ver (or (st :daemon-version) ""))
+         (ver-label (if (> (length ver) 0) (format nil "passepartout ~a" ver) "passepartout"))
+         (dot (if (st :connected) "●" "○"))
+         (dot-color (if (st :connected) :dot-connected :dot-disconnected)))
+    (append
+     ;; Gate Trace
+     (list (cons "GATE TRACE" :accent))
+     (if last-gt
+         (mapcan (lambda (g)
+                   (let* ((name (getf g :gate))
+                          (result (getf g :result))
+                          (reason (getf g :reason))
+                          (glyph (case result (:passed "✓") (:blocked "✗") (:approval "→") (t "?")))
+                          (color (case result
+                                   (:passed :tool-done)
+                                   (:blocked :error)
+                                   (:approval :input-prompt)
+                                   (t :dim))))
+                     (if reason
+                         (list (cons (format nil "  ~a ~a" glyph name) color)
+                               (cons (format nil "    ~a" reason) :dim))
+                         (list (cons (format nil "  ~a ~a" glyph name) color)))))
+                 last-gt)
+         (list (cons "  (none)" :dim)))
+     ;; Rules
+     (list (cons "" nil))
+     (list (cons "RULES" :accent))
+     (list (cons (format nil "  ~d active" (or (st :rule-count) 0)) :agent-fg))
+     (list (cons (format nil "  ~d blocked" blocked)
+                  (if (> blocked 0) :error :dim)))
+     ;; Cost
+     (list (cons "" nil))
+     (list (cons "COST" :accent))
+     (list (cons (format nil "  $~,2f" (or (st :session-cost) 0.0)) :status-fg))
+     ;; Files
+     (list (cons "" nil))
+     (list (cons "FILES" :accent))
+     (list (cons "  (not yet)" :dim))
+     ;; spacer
+     (list (cons "" nil))
+     ;; Version footer — rendered at h-2, not in the loop
+     (list (cons (format nil "~a ~a" dot ver-label) dot-color)))))
+
+(defun view-sidebar (fb w h)
+  (let* ((w (or (and (numberp w) (> w 0) w) 80))
+         (h (or (and (numberp h) (> h 0) h) 24))
+         (x (- w (or (st :sidebar-width) 42)))
+         (lines (sidebar-lines))
+         (content-lines (butlast lines))
+         (footer-line (car (last lines))))
+    (cl-tty.backend:draw-rect fb x 0 (- w x) (1- h) :bg (theme-color :bg-panel))
+    (loop for (text . color-key) in content-lines
+          for y from 0
+          when text
+            do (cl-tty.backend:draw-text fb (+ x 2) y text
+                                          (if color-key (theme-color color-key) (theme-color :dim))
+                                          (theme-color :bg-panel)))
+    ;; Version footer at h-2
+    (when footer-line
+      (cl-tty.backend:draw-text fb (+ x 2) (- h 2) (car footer-line)
+                                (theme-color (cdr footer-line))
+                                (theme-color :bg-panel)))))
+#+END_SRC
+
+** Redraw (dirty-flag dispatch)
+#+begin_src lisp
+(defun redraw (fb w h)
+  (setq w (or (and (numberp w) (> w 0) w) 80)
+        h (or (and (numberp h) (> h 0) h) 24))
+  (when (or (first (st :dirty)) (second (st :dirty)) (third (st :dirty)))
+    (handler-case
+        (progn
+          (cl-tty.backend:with-frame (fb)
+            (cl-tty.backend:draw-rect fb 0 0 w h :bg (theme-color :bg))
+            (view-status fb w h)
+            (view-chat fb w h)
+            (view-input fb w h)
+            (when (sidebar-visible-p w)
+              (view-sidebar fb w h)))
+          (setf (st :dirty) (list nil nil nil)))
+      (error (c)
+        (add-msg :system (format nil "* Render error: ~a *" c))))))
+
+#+END_SRC
+
+* v0.7.2 — Gate Trace
+#+BEGIN_SRC lisp :tangle /home/user/.local/share/passepartout/lisp/channel-tui-view.lisp
+(in-package :passepartout)
+
+(defun gate-trace-lines (trace)
+  "Convert gate-trace plist to display lines."
+  (let ((lines nil))
+    (dolist (entry trace)
+      (let* ((gate (getf entry :gate))
+             (result (getf entry :result))
+             (reason (getf entry :reason))
+             (name (or gate "unknown"))
+             (color (case result
+                       (:passed :tool-done)
+                       (:blocked :error)
+                       (:approval :accent)
+                       (t :dim)))
+             (prefix (case result
+                       (:passed "  \u2713 ")
+                       (:blocked "  \u2717 ")
+                       (:approval "  \u2192 ")
+                       (t "  ? ")))
+             (text (format nil "~a~a~@[~a~]~@[~a~]"
+                           prefix name
+                           (when reason (format nil ": ~a" reason))
+                           (if (eq result :approval) " (HITL required)" ""))))
+        (push (cons text (list :fgcolor color)) lines)))
+    (nreverse lines)))
+#+END_SRC
+
+* Test Suite
+#+BEGIN_SRC lisp :tangle /home/user/.local/share/passepartout/lisp/channel-tui-view.lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-tui-view-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:tui-view-suite))
+
+(in-package :passepartout-tui-view-tests)
+
+(def-suite tui-view-suite :description "TUI view rendering helpers")
+(in-suite tui-view-suite)
+
+(test test-markdown-bold
+  "parse-inline detects **bold**."
+  (let ((nodes (cl-tty.markdown:parse-inline "hello **world**!")))
+    (is (= 3 (length nodes)))
+    (is (eq :bold (getf (second nodes) :type)))))
+
+(test test-markdown-plain
+  "parse-inline returns text node for plain input."
+  (let ((nodes (cl-tty.markdown:parse-inline "plain")))
+    (is (= 1 (length nodes)))
+    (is (eq :text (getf (first nodes) :type)))))
+
+(test test-markdown-url
+  "parse-inline returns text nodes including URLs (no built-in auto-link)."
+  (let ((nodes (cl-tty.markdown:parse-inline "see https://example.com for more")))
+    (is (>= (length nodes) 1))))
+
+(test test-markdown-blocks
+  "parse-blocks detects code blocks."
+  (let* ((text (format nil "before~%```lisp~%(+ 1 2)~%```~%after"))
+         (nodes (cl-tty.markdown:parse-blocks text)))
+    (is (= 3 (length nodes)))
+    (is (eq :code-block (getf (second nodes) :type)))
+    (is (string= "(+ 1 2)" (string-trim '(#\Space #\Newline)
+                              (getf (second nodes) :content))))))
+
+(test test-markdown-blocks-no-close
+  "parse-blocks returns code-block even when unclosed."
+  (let* ((text "```~%unclosed code")
+         (nodes (cl-tty.markdown:parse-blocks text)))
+    (is (eq :code-block (getf (first nodes) :type)))))
+
+(test test-syntax-highlight
+  "highlight-code returns segment pairs for Lisp code."
+  (let ((result (cl-tty.markdown:highlight-code "(defun foo (x) (+ x 1))" "lisp")))
+    (is (listp result))
+    (is (> (length result) 0))))
+
+(test test-syntax-highlight-keyword
+  "highlight-code classifies keywords."
+  (let ((result (cl-tty.markdown:highlight-code "(let ((x 1)) (+ x 2))" "lisp")))
+    (is (find :keyword result :key #'cdr))))
+
+(test test-syntax-highlight-function
+  "highlight-code classifies function calls."
+  (let ((result (cl-tty.markdown:highlight-code "(+ 1 2)" "lisp")))
+    (is (listp result))
+    (is (> (length result) 0))))
+
+(test test-gate-trace-lines-passed
+  "Contract 9: gate-trace-lines for passed gate."
+  (let ((lines (passepartout::gate-trace-lines
+                '((:gate "path" :result :passed)))))
+    (is (= 1 (length lines)))
+    (is (eq :tool-done (getf (cdar lines) :fgcolor)))))
+
+(test test-gate-trace-lines-blocked
+  "Contract 9: gate-trace-lines for blocked gate."
+  (let ((lines (passepartout::gate-trace-lines
+                '((:gate "shell" :result :blocked :reason "rm")))))
+    (is (= 1 (length lines)))
+    (is (search "rm" (caar lines)))))
+
+(test test-gate-trace-lines-approval
+  "Contract 9: gate-trace-lines for approval gate."
+  (let ((lines (passepartout::gate-trace-lines
+                '((:gate "network" :result :approval)))))
+    (is (= 1 (length lines)))
+    (is (search "HITL" (caar lines)))))
+
+(test test-init-state-has-collapsed-gates
+  "Contract v0.7.2: init-state includes :collapsed-gates field."
+  (passepartout.channel-tui::init-state)
+  (let ((cg (passepartout.channel-tui::st :collapsed-gates)))
+    (is (null cg))))
+
+(test test-sidebar-state
+  "Contract v0.8.0: init-state includes :sidebar-mode (:auto) and :sidebar-width (42)."
+  (passepartout.channel-tui::init-state)
+  (is (eq :auto (passepartout.channel-tui::st :sidebar-mode)))
+  (is (= 42 (passepartout.channel-tui::st :sidebar-width))))
+
+(defun sidebar-visible-p (w)
+  "Compute whether sidebar should be shown given terminal width W
+and current sidebar mode."
+  (let ((mode (passepartout.channel-tui::st :sidebar-mode)))
+    (or (eq mode :visible)
+        (and (eq mode :auto) (> w 120)))))
+
+(test test-sidebar-auto-wide
+  "Contract v0.8.0: sidebar auto-shows when terminal > 120 cols."
+  (passepartout.channel-tui::init-state)
+  (setf (passepartout.channel-tui::st :sidebar-mode) :auto)
+  (is (sidebar-visible-p 140))
+  (is (not (sidebar-visible-p 100))))
+
+(test test-sidebar-visible-mode
+  "Contract v0.8.0: :visible mode shows sidebar regardless of width."
+  (passepartout.channel-tui::init-state)
+  (setf (passepartout.channel-tui::st :sidebar-mode) :visible)
+  (is (sidebar-visible-p 40))
+  (is (sidebar-visible-p 140)))
+
+(test test-sidebar-hidden-mode
+  "Contract v0.8.0: :hidden mode hides sidebar regardless of width."
+  (passepartout.channel-tui::init-state)
+  (setf (passepartout.channel-tui::st :sidebar-mode) :hidden)
+  (is (not (sidebar-visible-p 140)))
+  (is (not (sidebar-visible-p 40))))
+
+(test test-status-bar-tokens
+  "v0.9.0: status bar uses :status-fg and :status-bg theme tokens."
+  (is (stringp (passepartout.channel-tui:theme-color :status-fg)))
+  (is (stringp (passepartout.channel-tui:theme-color :status-bg))))
+
+(test test-new-theme-keys
+  "v0.10.0: theme has all zone keys."
+  (is (stringp (passepartout.channel-tui:theme-color :bg)))
+  (is (stringp (passepartout.channel-tui:theme-color :bg-panel)))
+  (is (stringp (passepartout.channel-tui:theme-color :bg-element)))
+  (is (stringp (passepartout.channel-tui:theme-color :bg-input)))
+  (is (stringp (passepartout.channel-tui:theme-color :agent-border)))
+  (is (stringp (passepartout.channel-tui:theme-color :thinking-bg)))
+  (is (stringp (passepartout.channel-tui:theme-color :symbolic-border)))
+  (is (stringp (passepartout.channel-tui:theme-color :text-muted))))
+#+END_SRC

org/channel-tui.org

@@ -0,0 +1,173 @@
+#+TITLE: Passepartout TUI
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/channel-tui.lisp
+
+* TUI
+
+Direct-rendering TUI using cl-tty backend + framebuffer. Layout by
+~compute-layout~. Three zones: status (3 lines), chat, input.
+
+#+begin_src lisp :tangle /home/user/.local/share/passepartout/lisp/channel-tui.lisp
+(in-package :cl-user)
+
+(ql:quickload :cl-tty :silent t)
+(ql:quickload :passepartout :silent t)
+(ql:quickload :usocket :silent t)
+(ql:quickload :bordeaux-threads :silent t)
+
+(defpackage :passepartout.tui
+  (:use :cl :cl-tty.backend :cl-tty.input :cl-tty.rendering :cl-tty.layout)
+  (:export #:tui-main))
+(in-package :passepartout.tui)
+
+(defvar *messages* (make-array 0 :fill-pointer 0 :adjustable t))
+(defvar *daemon-stream* nil)
+(defvar *event-queue* nil)
+(defvar *event-lock* (bt:make-lock "tui-event"))
+(defvar *streaming-text* nil)
+(defvar *input-buf* nil)
+(defvar *cursor-pos* 0)
+(defvar *connected* nil)
+(defvar *running* t)
+
+;; Input
+(defun input-insert-char (ch)
+  (let ((pos *cursor-pos*))
+    (setf *input-buf* (concatenate 'list (subseq *input-buf* 0 pos) (list ch)
+                                   (subseq *input-buf* pos)))
+    (incf *cursor-pos*)))
+
+(defun input-delete-char ()
+  (when (and *input-buf* (> *cursor-pos* 0))
+    (setf *input-buf* (nconc (subseq *input-buf* 0 (1- *cursor-pos*))
+                              (subseq *input-buf* *cursor-pos*)))
+    (decf *cursor-pos*)))
+
+(defun input-string () (coerce (reverse *input-buf*) 'string))
+
+(defun input-submit ()
+  (let ((text (string-trim '(#\Space) (input-string))))
+    (when (> (length text) 0)
+      (vector-push-extend (list :role :user :content text) *messages*)
+      (send-daemon `(:type :event :payload (:sensor :user-input :text ,text)))
+      (setf *input-buf* nil *cursor-pos* 0))))
+
+;; Daemon
+(defun send-daemon (msg)
+  (let ((s *daemon-stream*))
+    (when (and s (open-stream-p s))
+      (handler-case
+          (let ((str (prin1-to-string msg)))
+            (format s "~6,'0X~A" (length str) str)
+            (finish-output s))
+        (error () nil)))))
+
+(defun connect-daemon (&optional (host "127.0.0.1") (port 9105))
+  (handler-case
+      (let ((s (usocket:socket-connect host port :timeout 5)))
+        (setf *daemon-stream* (usocket:socket-stream s) *connected* t)
+        (bt:make-thread (lambda () (reader-loop)) :name "tui-reader")
+        (vector-push-extend '(:role :system :content "* Connected *") *messages*))
+    (error (c)
+      (vector-push-extend (list :role :system :content
+                                (format nil "* Connection failed: ~A *" c))
+                          *messages*))))
+
+(defun reader-loop ()
+  (loop while *running*
+        for msg = (handler-case
+                      (let* ((hdr (make-string 6)) (n 0))
+                        (loop while (< n 6)
+                              do (let ((ch (read-char *daemon-stream* nil)))
+                                   (unless ch (return-from reader-loop nil))
+                                   (setf (char hdr n) ch) (incf n)))
+                        (let* ((len (parse-integer hdr :radix 16 :junk-allowed t))
+                               (buf (make-string (or len 0))))
+                          (when (and len (> len 0))
+                            (loop for i from 0 below len
+                                  do (let ((ch (read-char *daemon-stream* nil)))
+                                       (unless ch (return-from reader-loop nil))
+                                       (setf (char buf i) ch)))
+                            (let ((*read-eval* nil)) (read-from-string buf)))))
+                    (error () nil))
+        if msg do (bt:with-lock-held (*event-lock*) (push msg *event-queue*))
+        else do (sleep 0.5)))
+
+;; Render
+(defun render-frame (fb w h)
+  (backend-clear fb)
+  (let ((fg (if *connected* "#00FF00" "#FF4444")))
+    (draw-text fb 1 1
+      (format nil " Passepartout  ~a  [CHAT]  msgs:~d"
+              (if *connected* "● Connected" "○ Disconnected")
+              (length *messages*))
+      fg nil)
+    (draw-text fb 1 2 " Ctrl+P: palette  Ctrl+Q: quit  /help: help" "#888888" nil))
+  (let ((y 4))
+    (loop for i from (1- (length *messages*)) downto 0
+          for msg = (aref *messages* i)
+          do (let* ((role (getf msg :role))
+                    (content (getf msg :content))
+                    (fg (case role (:user "#00FF00") (:agent "#FFFFFF")
+                                 (:system "#FFFF00") (t "#888888")))
+                    (pfx (case role (:user "> ") (:agent "  ") (:system "* ") (t "  ")))))
+               (draw-text fb 1 y (concatenate 'string pfx content) fg nil)
+               (incf y))
+          (when (> y (- h 3)) (loop-finish))))
+  (draw-text fb 1 (- h 1) (concatenate 'string "> " (input-string)) "#FFFFFF" "#0F3460"))
+
+;; Event loop
+(defun tui-main ()
+  (setf *running* t *messages* (make-array 0 :fill-pointer 0 :adjustable t))
+  (connect-daemon)
+  (with-raw-terminal
+    (with-terminal (be w h)
+      (let ((prev-fb (make-framebuffer w h))
+            (curr-fb (make-framebuffer w h)))
+        (loop while *running* do
+          (bt:with-lock-held (*event-lock*)
+            (dolist (msg (nreverse *event-queue*))
+              (let* ((payload (getf msg :payload)) (text (getf payload :text))
+                     (type (getf msg :type)))
+                (cond
+                  ((and (eq type :stream-chunk) text (not (string= text "")))
+                   (if *streaming-text*
+                       (setf *streaming-text* (concatenate 'string *streaming-text* text))
+                       (setf *streaming-text* text
+                             *messages* (let ((v (make-array (1+ (length *messages*))
+                                               :fill-pointer (1+ (length *messages*))
+                                               :adjustable t)))
+                                         (loop for i below (length *messages*)
+                                               do (setf (aref v i) (aref *messages* i)))
+                                         (setf (aref v (length *messages*))
+                                               (list :role :thinking :content text))
+                                         v))))
+                  ((and (eq type :stream-chunk) (string= text ""))
+                   (setf *streaming-text* nil))
+                  (text
+                   (vector-push-extend (list :role :agent :content text) *messages*)))))
+            (setf *event-queue* nil))
+          (multiple-value-bind (type data) (read-event be :timeout 0)
+            (declare (ignore type))
+            (when (key-event-p data)
+              (let ((k (key-event-key data)))
+                (cond
+                  ((eq k :escape) (when *streaming-text* (setf *streaming-text* nil)))
+                  ((eq k :enter) (input-submit))
+                  ((eq k :backspace) (input-delete-char))
+                  ((eq k :left) (when (> *cursor-pos* 0) (decf *cursor-pos*)))
+                  ((eq k :right) (when (< *cursor-pos* (length *input-buf*))
+                                   (incf *cursor-pos*)))
+                  ((eq k :ctrl-u) (setf *input-buf* nil *cursor-pos* 0))
+                  ((eq k :ctrl-a) (setf *cursor-pos* 0))
+                  ((eq k :ctrl-e) (setf *cursor-pos* (length *input-buf*)))
+                  ((eq k :ctrl-d) (when (null *input-buf*) (setf *running* nil)))
+                  ((eq k :ctrl-q) (setf *running* nil))
+                  (t (let ((chr (when (keywordp k)
+                                   (let ((s (string k)))
+                                     (when (= (length s) 1) (char-downcase (char s 0)))))))
+                       (when chr (input-insert-char chr))))))))
+          (render-frame curr-fb w h)
+          (flush-framebuffer prev-fb curr-fb be)
+          (rotatef prev-fb curr-fb)
+          (sleep 0.05))))))
+#+end_src

org/core-act.org

@@ -0,0 +1,528 @@
+#+TITLE: Stage 3: Act (act.lisp)
+#+AUTHOR: Agent
+#+FILETAGS: :harness:act:
+#+STARTUP: content
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/core-act.lisp
+
+* Overview: Architectural Intent
+
+The Act stage is where cognition meets reality. After the Probabilistic engine proposes an action and the Deterministic engine verifies it, Act executes it through the appropriate actuator.
+
+An actuator is a function that takes (action context) and performs a physical operation: send a message to the TUI, execute a shell command, call a Telegram API, write to a file. Actuators are registered in a global hash table (~*actuator-registry*~) and dispatched by name.
+
+The key architectural choice: **actuators are not privileged**. The same dispatch mechanism that routes to :shell or :file also routes to :telegram or :signal. There is no special handling for dangerous actuators — safety is enforced at the Reason stage by the deterministic engine, not by Act. This means:
+
+1. Adding a new actuator requires no changes to the core — just register it
+2. Safety is centralized in the deterministic gates, not scattered across actuator implementations
+3. Every actuator benefits from the same security checks (the Dispatcher, the Policy)
+
+** Why Dispatch-Action Verifies Again?
+
+The Reason stage already ran every proposed action through the deterministic engine. So why does ~loop-gate-act~ call ~cognitive-verify~ again?
+
+Because a skill's deterministic gate runs during Reason, but between Reason and Act, the action might have been transformed by the pipeline (metadata added, format normalized). The last-mile verification catches any transformation that might have introduced an unsafe property. It's the same philosophy as "trust but verify" — the second check is cheap and catches a class of bugs that would otherwise be silent data corruption.
+
+** Contract
+
+1. (loop-gate-act signal): the final pipeline stage. Handles HITL
+   ~:approval-required~ (suspends action), runs last-mile
+   ~cognitive-verify~ on approved actions, dispatches via
+   ~action-dispatch~, sets ~:status :acted~, returns feedback.
+2. (act-gate signal): thin alias for ~loop-gate-act~.
+3. (action-dispatch approved signal): routes approved actions to
+    registered actuators by ~:target~ keyword.
+ 4. (tui-enrich-response action context): enriches the outgoing action
+    plist with sidebar fields — ~:block-counts~, ~:context-usage~,
+    ~:modified-files~, ~:session-cost~ (v0.8.0) — plus existing
+    ~:rule-count~ and ~:foveal-id~ (v0.4.0). Each field is
+    ~fboundp~-guarded; missing skills produce nil. Called from the
+    ~:tui~ actuator lambda.
+
+* Implementation
+
+** Package Context
+#+begin_src lisp
+(in-package :passepartout)
+#+end_src
+
+** Actuator Configuration
+
+~*actuator-default*~ determines where actions go when no explicit target is specified. Defaults to ~:cli~.
+
+~*actuator-silent*~ lists actuator targets that don't generate tool-output feedback. For example, sending a message to the CLI or Emacs doesn't need to produce a tool-output event — the user can see the message directly. This prevents redundant feedback loops.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *actuator-default* :cli
+  "The actuator used when no explicit target is specified.")
+
+#+end_src
+** *actuator-silent*
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *actuator-silent* '(:cli :system-message :emacs)
+  "List of actuators that don't generate tool-output feedback.")
+
+#+end_src
+** actuator-initialize
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun actuator-initialize ()
+  "Register core actuators and load configuration."
+  (let ((def (uiop:getenv "DEFAULT_ACTUATOR"))
+        (silent (uiop:getenv "SILENT_ACTUATORS")))
+    (when def
+      (setf *actuator-default* (intern (string-upcase def) :keyword)))
+    (when silent
+      (setf *actuator-silent*
+            (mapcar (lambda (s) (intern (string-upcase (string-trim '(#\Space) s)) :keyword))
+                    (uiop:split-string silent :separator '(#\,))))))
+
+  (register-actuator :system #'action-system-execute)
+  (register-actuator :tool #'action-tool-execute)
+
+  (register-actuator :tui (lambda (action context)
+                             (declare (ignore context))
+                             (let* ((meta (getf action :meta))
+                                    (stream (getf meta :reply-stream)))
+                               (when (and stream (open-stream-p stream))
+                                 ;; Enrich response with differentiator visualization data
+                              (setf (getf (getf action :payload) :rule-count)
+                                    (if (boundp '*hitl-pending*)
+                                        (hash-table-count *hitl-pending*)
+                                        0))
+                                 (setf (getf (getf action :payload) :foveal-id)
+                                       (getf context :foveal-id))
+                                 ;; v0.8.0: sidebar enrichment via fboundp guards
+                                 (when (fboundp 'dispatcher-block-counts-summary)
+                                   (setf (getf (getf action :payload) :block-counts)
+                                         (dispatcher-block-counts-summary)))
+                                 (when (fboundp 'context-usage-percentage)
+                                   (setf (getf (getf action :payload) :context-usage)
+                                         (context-usage-percentage)))
+                                 (when (fboundp 'tool-modified-files-summary)
+                                   (setf (getf (getf action :payload) :modified-files)
+                                         (tool-modified-files-summary)))
+                                 (when (fboundp 'cost-session-summary)
+                                   (setf (getf (getf action :payload) :session-cost)
+                                         (cost-session-summary)))
+                                 (format stream "~a" (frame-message action))
+                                 (finish-output stream))))))
+#+end_src
+
+** TUI Differentiator Enrichment (v0.4.0, extended v0.8.0)
+
+The TUI actuator is the last point in the pipeline before the response leaves the daemon. It enriches the action plist with fields that power the TUI's differentiator visualizations:
+
+- ~:rule-count~ = ~(hash-table-count *hitl-pending*)~ — the number of pending HITL actions. The user watches this counter tick as they teach the agent their preferences. (v0.4.0)
+- ~:foveal-id~ = the current foveal focus from the signal context — enables the TUI's focus map status line. (v0.4.0)
+- ~:gate-trace~ — already attached by ~cognitive-verify~, flows through the action plist unchanged. (v0.4.0)
+
+v0.8.0 adds four sidebar fields via ~fboundp~ guards — same pattern as
+~core-reason.lisp~'s calls into token-economics, awareness, and time skills.
+Each field degrades gracefully to nil when its source skill is not loaded:
+
+- ~:block-counts~ = ~(dispatcher-block-counts-summary)~ — per-gate block tallies from ~security-dispatcher~. Powers the sidebar's Protection panel.
+- ~:context-usage~ = ~(context-usage-percentage)~ — token budget percentage from ~token-economics~. Powers the sidebar's Context gauge.
+- ~:modified-files~ = ~(tool-modified-files-summary)~ — files modified this turn from ~programming-tools~. Powers the sidebar's Files panel.
+- ~:session-cost~ = ~(cost-session-summary)~ — cumulative cost data from ~cost-tracker~. Powers the sidebar's Cost panel.
+
+The enrichment is added inside the existing ~:tui~ actuator lambda (one block
+after the ~:rule-count~ and ~:foveal-id~ enrichment). No new actuator is
+registered; no new ASDF component is added. The contract is: each field
+arrives via ~fboundp~ guard and is silently nil when unavailable.
+
+** Action Dispatch (action-dispatch)
+
+Routes an approved action to its registered actuator. The target is resolved in priority order:
+
+1. The explicit ~:target~ field on the action
+2. The source of the original signal (reply to the sender)
+3. The default actuator (~:cli~)
+
+Heartbeats are silently dropped here — they should never generate an actuation.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun action-dispatch (action context)
+  "Route an approved action to its registered actuator."
+  (let ((payload (proto-get action :payload)))
+    (when (eq (proto-get payload :sensor) :heartbeat)
+      (return-from action-dispatch nil))
+
+    (when (and action (listp action))
+      (let* ((meta (proto-get context :meta))
+             (source (proto-get meta :source))
+             (raw-target (or (proto-get action :target) source *actuator-default*))
+             (target (intern (string-upcase (string raw-target)) :keyword))
+             ;; If target is :SYSTEM and we have a live reply-stream, route to :TUI instead
+             (actual-target (if (and (eq target :system)
+                                     (getf meta :reply-stream)
+                                     (ignore-errors (open-stream-p (getf meta :reply-stream))))
+                               :tui
+                               target))
+             (actuator-fn (gethash actual-target *actuator-registry*)))
+        (when (and meta (null (getf action :meta)))
+          (setf (getf action :meta) meta))
+        (if actuator-fn
+            (funcall actuator-fn action context)
+            (log-message "ACT ERROR: No actuator registered for '~s'" actual-target))))))
+#+end_src
+
+** System Actuator (action-system-execute)
+
+Handles internal harness commands: ~:eval~ (execute arbitrary Lisp) and ~:message~ (log to the harness log). This is how the deterministic engine communicates results back to the user.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun action-system-execute (action context)
+  "Execute internal harness commands."
+  (declare (ignore context))
+  (let* ((payload (getf action :payload))
+         (cmd (getf payload :action)))
+    (case cmd
+      (:eval
+       (eval (let ((*read-eval* nil)) (read-from-string (getf payload :code)))))
+      (:message
+       (log-message "ACT [System]: ~a" (getf payload :text)))
+      (t
+       (log-message "ACT ERROR [System]: Unknown command '~s'" cmd)))))
+#+end_src
+
+** Tool Actuator (action-tool-execute)
+
+Executes a registered cognitive tool. Cognitive tools are registered via ~def-cognitive-tool~ in the package.lisp and are the primary way the LLM interacts with the outside world.
+
+The function handles:
+- Tool dispatch by name (case-insensitive lookup)
+- Argument normalization (if the arguments are nested in a list, they're flattened)
+- Result formatting (structured results are sent back to the source)
+- Error handling (tool errors produce ~:tool-error~ events, not crashes)
+
+The tool's return value is packed into a ~:tool-output~ event and fed back into the pipeline, where it becomes the next perception. This is how the agent "sees" the result of its actions.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun action-tool-execute (action context)
+  "Execute a registered cognitive tool."
+  (let* ((payload (getf action :payload))
+         (tool-name (getf payload :tool))
+         (tool-args (getf payload :args))
+         (depth (getf context :depth 0))
+         (meta (getf context :meta))
+         (source (getf meta :source))
+         (tool (gethash (string-downcase (string tool-name)) *cognitive-tool-registry*)))
+    ;; v0.7.2: snapshot before destructive tool execution
+    (when (and tool (not (cognitive-tool-read-only-p tool)))
+      (undo-snapshot))
+    (if tool
+        (handler-case
+            (let* ((clean-args (if (and (listp tool-args) (listp (car tool-args))) (car tool-args) tool-args))
+                   (is-read-only (cognitive-tool-read-only-p tool))
+                   (cache-key (when is-read-only (tool-cache-key tool-name clean-args)))
+                   (cached (when cache-key (gethash cache-key *tool-cache*)))
+                   (raw-result (if cached
+                                   (progn (log-message "TOOL-CACHE: hit for ~a" tool-name) cached)
+                                   (let* ((res (call-with-tool-timeout tool-name
+                                                (lambda () (funcall (cognitive-tool-body tool) clean-args)))))
+                                     (when (and is-read-only cache-key)
+                                       (setf (gethash cache-key *tool-cache*) res))
+                                     res))))
+              ;; Timeout: propagate error
+              (when (and (listp raw-result) (eq (getf raw-result :status) :error))
+                (return-from action-tool-execute
+                  (list :TYPE :EVENT :DEPTH (1+ depth) :META meta
+                        :PAYLOAD (list :SENSOR :tool-error :TOOL tool-name
+                                      :MESSAGE (getf raw-result :message)))))
+              (when source
+                (action-dispatch (list :TYPE :REQUEST :TARGET source 
+                                       :PAYLOAD (list :ACTION :MESSAGE :TEXT (tool-result-format tool-name raw-result)))
+                                context))
+              (list :TYPE :EVENT :DEPTH (1+ depth) :META meta
+                    :PAYLOAD (list :SENSOR :tool-output :RESULT raw-result :TOOL tool-name)))
+          (error (c)
+            (list :TYPE :EVENT :DEPTH (1+ depth) :META meta
+                  :PAYLOAD (list :SENSOR :tool-error :TOOL tool-name :MESSAGE (format nil "~a" c)))))
+        (list :TYPE :EVENT :DEPTH (1+ depth) :META meta
+               :PAYLOAD (list :SENSOR :tool-error :MESSAGE (format nil "Tool '~a' not found" tool-name))))))
+#+end_src
+
+** v0.7.2 — Tool Execution Hardening
+#+begin_src lisp
+(defvar *tool-timeouts* (make-hash-table :test 'equal)
+  "Per-tool timeout in seconds. Default 120s.")
+
+;; Defaults: shell=300s, search-files=30s, eval-form=10s
+(setf (gethash "shell" *tool-timeouts*) 300)
+(setf (gethash "search-files" *tool-timeouts*) 30)
+(setf (gethash "eval-form" *tool-timeouts*) 10)
+
+(defun tool-timeout (tool-name)
+  "Return timeout for tool-name, default 120 seconds."
+  (gethash (string-downcase (string tool-name)) *tool-timeouts* 120))
+
+(defun call-with-tool-timeout (tool-name fn)
+  "Execute FN within the timeout for TOOL-NAME.
+On timeout, returns (:status :error :message ...)."
+  (let ((timeout (tool-timeout tool-name)))
+    (handler-case
+        (sb-ext:with-timeout timeout
+          (funcall fn))
+      (sb-ext:timeout (c)
+        (declare (ignore c))
+        (list :status :error :message
+              (format nil "Timed out after ~a second~:p" timeout))))))
+
+(defun verify-write (filepath expected-content)
+  "Verify that FILEPATH contains EXPECTED-CONTENT after write.
+Returns T on match, logs and returns NIL on mismatch or read error."
+  (handler-case
+      (let ((actual (uiop:read-file-string filepath)))
+        (if (string= expected-content actual)
+            t
+            (progn
+              (log-message "WRITE-VERIFY: Mismatch in ~a" filepath)
+              nil)))
+    (error (c)
+      (log-message "WRITE-VERIFY: Cannot read ~a: ~a" filepath c)
+      nil)))
+
+;; v0.7.2: read-only tool response cache
+(defvar *tool-cache* (make-hash-table :test 'equal)
+  "Cache for read-only tool results. Key: tool-name$sxhash-args. Cleared per session.")
+
+(defun tool-cache-key (tool-name args)
+  "Build a cache key from TOOL-NAME and ARGS."
+  (format nil "~a$~a" (string-downcase (string tool-name)) (sxhash args)))
+
+(defun tool-cache-clear ()
+  "Clear the read-only tool response cache."
+  (clrhash *tool-cache*))
+#+end_src
+
+** Tool Result Formatting (tool-result-format)
+
+Converts a tool's return value into a human-readable string for display to the user. Handles structured results (plists with ~:status~, ~:content~, ~:message~) and plain values.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun tool-result-format (tool-name result)
+  "Format a tool result for display."
+  (if (listp result)
+      (let ((status (getf result :status))
+            (content (getf result :content))
+            (msg (getf result :message)))
+        (cond
+          ((and (eq status :success) content) (format nil "~a" content))
+          ((and (eq status :error) msg) (format nil "ERROR [~a]: ~a" tool-name msg))
+          (t (format nil "TOOL [~a] RESULT: ~s" tool-name result))))
+      (format nil "TOOL [~a] RESULT: ~a" tool-name result)))
+#+end_src
+
+** Act Gate (Stage 3)
+
+The final stage of the metabolic pipeline. It receives a signal that has been reasoned (has an ~:approved-action~) and dispatches it.
+
+The gate runs a last-mile deterministic check on the approved action before execution. This catches any issues introduced during pipeline processing (e.g., metadata added by Perceive that changes the action's format).
+
+After dispatch, the gate captures any feedback produced by the actuation (tool output, error events) and returns it to the loop for the next cognitive cycle.
+
+*** loop-gate-act
+
+The main act pipeline stage.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun loop-gate-act (signal)
+  "Final stage of the metabolic pipeline: Actuation.
+For approval-required actions, creates a Flight Plan instead of executing."
+  (let* ((approved (getf signal :approved-action))
+         (signal-status (getf signal :status))
+         (type (getf signal :type))
+         (meta (getf signal :meta))
+         (source (getf meta :source))
+         (feedback nil))
+    ;; HITL: if the approved action requires human approval,
+    ;; create a Flight Plan (Emacs) and HITL entry (all gateways).
+    (when (and approved
+               (eq (getf approved :level) :approval-required))
+      (let* ((payload (getf approved :payload))
+             (blocked-action (getf payload :action))
+             (hitl (hitl-create blocked-action)))
+        (log-message "ACT: Action requires approval — creating Flight Plan + HITL (~a)" (getf hitl :token))
+        (dispatcher-flight-plan-create blocked-action)
+        (setf (getf signal :status) :suspended)
+        (action-dispatch (list :target source
+                               :payload (list :text (getf hitl :message)))
+                         signal)
+        (setf approved nil)
+        (setf feedback nil)))
+    (when approved
+      (let* ((original-type (getf approved :type))
+             (verified (cognitive-verify approved signal)))
+        (if (and (listp verified) (member (getf verified :type) '(:LOG :EVENT))
+                 (not (eq (getf verified :level) :approval-required))
+                 (not (member original-type '(:LOG :EVENT))))
+            (progn
+              (log-message "ACT BLOCKED: Action failed last-mile deterministic check.")
+              (setf (getf signal :approved-action) nil)
+              (setf feedback verified))
+            (progn
+              (setf (getf signal :approved-action) verified)
+              (setf approved verified)))))
+
+    (case type
+      (:REQUEST (action-dispatch signal signal))
+      (:LOG (action-dispatch signal signal))
+      (:EVENT
+       (if approved
+           (let* ((target (getf approved :target))
+                  (result (action-dispatch approved signal)))
+             (cond
+               ((and (listp result) (member (getf result :type) '(:EVENT :LOG)))
+                (setf feedback result))
+               ((and result (not (member target *actuator-silent*)))
+                (setf feedback (list :type :EVENT :depth (1+ (getf signal :depth 0)) :meta meta
+                                    :payload (list :sensor :tool-output :result result :tool approved))))))
+           (when source (action-dispatch signal signal)))))
+    (setf (getf signal :status) :acted)
+    feedback))
+#+end_src
+
+*** act-gate (backward-compatibility alias)
+
+The pipeline gate was originally named ~act-gate~. Code that still
+uses the old name can call this alias. New code should call
+~loop-gate-act~.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun act-gate (signal)
+  (loop-gate-act signal))
+#+end_src
+
+* Test Suite
+Verifies that the act gate correctly processes an approved action and sets the signal status to ~:acted~.
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-pipeline-act-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:pipeline-act-suite))
+
+(in-package :passepartout-pipeline-act-tests)
+
+(def-suite pipeline-act-suite :description "Test suite for Act pipeline")
+(in-suite pipeline-act-suite)
+
+(test test-loop-gate-act-basic
+  "Contract 1: approved action reaches :acted status via loop-gate-act."
+  (clrhash passepartout::*skill-registry*)
+  (let* ((signal (list :type :EVENT :status nil :depth 0 :approved-action '(:target :cli :payload (:text "Hello"))))
+          (result (loop-gate-act signal)))
+    (is (eq :acted (getf signal :status)))
+    (is (null result))))
+
+(test test-loop-gate-act-no-approved-action
+  "Contract 1: signal with no approved-action still reaches :acted status."
+  (clrhash passepartout::*skill-registry*)
+  (let* ((signal (list :type :EVENT :status nil :depth 0)))
+    (loop-gate-act signal)
+    (is (eq :acted (getf signal :status)))))
+
+(test test-loop-gate-act-last-mile-reject
+  "Contract 1: last-mile cognitive-verify rejection blocks approved-action."
+  (clrhash passepartout::*skill-registry*)
+  (passepartout::defskill :mock-blocker
+    :priority 50
+    :trigger (lambda (ctx) (declare (ignore ctx)) t)
+    :deterministic (lambda (action ctx)
+                    (declare (ignore ctx action))
+                    (list :type :LOG :payload (list :text "Last-mile block"))))
+  (let* ((signal (list :type :EVENT :status nil :depth 0
+                        :approved-action '(:type :REQUEST :target :cli :payload (:text "blocked")))))
+    (loop-gate-act signal)
+    (is (eq :acted (getf signal :status)))
+    (is (null (getf signal :approved-action)))))
+
+(test test-loop-gate-act-preserves-meta
+  "Contract 1: signal metadata is not mutated by loop-gate-act."
+  (clrhash passepartout::*skill-registry*)
+  (let* ((meta '(:source :tui :session "s1"))
+         (signal (list :type :EVENT :status nil :depth 0 :meta meta
+                        :approved-action '(:target :cli :payload (:text "test")))))
+    (loop-gate-act signal)
+    (is (equal meta (getf signal :meta)))))
+
+(test test-action-dispatch-routes
+  "Contract 3: action-dispatch routes to registered actuators without crashing."
+  (actuator-initialize)
+  (let ((result (action-dispatch '(:type :REQUEST :target :system :payload (:action :eval :code "(+ 1 2)"))
+                                  '(:type :EVENT :depth 0))))
+    (is (numberp result) "eval should return a number")))
+
+(test test-tool-timeout-shell
+  "Contract v0.7.2: shell timeout is 300 seconds."
+  (is (= 300 (passepartout::tool-timeout "shell"))))
+
+(test test-tool-timeout-unknown
+  "Contract v0.7.2: unknown tool gets default 120s."
+  (is (= 120 (passepartout::tool-timeout "nonexistent-tool"))))
+
+(test test-verify-write-match
+  "Contract v0.7.2: verify-write returns T on match."
+  (let ((path "/tmp/passepartout-verify-test.org")
+        (content "test content"))
+    (with-open-file (f path :direction :output :if-exists :supersede)
+      (write-string content f))
+    (unwind-protect
+         (is (passepartout::verify-write path content))
+      (ignore-errors (delete-file path)))))
+
+(test test-tool-timeout-enforcement
+  "Contract v0.7.2: tool exceeding timeout returns :error with timeout message."
+  (setf (gethash "sleep-forever" passepartout::*tool-timeouts*) 1)
+  (setf (gethash "sleep-forever" passepartout::*cognitive-tool-registry*)
+        (passepartout::make-cognitive-tool :name "sleep-forever"
+                                          :read-only-p nil
+                                          :body (lambda (args)
+                                                  (declare (ignore args))
+                                                  (sleep 10)
+                                                  "done")))
+  (unwind-protect
+       (let* ((action '(:type :REQUEST :payload (:tool "sleep-forever" :args nil)))
+              (ctx '(:depth 0))
+              (result (passepartout::action-tool-execute action ctx)))
+         (is (eq :EVENT (getf result :TYPE)))
+         (let ((payload (getf result :PAYLOAD)))
+           (is (eq :tool-error (getf payload :SENSOR)))
+           (is (search "timed out" (string-downcase (getf payload :MESSAGE))))))
+    (remhash "sleep-forever" passepartout::*cognitive-tool-registry*)
+    (remhash "sleep-forever" passepartout::*tool-timeouts*)))
+
+(test test-tool-cache-read-only
+  "Contract v0.7.2: read-only tool results are cached and reused."
+  (let ((call-count 0))
+    (setf (gethash "cache-test" passepartout::*cognitive-tool-registry*)
+          (passepartout::make-cognitive-tool :name "cache-test"
+                                            :read-only-p t
+                                            :body (lambda (args)
+                                                    (declare (ignore args))
+                                                    (incf call-count)
+                                                    (list :status :success :content (format nil "call ~d" call-count)))))
+    (unwind-protect
+         (progn
+           (clrhash passepartout::*tool-cache*)
+           (let* ((action '(:type :REQUEST :payload (:tool "cache-test" :args nil)))
+                  (ctx '(:depth 0))
+                  (r1 (passepartout::action-tool-execute action ctx))
+                  (r2 (passepartout::action-tool-execute action ctx)))
+             (is (= 1 call-count) "Second call should hit cache, not re-execute")
+             (let ((p1 (getf r1 :PAYLOAD))
+                   (p2 (getf r2 :PAYLOAD)))
+               (is (string= (getf (getf p1 :RESULT) :CONTENT)
+                            (getf (getf p2 :RESULT) :CONTENT))))))
+      (remhash "cache-test" passepartout::*cognitive-tool-registry*)
+      (clrhash passepartout::*tool-cache*))))
+#+end_src

org/core-manifest.org

@@ -0,0 +1,55 @@
+#+TITLE: System Manifest (manifest.org)
+#+AUTHOR: Agent
+#+FILETAGS: :harness:manifest:
+#+STARTUP: content
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/passepartout.asd
+
+* Overview: Architectural Intent
+
+The Manifest is the ASDF system definition for Passepartout. It defines what files belong to the harness, which external libraries are required, and how the test infrastructure is organized.
+
+The ~passepartout.asd~ file tangled from this manifest is what ~ql:quickload :passepartout~ reads to load the system. The files are loaded in the order listed here — dependencies first, then each pipeline stage in order.
+
+* Implementation
+
+** Main System
+
+The core system. The combined ~:depends-on~ list pulls in every external library the agent needs: networking (usocket, dexador, hunchentoot), concurrency (bordeaux-threads), utilities (uiop, cl-ppcre, cl-json, str), security (ironclad), and configuration (cl-dotenv, uuid).
+
+Components are loaded in sequence (~:serial t~): package first (defines the public API), then skills (does the defskill macro), then communication (defines the protocol), then memory (defines org-object), then context (defines peripheral vision), then each pipeline stage in order (perceive, reason, act), then doctor (diagnostics), then loop (orchestration).
+
+#+begin_src lisp
+(defsystem :passepartout
+  :name "Passepartout"
+  :author "Amr Gharbeia"
+  :version "0.4.3"
+  :license "AGPLv3"
+  :description "The Probabilistic-Deterministic Lisp Machine"
+  :depends-on (:usocket :bordeaux-threads :dexador :uiop :cl-dotenv :cl-ppcre :hunchentoot :ironclad :str :cl-json :uuid)
+  :serial t
+  :components ((:file "lisp/core-package")
+               (:file "lisp/core-skills")
+               (:file "lisp/core-transport")
+               (:file "lisp/core-memory")
+               (:file "lisp/core-perceive")
+               (:file "lisp/core-reason")
+               (:file "lisp/core-act")
+               (:file "lisp/core-pipeline")))
+#+end_src
+
+** Test System
+
+Tests are embedded directly in each module's source file — see the `* Test Suite` section at the end of each `.org` file. No separate test system is needed.
+
+** TUI System
+
+The TUI is a standalone system that depends on cl-tty (pure CL terminal UI) in addition to the core system. It's loaded separately because it requires a terminal and is not needed for daemon-mode operation.
+
+#+begin_src lisp
+(defsystem :passepartout/tui
+  :depends-on (:passepartout :cl-tty :usocket :bordeaux-threads)
+  :serial t
+  :components ((:file "lisp/channel-tui-state")
+               (:file "lisp/channel-tui-view")
+               (:file "lisp/channel-tui-main")))
+#+end_src

org/core-memory.org

@@ -0,0 +1,568 @@
+#+TITLE: The System Memory (memory.lisp)
+#+AUTHOR: Agent
+#+FILETAGS: :harness:memory:
+#+STARTUP: content
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/core-memory.lisp
+
+* Overview: Architectural Intent
+
+The Memory module is the cognitive bedrock of Passepartout. It is not a database; it is the agent's live, active brain state. Every perception, every action, every decision is recorded here.
+
+Traditional architectures rely on external databases (SQLite, vector DBs, JSON files) which introduce I/O latency, structural impedance, and serialization overhead. Passepartout chooses a different path: the **Single Address Space**. By treating the entire knowledge base as a graph of Lisp pointers in RAM, we achieve microsecond recollection and total structural transparency.
+
+The memory system has three layers:
+1. **Active memory** (~*memory-store*~) — a hash table mapping IDs to ~memory-object~ instances. This is what the agent queries during reasoning.
+2. **Immutable history** (~*memory-history*~) — an append-only hash table keyed by SHA-256 Merkle hash. Every version of every object that has ever existed is preserved here.
+3. **Snapshot stack** (~*memory-snapshots*~) — point-in-time copies of active memory for rollback recovery. Up to 20 snapshots are retained.
+
+** Why Merkle Hashes?
+
+Every ~memory-object~ carries a ~hash~ field computed from its ID, type, attributes, content, and children. This hash is deterministic: the same data always produces the same hash.
+
+The hash serves three purposes:
+1. **Integrity verification** — detect corruption or tampering
+2. **Deduplication** — if an object already exists in history, we reuse the existing entry
+3. **Change detection** — compare hashes to find what changed between snapshots
+
+** Why Snapshots Instead of Git?
+
+Git tracks changes to files. Passepartout tracks changes to live memory state. The snapshot system captures the entire active memory at a point in time, enabling full rollback to any previous state. This is necessary because:
+
+1. The agent modifies memory continuously (learning, noting, deciding) — there's no discrete "commit" boundary
+2. Memory corruption from a bad LLM output can affect multiple objects — snapshot rollback restores all of them atomically
+3. Git can't snapshot the running Lisp image's hash tables
+
+The tradeoff is memory usage: each snapshot is a deep copy of every object in active memory. 20 snapshots means 20x the active memory size. For a typical knowledge base of 10,000 objects, this is manageable (~100MB for 20 snapshots).
+
+** Contract
+
+1. (ingest-ast ast &key scope): stores AST nodes in ~*memory-store*~.
+   Detaches children, gives each an ID, computes Merkle hash, and
+   populates the ~:vector~ slot via ~embeddings-compute~. Returns the
+   root ID string.
+2. (memory-object-hash object): returns the SHA-256 Merkle hash of the
+   object's content. Hash is deterministic — same content → same hash.
+3. (memory-object-get id): retrieves a stored object by ID, or nil.
+4. (snapshot-memory): deep-copies ~*memory-store*~ to ~*memory-snapshots*~.
+5. (rollback-memory snap-index): restores ~*memory-store*~ from a snapshot.
+
+* Implementation
+
+** Package Context
+#+begin_src lisp
+(in-package :passepartout)
+#+end_src
+
+** The Object Store
+
+~*memory-store*~ holds the agent's current state. ~*memory-history*~ holds every past version, keyed by Merkle hash.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *memory-store* (make-hash-table :test 'equal))
+#+end_src
+** *memory-history*
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *memory-history* (make-hash-table :test 'equal)
+  "Immutable Merkle-Tree versioning store mapping hashes to objects.")
+#+end_src
+#+end_src
+
+** Object Lookup (memory-object-get)
+
+Retrieve a single object by its ID from active memory. Returns nil if the ID doesn't exist.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun memory-object-get (id)
+  "Retrieves an memory-object by ID from *memory-store*."
+  (gethash id *memory-store*))
+#+end_src
+
+** Object Search by Attribute (memory-objects-by-attribute)
+
+Scan the entire active memory for objects whose attributes plist contains a specific key-value pair. For example, finding all objects with ~:TODO "APPROVED"~ (used by the Dispatcher to find approved flight plans).
+
+This is a full scan — O(n) over all objects. For the typical knowledge base size (< 10,000 objects), this is microsecond-fast. For larger datasets, a proper index would be needed.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun memory-objects-by-attribute (attr value)
+  "Returns all memory-objects whose :ATTRIBUTES plist has ATTR = VALUE."
+  (let ((results nil))
+    (maphash (lambda (id obj)
+               (declare (ignore id))
+               (when (equal (getf (memory-object-attributes obj) attr) value)
+                 (push obj results)))
+             *memory-store*)
+    (nreverse results)))
+#+end_src
+
+** ID Generation (memory-id-generate)
+
+Generates a unique identifier string for a new Org node. Uses the universal time encoded in base-36 for compactness and monotonic ordering (later IDs sort after earlier ones).
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun memory-id-generate ()
+  "Generates a UUIDv4 unique ID. Compatible with Agora Note UUIDs."
+  (concatenate 'string "id-" (string-downcase (format nil "~a" (uuid:make-v4-uuid)))))
+#+end_src
+
+** The Data Structure (memory-object)
+
+The universal data unit. Every stored entity — a note, a task, a project, a person, a decision — is an ~memory-object~. The struct has:
+
+- ~id~ — unique identifier (string)
+- ~type~ — keyword (e.g., ~:HEADLINE~, ~:PROPERTY_DRAWER~)
+- ~attributes~ — property list (e.g., ~(:TITLE "My Note" :TAGS ("project") :TODO "NEXT")~)
+- ~content~ — raw text content
+- ~vector~ — optional embedding vector for semantic search
+- ~parent-id~ — ID of the parent object (for tree structure)
+- ~children~ — list of child IDs
+- ~version~ — Unix timestamp of last modification
+- ~last-sync~ — Unix timestamp of last sync to disk
+- ~hash~ — SHA-256 Merkle hash for integrity verification
+- ~scope~ — scope keyword (:memex/:session/:project) for context-aware retrieval
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defstruct memory-object
+  id type attributes content vector parent-id children version last-sync hash scope)
+#+end_src
+
+** Serialization Support
+
+Required by the Lisp runtime for saving/loading objects across image restarts via ~make-load-form-saving-slots~.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defmethod make-load-form ((obj memory-object) &optional env)
+  (make-load-form-saving-slots obj :environment env))
+#+end_src
+
+** Deep Copy
+
+Creates an independent copy of an ~memory-object~, including fresh lists for attributes and children. Used by the snapshot system to capture a consistent memory state.
+
+Without deep copy, a snapshot would share structure with the live memory — mutating the live memory would also mutate the snapshot, defeating the purpose of having a recovery point.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun deep-copy-memory-object (obj)
+  "Creates a full copy of an memory-object, including fresh lists for attributes and children."
+  (make-memory-object :id (memory-object-id obj)
+                  :type (memory-object-type obj)
+                  :attributes (copy-list (memory-object-attributes obj))
+                  :content (memory-object-content obj)
+                  :vector (memory-object-vector obj)
+                  :parent-id (memory-object-parent-id obj)
+                  :children (copy-list (memory-object-children obj))
+                  :version (memory-object-version obj)
+                  :last-sync (memory-object-last-sync obj)
+                  :hash (memory-object-hash obj)
+                  :scope (memory-object-scope obj)))
+#+end_src
+
+** Merkle Tree Integrity (memory-merkle-hash)
+
+Computes a deterministic SHA-256 hash from an object's identity and contents. The hash covers:
+- The object's ID and type
+- All attributes (sorted by key name for determinism)
+- The raw content text
+- The hashes of all children (making the hash a true Merkle tree — changing a descendant changes this hash)
+
+This is NOT a cryptographic signature — it's an integrity check. If any part of an object or its descendants changes, the hash changes.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun memory-merkle-hash (id type attributes content child-hashes)
+  (let* ((alist (loop for (k v) on attributes by #'cddr collect (cons k v)))
+         (sorted-alist (sort alist #'string< :key (lambda (x) (format nil "~a" (car x)))))
+         (attr-string (format nil "~s" sorted-alist))
+         (children-string (format nil "~{~a~}" child-hashes))
+         (data-string (format nil "ID:~a|TYPE:~s|ATTRS:~a|CONTENT:~a|CHILDREN:~a"
+                               id type attr-string (or content "") children-string))
+         (digester (ironclad:make-digest :sha256)))
+    (ironclad:update-digest digester (ironclad:ascii-string-to-byte-array data-string))
+    (ironclad:byte-array-to-hex-string (ironclad:produce-digest digester))))
+#+end_src
+
+** AST Ingestion (memory-ingest)
+
+The primary entry point for adding data to memory. Given an Org-mode AST (a tree of plists representing headlines and their contents), it recursively:
+
+1. Generates or assigns an ID to each node
+2. Computes the Merkle hash of each node
+3. Checks if the hash already exists in ~*memory-history*~ (deduplication)
+4. Stores the node in ~*memory-store*~ and ~*memory-history*~
+5. Links children to parents
+
+Returns the ID of the root node.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun ingest-ast (ast &key parent-id (scope :memex))
+  (let* ((type (getf ast :type))
+         (props (getf ast :properties))
+         (id (or (getf props :ID) (format nil "temp-~a" (get-universal-time))))
+         (contents (getf ast :contents))
+         (raw-content (when (eq type :HEADLINE)
+                        (format nil "~a~%~a" (getf props :TITLE) (or (getf ast :raw-content) ""))))
+         (child-ids nil) (child-hashes nil))
+    (dolist (child contents)
+      (when (listp child)
+        (let ((child-id (ingest-ast child :parent-id id :scope scope)))
+          (push child-id child-ids)
+          (let ((child-obj (gethash child-id *memory-store*)))
+            (when child-obj (push (memory-object-hash child-obj) child-hashes))))))
+    (setf child-ids (nreverse child-ids))
+    (setf child-hashes (nreverse child-hashes))
+    (let* ((hash (memory-merkle-hash id type props raw-content child-hashes))
+           (existing-obj (gethash hash *memory-history*))
+           (obj (or existing-obj
+                    (make-memory-object 
+                     :id id :type type :attributes props :content raw-content
+                     :parent-id parent-id :children child-ids
+                     :version (get-universal-time) :last-sync (get-universal-time)
+                     :hash hash :scope scope))))
+      (unless existing-obj (setf (gethash hash *memory-history*) obj))
+      (setf (gethash id *memory-store*) obj)
+      ;; Populate embedding vector for new objects
+      (when (and raw-content (not existing-obj) (not (memory-object-vector obj)))
+        (handler-case
+            (setf (memory-object-vector obj)
+                  (embeddings-compute raw-content))
+          (error (c)
+            (log-message "INGEST: Embedding deferred: ~a" c))))
+      id)))
+#+end_src
+
+** Snapshot History (~*memory-snapshots*~)
+
+A stack of CoW (copy-on-write) snapshots for rollback. When a critical error occurs, the system can roll back to any of the last 20 snapshots. Newer snapshots are prepended (index 0 = most recent).
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *memory-snapshots* nil)
+#+end_src
+
+** Hash Table Copy Utility
+
+Creates a fully independent copy of a hash table. Used by the rollback system to restore saved memory state from a snapshot.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun memory-hash-table-copy (hash-table)
+  "Creates an independent copy of a hash table."
+  (let ((new-table (make-hash-table :test (hash-table-test hash-table) 
+                                     :size (hash-table-size hash-table))))
+    (maphash (lambda (k v) (setf (gethash k new-table) v)) hash-table)
+    new-table))
+#+end_src
+
+** Memory Snapshot (memory-snapshot)
+
+Captures a point-in-time copy of ~*memory-store*~. Each object is deep-copied so the snapshot is independent of ongoing mutations. The snapshot is prepended to the snapshot stack, and the stack is trimmed to 20 entries.
+
+Called automatically before significant memory mutations (buffer updates from Emacs, AST ingestion). Also callable manually.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun snapshot-memory ()
+  "Creates a CoW snapshot of *memory-store* for rollback recovery."
+  (let ((snapshot (make-hash-table :test 'equal :size (hash-table-size *memory-store*))))
+    (maphash (lambda (k v) (setf (gethash k snapshot) (deep-copy-memory-object v))) *memory-store*)
+    (push (list :timestamp (get-universal-time) :data snapshot) *memory-snapshots*)
+    (when (> (length *memory-snapshots*) 20)
+      (setf *memory-snapshots* (subseq *memory-snapshots* 0 20)))
+    (log-message "MEMORY - CoW Memory snapshot created.")))
+#+end_src
+
+** Memory Rollback (memory-rollback)
+
+Restores ~*memory-store*~ to a previous snapshot. By default restores the most recent snapshot (index 0). Can specify a specific index to roll back further.
+
+This is the immune system's last resort. When the metabolic loop catches an unhandled error, it calls ~(rollback-memory 0)~ to undo any memory mutations caused by the bad signal.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun rollback-memory (&optional (index 0))
+  "Restores *memory-store* from a snapshot. INDEX 0 = most recent."
+  (let ((snapshot (nth index *memory-snapshots*)))
+    (if snapshot
+        (progn (setf *memory-store* (memory-hash-table-copy (getf snapshot :data)))
+               (log-message "MEMORY - Memory rolled back to snapshot ~a" index))
+        (log-message "MEMORY ERROR - Snapshot ~a not found." index))))
+#+end_src
+
+** Persistence — Snapshot Path (~*memory-snapshot-path*~)
+
+Configurable path for serialized memory state. Falls back to ~memory.snap~ in the home directory. Can be overridden via ~MEMORY_SNAPSHOT_PATH~ env var.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *memory-snapshot-path* nil)
+
+#+end_src
+** memory-snapshot-path-ensure
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun memory-snapshot-path-ensure ()
+  "Returns the path to the memory snapshot file, resolving env or default."
+  (or *memory-snapshot-path*
+      (let ((env-path (uiop:getenv "MEMORY_SNAPSHOT_PATH")))
+        (setf *memory-snapshot-path*
+              (or env-path (namestring (uiop:merge-pathnames* "memory.snap" (user-homedir-pathname))))))))
+#+end_src
+#+end_src
+
+** Save to Disk (memory-save)
+
+Serialises both ~*memory-store*~ and ~*memory-history*~ to a Lisp-readable file. The format is a plist with ~:memory~ and ~:history-store~ keys, each containing an alist of (key . object) pairs.
+
+The serialization uses ~prin1~, which produces human-readable Lisp output. The file can be read with ~read~ on restart.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun save-memory-to-disk ()
+  "Writes the entire memory and history store to disk as a plist."
+  (let ((path (memory-snapshot-path-ensure)))
+    (with-open-file (stream path :direction :output :if-exists :supersede :if-does-not-exist :create)
+      (let ((memory-alist nil) (history-alist nil))
+        (maphash (lambda (k v) (push (cons k v) memory-alist)) *memory-store*)
+        (maphash (lambda (k v) (push (cons k v) history-alist)) *memory-history*)
+        (prin1 (list :memory memory-alist :history-store history-alist) stream)))
+    (log-message "MEMORY - Saved to ~a" path)))
+#+end_src
+
+** Load from Disk (memory-load)
+
+Restores memory state from a previously saved snapshot file. Called during boot (~main~ in ~loop.org~). If no snapshot file exists, the function returns silently and the agent starts with empty memory.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun load-memory-from-disk ()
+  "Reads memory state from disk and restores *memory-store* and *memory-history*."
+  (let ((path (memory-snapshot-path-ensure)))
+    (when (uiop:file-exists-p path)
+      (handler-case
+          (with-open-file (stream path :direction :input)
+            (let ((data (let ((*read-eval* nil)) (read stream nil))))
+              (when data
+                (let ((memory-alist (getf data :memory)) (history-alist (getf data :history-store)))
+                  (setf *memory-store* (make-hash-table :test 'equal :size (length memory-alist)))
+                  (dolist (kv memory-alist) (setf (gethash (car kv) *memory-store*) (cdr kv)))
+                  (setf *memory-history* (make-hash-table :test 'equal :size (length history-alist)))
+                  (dolist (kv history-alist) (setf (gethash (car kv) *memory-history*) (cdr kv)))
+                  (log-message "MEMORY - Loaded from ~a (~a objects)" path (hash-table-size *memory-store*))))))
+          (error (c) (log-message "MEMORY WARNING - Failed to load snapshot: ~a" c)))))
+  t)
+
+;; v0.7.2 — Undo/Redo
+(defvar *undo-stack* nil
+  "Ring buffer of pre-operation memory snapshots. Newest first, max 20.")
+(defvar *redo-stack* nil
+  "Stack of snapshots saved during undo for redo. Max 20.")
+
+(defun undo-snapshot ()
+  "Save current memory state to the undo stack."
+  (let ((snap (list :timestamp (get-universal-time)
+                    :data (memory-hash-table-copy *memory-store*))))
+    (push snap *undo-stack*)
+    (when (> (length *undo-stack*) 20)
+      (setf *undo-stack* (subseq *undo-stack* 0 20)))))
+
+(defun undo (&optional source)
+  "Restore memory to the most recent undo snapshot. Returns T on success, NIL if stack empty."
+  (declare (ignore source))
+  (if *undo-stack*
+      (let ((snap (pop *undo-stack*)))
+        (push (list :timestamp (get-universal-time)
+                    :data (memory-hash-table-copy *memory-store*))
+              *redo-stack*)
+        (when (> (length *redo-stack*) 20)
+          (setf *redo-stack* (subseq *redo-stack* 0 20)))
+        (setf *memory-store* (memory-hash-table-copy (getf snap :data)))
+        (log-message "UNDO: Memory restored to snapshot ~a" (getf snap :timestamp))
+        t)
+      (progn (log-message "UNDO: No snapshots to undo") nil)))
+
+(defun redo (&optional source)
+  "Restore memory to the most recent redo snapshot. Returns T on success, NIL if stack empty."
+  (declare (ignore source))
+  (if *redo-stack*
+      (let ((snap (pop *redo-stack*)))
+        (push (list :timestamp (get-universal-time)
+                    :data (memory-hash-table-copy *memory-store*))
+              *undo-stack*)
+        (when (> (length *undo-stack*) 20)
+          (setf *undo-stack* (subseq *undo-stack* 0 20)))
+        (setf *memory-store* (memory-hash-table-copy (getf snap :data)))
+        (log-message "REDO: Memory restored to snapshot ~a" (getf snap :timestamp))
+        t)
+      (progn (log-message "REDO: No snapshots to redo") nil)))
+#+end_src
+
+** Merkle Audit
+#+begin_src lisp
+(defun audit-node (node-id)
+  "Return audit info for a memory object by ID."
+  (let ((obj (memory-object-get node-id)))
+    (when obj
+      (list :id node-id :type (memory-object-type obj)
+            :version (memory-object-version obj)
+            :hash (or (memory-object-hash obj) "(none)")
+            :scope (memory-object-scope obj)))))
+
+(defun audit-verify-hash ()
+  "Count memory objects and report any with missing/empty hashes.
+Returns (total . missing-hashes)."
+  (let ((total 0) (missing 0))
+    (maphash (lambda (id obj)
+               (declare (ignore id))
+               (when obj
+                 (incf total)
+                 (let ((h (memory-object-hash obj)))
+                   (when (or (null h) (string= h ""))
+                     (incf missing)))))
+             *memory-store*)
+    (cons total missing)))
+#+end_src
+
+* Test Suite
+Verifies that the Merkle hash is deterministic and consistent across independent AST ingestions.
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-memory-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:memory-suite))
+
+(in-package :passepartout-memory-tests)
+
+(def-suite memory-suite :description "Tests for the Merkle-Tree Memory")
+(in-suite memory-suite)
+
+(test merkle-hash-consistency
+  "Contract 2: identical ASTs produce identical Merkle hashes."
+  (let* ((ast1 '(:type :HEADLINE :properties (:ID "test-1" :TITLE "Node 1") :contents nil)))
+    (clrhash passepartout::*memory-store*)
+    (let ((id1 (ingest-ast ast1)))
+      (let ((hash1 (memory-object-hash (memory-object-get id1))))
+        (clrhash passepartout::*memory-store*)
+        (let ((id2 (ingest-ast ast1)))
+          (is (equal hash1 (memory-object-hash (memory-object-get id2)))))))))
+
+(test merkle-hash-different
+  "Contract 2: distinct ASTs produce different Merkle hashes."
+  (clrhash passepartout::*memory-store*)
+  (let* ((ast1 '(:type :HEADLINE :properties (:ID "a" :TITLE "Alpha") :contents nil))
+         (ast2 '(:type :HEADLINE :properties (:ID "b" :TITLE "Beta") :contents nil))
+         (id1 (ingest-ast ast1))
+         (id2 (ingest-ast ast2))
+         (hash1 (memory-object-hash (memory-object-get id1)))
+         (hash2 (memory-object-hash (memory-object-get id2))))
+    (is (not (equal hash1 hash2)))))
+
+(test test-ingest-ast-returns-id
+  "Contract 1: ingest-ast returns a string ID and stores the object."
+  (clrhash passepartout::*memory-store*)
+  (let ((id (ingest-ast '(:type :HEADLINE :properties (:ID "ingest-test" :TITLE "Test Node") :contents nil))))
+    (is (stringp id))
+    (is (not (null id)))))
+
+(test test-memory-object-get
+  "Contract 3: memory-object-get retrieves an object by ID after ingest."
+  (clrhash passepartout::*memory-store*)
+  (let ((id (ingest-ast '(:type :HEADLINE :properties (:ID "get-test" :TITLE "Retrieve Me") :contents nil))))
+    (let ((obj (memory-object-get id)))
+      (is (not (null obj)))
+      (is (eq :HEADLINE (memory-object-type obj)))
+      (is (string= "Retrieve Me" (getf (memory-object-attributes obj) :TITLE))))))
+
+(test test-snapshot-and-rollback
+  "Contract 4+5: snapshot-memory saves state; rollback-memory restores it."
+  (clrhash passepartout::*memory-store*)
+  (setf passepartout::*memory-snapshots* nil)
+  (ingest-ast '(:type :HEADLINE :properties (:ID "snap-a" :TITLE "Pre-snapshot") :contents nil))
+  (snapshot-memory)
+  (clrhash passepartout::*memory-store*)
+  (ingest-ast '(:type :HEADLINE :properties (:ID "snap-b" :TITLE "Post-snapshot") :contents nil))
+  (rollback-memory 0)
+  (is (not (null (memory-object-get "snap-a"))))
+  (is (null (memory-object-get "snap-b"))))
+
+(test test-undo-snapshot-restore
+  "Contract v0.7.2: undo-snapshot captures state, undo restores."
+  (let ((orig-store passepartout::*memory-store*)
+        (orig-undo passepartout::*undo-stack*)
+        (orig-redo passepartout::*redo-stack*))
+    (unwind-protect
+         (progn
+           (setf passepartout::*memory-store* (make-hash-table :test 'equal)
+                 passepartout::*undo-stack* nil
+                 passepartout::*redo-stack* nil)
+           (passepartout::undo-snapshot)
+           (setf (gethash "x" passepartout::*memory-store*) "hello")
+           (is (string= "hello" (gethash "x" passepartout::*memory-store*)))
+           (is (passepartout::undo))
+           (is (null (gethash "x" passepartout::*memory-store*))))
+      (setf passepartout::*memory-store* orig-store
+            passepartout::*undo-stack* orig-undo
+            passepartout::*redo-stack* orig-redo))))
+
+(test test-undo-redo-cycle
+  "Contract v0.7.2: redo restores undone state."
+  (let ((orig-store passepartout::*memory-store*)
+        (orig-undo passepartout::*undo-stack*)
+        (orig-redo passepartout::*redo-stack*))
+    (unwind-protect
+         (progn
+           (setf passepartout::*memory-store* (make-hash-table :test 'equal)
+                 passepartout::*undo-stack* nil
+                 passepartout::*redo-stack* nil)
+           (passepartout::undo-snapshot)
+           (setf (gethash "y" passepartout::*memory-store*) "world")
+           (is (passepartout::undo))
+           (is (null (gethash "y" passepartout::*memory-store*)))
+           (is (passepartout::redo))
+           (is (string= "world" (gethash "y" passepartout::*memory-store*))))
+      (setf passepartout::*memory-store* orig-store
+            passepartout::*undo-stack* orig-undo
+            passepartout::*redo-stack* orig-redo))))
+
+(test test-undo-empty-stack-nil
+  "Contract v0.7.2: undo returns nil on empty stack."
+  (let ((orig-undo passepartout::*undo-stack*))
+    (unwind-protect
+         (progn (setf passepartout::*undo-stack* nil)
+                (is (null (passepartout::undo))))
+      (setf passepartout::*undo-stack* orig-undo))))
+
+(test test-audit-node-found
+  "Contract v0.7.2: audit-node returns info for existing object."
+  (clrhash passepartout::*memory-store*)
+  (setf (gethash "audit-1" passepartout::*memory-store*)
+        (passepartout::make-memory-object :id "audit-1" :type :HEADLINE
+                                         :version 1 :hash "abc123" :scope :memex))
+  (let ((info (passepartout::audit-node "audit-1")))
+    (is (not (null info)))
+    (is (eq :HEADLINE (getf info :type)))
+    (is (string= "abc123" (getf info :hash)))))
+
+(test test-audit-node-not-found
+  "Contract v0.7.2: audit-node returns nil for nonexistent id."
+  (is (null (passepartout::audit-node "nonexistent-xxxx"))))
+
+(test test-audit-verify-hash
+  "Contract v0.7.2: audit-verify-hash returns (total . missing)."
+  (clrhash passepartout::*memory-store*)
+  (setf (gethash "a" passepartout::*memory-store*)
+        (passepartout::make-memory-object :id "a" :type :HEADLINE :hash "abc"))
+  (let ((result (passepartout::audit-verify-hash)))
+    (is (= 1 (car result)))
+    (is (= 0 (cdr result)))))
+#+end_src

org/core-package.org

@@ -0,0 +1,380 @@
+#+TITLE: Core: Package Definition (core-package.org)
+#+AUTHOR: Agent
+#+FILETAGS: :passepartout:core:defpackage:
+#+STARTUP: content
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/core-package.lisp
+
+* Overview: Architectural Intent
+
+~package.lisp~ defines two things: the public API of the ~passepartout~ package (the export list), and the implementation of low-level utility functions and global state that don't belong in a specific pipeline stage or skill.
+
+The export list is the contract between the harness and all skills. Every function exported here is accessible to every skill via ~use-package~. Adding a symbol here is an API commitment; removing one is a breaking change.
+
+The implementation section includes:
+- ~proto-get~ — robust plist accessor used everywhere in the pipeline
+- Logging state (~*log-buffer*~, ~*log-lock*~) — bounded ring buffer for LLM context
+- Skill registry (~*skill-registry*~, ~defskill~) — all loaded skills live here
+- Cognitive tool registry (~*cognitive-tool-registry*~, ~def-cognitive-tool~, ~cognitive-tool-prompt~)
+- Telemetry tracking (~*telemetry-table*~, ~telemetry-track~) — performance metrics per skill
+- Debugger hook — replaces raw SBCL debugger with a friendly error message
+
+* Implementation
+
+** Package Definition and Export List
+The export list is organized by source module so a contributor can find
+where to add new exports:
+
+#+begin_src lisp
+(defpackage :passepartout
+  (:use :cl)
+  (:export
+   ;; ── Core: Transport & Protocol ──
+   #:frame-message
+   #:read-framed-message
+   #:PROTO-GET
+   #:proto-get
+   #:make-hello-message
+   #:validate-communication-protocol-schema
+   #:start-daemon
+   #:register-actuator
+   #:actuator-initialize
+   #:action-dispatch
+
+   ;; ── Core: Pipeline ──
+   #:main
+   #:log-message
+   #:*log-buffer*
+   #:*log-lock*
+   #:process-signal
+   #:loop-process
+   #:perceive-gate
+   #:loop-gate-perceive
+   #:act-gate
+   #:loop-gate-act
+   #:reason-gate
+   #:loop-gate-reason
+   #:cognitive-verify
+   #:backend-cascade-call
+   #:json-alist-to-plist
+   #:stimulus-inject
+   #:register-probabilistic-backend
+   #:*probabilistic-backends*
+   #:*provider-cascade*
+
+   ;; ── Core: Memory ──
+   #:ingest-ast
+   #:memory-object-get
+   #:*memory-store*
+   #:memory-object
+   #:make-memory-object
+   #:memory-object-id
+   #:memory-object-type
+   #:memory-object-attributes
+   #:memory-object-parent-id
+   #:memory-object-children
+   #:memory-object-version
+   #:memory-object-last-sync
+   #:memory-object-vector
+   #:memory-object-content
+   #:memory-object-hash
+   #:memory-object-scope
+   #:memory-objects-by-attribute
+   #:snapshot-memory
+   #:rollback-memory
+   #:undo-snapshot
+   #:undo
+   #:redo
+   #:*undo-stack*
+   #:*redo-stack*
+
+   ;; ── Core: Context & Awareness ──
+   #:context-get-system-logs
+   #:context-assemble-global-awareness
+   #:context-awareness-assemble
+   #:context-query
+   #:push-context
+   #:pop-context
+   #:current-context
+   #:current-scope
+   #:context-stack-depth
+   #:context-save
+   #:context-load
+   #:focus-project
+   #:focus-session
+   #:focus-memex
+   #:unfocus
+   #:*scope-resolver*
+
+   ;; ── Core: Skills Engine ──
+   #:skill
+   #:skill-name
+   #:skill-priority
+   #:skill-dependencies
+   #:skill-trigger-fn
+   #:skill-probabilistic-prompt
+   #:skill-deterministic-fn
+   #:defskill
+   #:*skill-registry*
+   #:skill-initialize-all
+   #:load-skill-from-org
+   #:lisp-syntax-validate
+
+   ;; ── Core: Cognitive Tools ──
+   #:def-cognitive-tool
+   #:*cognitive-tool-registry*
+   #:cognitive-tool
+   #:cognitive-tool-name
+   #:cognitive-tool-description
+   #:cognitive-tool-parameters
+   #:cognitive-tool-guard
+   #:cognitive-tool-body
+   #:tool-read-only-p
+
+   ;; ── Security: Dispatcher ──
+   #:dispatcher-check-secret-path
+   #:dispatcher-check-shell-safety
+   #:dispatcher-check-privacy-tags
+   #:dispatcher-check-network-exfil
+   #:dispatcher-check
+   #:dispatcher-gate
+   #:wildcard-match
+
+   ;; ── Security: HITL ──
+   #:hitl-create
+   #:hitl-approve
+   #:hitl-deny
+   #:hitl-handle-message
+
+   ;; ── Security: Vault & Permissions ──
+   #:*VAULT-MEMORY*
+   #:vault-get
+   #:vault-set
+   #:vault-get-secret
+   #:vault-set-secret
+   #:get-tool-permission
+   #:set-tool-permission
+   #:check-tool-permission-gate
+   #:permission-get
+   #:permission-set
+   #:policy-compliance-check
+   #:validator-protocol-check
+
+   ;; ── Embedding ──
+   #:*embedding-backend*
+   #:*embedding-queue*
+   #:*embedding-provider*
+   #:embed-queue-object
+   #:embed-object
+   #:embed-all-pending
+   #:embedding-backend-hashing
+   #:embedding-backend-native
+   #:embedding-native-load-model
+   #:embedding-native-unload
+   #:embedding-native-ensure-loaded
+   #:embedding-native-get-dim
+   #:embeddings-compute
+   #:mark-vector-stale
+
+   ;; ── Channels ──
+   #:channel-cli-input
+   #:gateway-start
+   #:gateway-registry-initialize
+   #:messaging-link
+   #:messaging-unlink
+   #:gateway-configured-p
+
+   ;; ── Programming: Lisp ──
+   #:lisp-validate
+   #:lisp-structural-check
+   #:lisp-syntactic-check
+   #:lisp-semantic-check
+   #:lisp-eval
+   #:lisp-format
+   #:lisp-list-definitions
+   #:lisp-extract
+   #:lisp-inject
+   #:lisp-slurp
+
+   ;; ── Programming: Org ──
+   #:org-read-file
+   #:org-write-file
+   #:org-headline-add
+   #:org-headline-find-by-id
+   #:org-property-set
+   #:org-todo-set
+   #:org-id-generate
+   #:org-id-format
+   #:org-modify
+
+   ;; ── Programming: Literate & REPL ──
+   #:literate-tangle-sync-check
+   #:literate-extract-lisp-blocks
+   #:literate-block-balance-check
+   #:repl-eval
+   #:repl-inspect
+   #:repl-list-vars
+
+   ;; ── Symbolic ──
+   #:archivist-create-note
+   #:archivist-extract-headlines
+   #:archivist-headline-to-filename
+
+   ;; ── Diagnostics & Config ──
+   #:diagnostics-run-all
+   #:diagnostics-main
+   #:diagnostics-dependencies-check
+   #:diagnostics-env-check
+   #:get-oc-config-dir
+   #:run-setup-wizard
+
+   ;; ── Providers ──
+   #:register-provider
+   #:provider-openai-request
+   #:provider-config
+
+   ;; ── Token Economics ──
+   #:count-tokens
+   #:model-token-ratio
+   #:token-cost
+   #:provider-token-cost
+   #:cost-track-call
+   #:cost-session-total
+   #:cost-session-calls
+   #:cost-by-provider
+   #:cost-session-reset
+   #:cost-format-budget-status
+   #:cost-track-backend-call
+   #:prompt-prefix-cached
+   #:context-assemble-cached
+   #:enforce-token-budget
+   #:token-economics-initialize))
+#+end_src
+
+** Package Implementation
+The package implementation section defines the low-level utilities and global state that are shared across all harness components and skills.
+
+#+begin_src lisp
+(in-package :passepartout)
+#+end_src
+
+*** Logging state
+The harness maintains a bounded ring buffer of log messages for inclusion in LLM context. Access is thread-safe via a lock.
+#+begin_src lisp
+(defvar *log-buffer* nil)
+(defvar *log-lock* (bordeaux-threads:make-lock "log-messages-lock"))
+(defvar *log-limit* 100)
+#+end_src
+
+*** Skill registry
+The global registry of all loaded skills. This is the authoritative list that the deterministic engine iterates.
+#+begin_src lisp
+(defvar *skill-registry* (make-hash-table :test 'equal)
+  "Global registry of all loaded skills.")
+#+end_src
+
+*** Skill telemetry
+Tracks execution metrics per skill (count, duration, failures) for diagnostics and performance analysis.
+#+begin_src lisp
+(defvar *telemetry-table* (make-hash-table :test 'equal))
+(defvar *telemetry-lock* (bordeaux-threads:make-lock "harness-telemetry-lock"))
+
+(defun telemetry-track (skill-name duration status)
+  "Updates performance metrics for a skill. STATUS is :success or :rejected."
+  (when skill-name
+    (bordeaux-threads:with-lock-held (*telemetry-lock*)
+      (let ((entry (or (gethash skill-name *telemetry-table*) (list :executions 0 :total-time 0 :failures 0))))
+        (incf (getf entry :executions))
+        (incf (getf entry :total-time) duration)
+        (when (eq status :rejected) (incf (getf entry :failures)))
+        (setf (gethash skill-name *telemetry-table*) entry)))))
+#+end_src
+
+*** Cognitive tool registry
+Tools that the LLM can invoke are registered here. Each tool has a name, description, parameters, optional guard, and implementation body. The ~def-cognitive-tool~ macro handles registration. ~cognitive-tool-prompt~ serialises the registry into the LLM's system prompt.
+#+begin_src lisp
+(defvar *cognitive-tool-registry* (make-hash-table :test 'equal))
+#+end_src
+
+#+begin_src lisp
+(defstruct cognitive-tool
+  name
+  description
+  parameters
+  guard
+  body
+  read-only-p)
+#+end_src
+
+#+begin_src lisp
+(defmacro def-cognitive-tool (name description parameters &key guard body read-only-p)
+  "Registers a cognitive tool. PARAMETERS is a list of plists, one per parameter."
+  `(setf (gethash (string-downcase (string ',name)) *cognitive-tool-registry*)
+         (make-cognitive-tool :name (string-downcase (string ',name))
+                              :description ,description
+                              :parameters ',parameters
+                              :guard ,guard
+                              :body ,body
+                              :read-only-p ,read-only-p)))
+#+end_src
+
+#+begin_src lisp
+(defun cognitive-tool-prompt ()
+  "Serialises all registered tools into a prompt string for the LLM."
+  (let ((descriptions nil))
+    (maphash (lambda (k tool)
+               (declare (ignore k))
+               (push (format nil "- ~a: ~a~%  Parameters: ~a~%"
+                             (cognitive-tool-name tool)
+                             (cognitive-tool-description tool)
+                             (cognitive-tool-parameters tool))
+                     descriptions))
+              *cognitive-tool-registry*)
+    (if descriptions
+        (format nil "Available tools:~%~a" (apply #'concatenate 'string (sort descriptions #'string<)))
+        "No tools registered.")))
+
+;; Alias: generate-tool-belt-prompt → cognitive-tool-prompt
+(defun generate-tool-belt-prompt ()
+  (cognitive-tool-prompt))
+
+(defun tool-read-only-p (name)
+  "Returns T if the named cognitive tool is read-only, NIL otherwise."
+  (let ((tool (gethash (string-downcase (string name)) *cognitive-tool-registry*)))
+    (when tool
+      (cognitive-tool-read-only-p tool))))
+#+end_src
+
+*** Centralized logging (log-message)
+Thread-safe logging function that writes to both the ring buffer (for LLM context) and stdout (for the user). Bounded by ~*log-limit*~.
+#+begin_src lisp
+(defun log-message (msg &rest args)
+  "Centralized, thread-safe logging for the harness."
+  (let ((formatted-msg (apply #'format nil msg args)))
+    (bordeaux-threads:with-lock-held (*log-lock*)
+      (push formatted-msg *log-buffer*)
+      (when (> (length *log-buffer*) *log-limit*)
+        (setq *log-buffer* (subseq *log-buffer* 0 *log-limit*))))
+    (format t "~a~%" formatted-msg)
+    (finish-output)))
+#+end_src
+
+*** Debugger hook
+Friendly error handler that replaces the raw SBCL debugger with a diagnostic message. This prevents the agent from entering the debugger on unhandled conditions.
+#+begin_src lisp
+(setf *debugger-hook* (lambda (condition hook)
+  "Friendly error handler - shows diagnostic message instead of raw debugger."
+  (declare (ignore hook))
+  (format t "~%")
+  (format t "┌─────────────────────────────────────────────┐~%")
+  (format t "│  ERROR: ~A~%" (type-of condition))
+  (format t "│~%")
+   (format t "│  Run: passepartout diagnostics~%")
+  (format t "│  For system diagnostics~%")
+  (format t "└─────────────────────────────────────────────┘~%")
+  (format t "~%")
+  (format t "Details: ~A~%" condition)
+  (format t "Backtrace:~%")
+  (sb-debug:print-backtrace :count 20 :stream *standard-output*)
+  (finish-output)
+  (uiop:quit 1)))
+#+end_src

org/core-perceive.org

@@ -0,0 +1,289 @@
+#+TITLE: Stage 1: Perceive (perceive.lisp)
+#+AUTHOR: Agent
+#+FILETAGS: :harness:perceive:
+#+STARTUP: content
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/core-perceive.lisp
+
+* Overview: Architectural Intent
+
+The Perceive stage is the sensory cortex of Passepartout. It receives raw stimuli from diverse sources — terminal input, Emacs buffers, Telegram messages, Signal chats, heartbeat clocks, shell command outputs — and normalizes them into a single Signal format that the rest of the pipeline can process.
+
+Each source has its own format and protocol. The CLI sends raw text. Emacs sends AST diffs. Telegram sends JSON. Without normalization, every downstream component (Reason, Act) would need to understand every input format. With normalization:
+
+1. The gateway layer (CLI, Emacs, Telegram, Signal) just sends raw messages
+2. Perceive transforms them into Signals regardless of origin
+3. Reason and Act work with a single, consistent plist format
+4. Adding a new gateway requires gateway code only — no changes to core
+
+This is the "thin harness, fat skills" principle applied to input processing. The harness does the minimal normalization needed to produce a uniform Signal; the actual interpretation is left to skills.
+
+** Why the Async/Sync Split?
+
+Perceive handles two kinds of stimuli:
+- **Synchronous** (user input, chat messages) — these must be processed in order, one at a time, because each depends on the state left by the previous one
+- **Asynchronous** (heartbeats, background sensor readings, delegation results) — these can be processed in parallel because they don't depend on user intent
+
+The `*loop-async-sensors*` list defines which sensor types are processed in dedicated threads. Everything else goes through the main synchronous pipeline.
+
+The depth limit prevents runaway recursive loops. A signal that generates another signal that generates another signal can infinite-loop. If depth exceeds a threshold (10), the signal is silently dropped rather than processed. This is the metabolic loop's circuit breaker.
+
+** Contract
+
+1. (loop-gate-perceive signal): normalizes sensory input. Routes by
+   sensor type (~:buffer-update~, ~:point-update~, ~:interrupt~,
+   ~:approval-required~) and signal type (~:EVENT~, ~:RESPONSE~).
+   Sets ~:status :perceived~ on completion. Returns the signal.
+2. (perceive-gate signal): thin alias for ~loop-gate-perceive~.
+
+* Implementation
+
+** Package Context
+#+begin_src lisp
+(in-package :passepartout)
+#+end_src
+
+** Interrupt Flag
+
+A global interrupt flag that can be set by any signal. When set, the metabolic loop should stop processing and clean up. This is used for graceful shutdown: a SIGINT or /exit command sets the flag, and the loop exits at the next cycle boundary.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *loop-interrupt* nil)
+#+end_src
+
+** Scope Resolver
+
+A hook for the context-manager skill to register its ~current-scope~
+function. When set, the perceive gate passes the current context scope
+to ~ingest-ast~ so ingested objects are tagged and queryable by scope.
+Defaults to ~nil~ meaning all objects are ingested as ~:memex~.
+
+;; REPL-VERIFIED: 2026-05-03T14:00:00
+#+begin_src lisp
+(defvar *scope-resolver* nil
+  "If set, function returning current scope keyword. Used by perceive gate.")
+#+end_src
+
+** Sensor Configuration
+
+~*loop-async-sensors*~ lists the sensor types that should be processed in their own threads. Currently, ~:chat-message~, ~:delegation~, and ~:user-command~ are async because they don't block the main reasoning loop — the agent can process a Telegram message while waiting for the user's next input.
+
+~*loop-focus-id*~ tracks what the user is currently looking at in Emacs. When the user moves their cursor to a different Org headline, the buffer-update signal updates this ID. The Reason stage uses it to build the foveal-peripheral context model: the current headline gets full detail, everything else gets a skeletal outline.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *loop-async-sensors* '(:chat-message :delegation :user-command)
+  "Sensors that are processed in dedicated threads.")
+
+#+end_src
+** *loop-focus-id*
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *loop-focus-id* nil
+  "The Org ID of the node the user is currently interacting with.")
+#+end_src
+
+** Pre-Reason Handler Registry
+
+Skills register handlers for custom sensors here. When a signal arrives
+with a registered sensor, the handler is called in the perceive gate,
+before the signal reaches the LLM. The handler receives the full signal
+and returns T if the signal was consumed (don't continue to reason)
+or nil if processing should proceed normally.
+
+*** Pre-Reason Handler Hash Table
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *pre-reason-handlers* (make-hash-table :test 'eq)
+  "Pre-reason handler registry: sensor keyword → handler function.")
+#+end_src
+
+*** register-pre-reason-handler
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun register-pre-reason-handler (sensor fn)
+  "Registers FN to handle signals with SENSOR in the perceive gate.
+FN receives (signal) and returns T if consumed, nil to continue."
+  (setf (gethash sensor *pre-reason-handlers*) fn))
+#+end_src
+
+** Stimulus Injection (stimulus-inject)
+
+This is the entry point that gateways call to send a message into the cognitive pipeline. It sets metadata (source, session ID, reply stream), decides whether the stimulus should be processed synchronously or on a background thread, and wraps the whole thing in error recovery so that no single bad stimulus can crash the system.
+
+The error recovery uses Common Lisp's restart system. If any error occurs during processing, a `skip-event` restart is available. The handler displays the error, then invokes `skip-event` which drops the stimulus and continues. This is the "fail open" safety model — better to drop one message than to crash the entire agent.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun stimulus-inject (raw-message &key stream (depth 0))
+  "Inject a raw message into the signal processing pipeline."
+  (let* ((payload (getf raw-message :payload))
+         (sensor (getf payload :sensor))
+         (meta (getf raw-message :meta))
+         (async-p (or (getf payload :async-p)
+                     (member sensor *loop-async-sensors*))))
+
+    (unless meta
+      (setf meta (list :SOURCE :SYSTEM :SESSION-ID "internal")))
+
+    (when stream
+      (setf (getf meta :reply-stream) stream))
+
+    (setf (getf raw-message :meta) meta)
+    (setf (getf raw-message :depth) depth)
+
+    (if async-p
+        (bt:make-thread
+         (lambda ()
+           (restart-case (process-signal raw-message)
+             (skip-event () nil)))
+         :name "passepartout-async-task")
+        
+        (restart-case
+            (handler-bind ((error (lambda (c)
+                                    (log-message "SYSTEM ERROR: ~a" c)
+                                    (invoke-restart 'skip-event))))
+              (process-signal raw-message))
+          (skip-event ()
+            (log-message "SYSTEM RECOVERY: Stimulus dropped."))))))
+#+end_src
+
+** Perceive Gate (loop-gate-perceive)
+
+The perceive gate is the first stage of the metabolic pipeline. It receives a normalized signal and routes it based on the event type:
+
+- ~:EVENT~ with ~:buffer-update~ — an Emacs buffer changed (new Org headline created, text edited). The change is ingested into memory so the agent has the latest state.
+- ~:EVENT~ with ~:point-update~ — the user moved their cursor to a different headline. The foveal focus is updated, and the node at the cursor is ingested at higher priority.
+- ~:EVENT~ with ~:interrupt~ — the user requested an interrupt. The interrupt flag is set.
+- ~:RESPONSE~ — an action completed. The gate logs the result status.
+
+All signals get tagged with their processing stage (`:status :perceived`) and the current foveal focus before being passed to the Reason stage.
+
+*** loop-gate-perceive
+
+The main perceive pipeline stage.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun loop-gate-perceive (signal)
+  "Stage 1 of the metabolic pipeline: Normalize sensory input."
+  (let* ((payload (getf signal :payload))
+          (type (getf signal :type))
+          (meta (getf signal :meta))
+          (sensor (getf payload :sensor)))
+    ;; HITL: intercept approval/denial commands before LLM processing
+    (when (and (eq sensor :user-input)
+               (stringp (getf payload :text)))
+      (let ((text (getf payload :text)))
+        (when (ignore-errors (hitl-handle-message text (getf meta :source)))
+          (log-message "GATE [Perceive]: HITL command processed — ~a" text)
+          (return-from loop-gate-perceive signal))))
+    ;; Pre-reason handlers: dispatch custom sensors to registered skill handlers
+    (let ((handler (gethash sensor *pre-reason-handlers*)))
+      (when handler
+        (when (funcall handler signal)
+          (return-from loop-gate-perceive signal))))
+
+    (log-message "GATE [Perceive]: ~a (~a) [Source: ~s]"
+                 type (or sensor "no-sensor") (getf meta :source))
+
+    (cond ((eq type :EVENT)
+            (case sensor
+              (:buffer-update
+               (let ((ast (getf payload :ast)))
+                 (when ast
+                   (snapshot-memory)
+                   (ingest-ast ast :scope (if *scope-resolver* (funcall *scope-resolver*) :memex)))))
+              (:point-update
+               (let ((element (getf payload :element)))
+                 (when element
+                   (snapshot-memory)
+                   (setf *loop-focus-id* (getf element :id))
+                   (ingest-ast element :scope (if *scope-resolver* (funcall *scope-resolver*) :memex)))))
+               (:interrupt
+                (setf *loop-interrupt* t))
+               ;; v0.7.2 undo/redo
+               (:undo
+                (log-message "GATE [Perceive]: undo requested")
+                (undo "perceive"))
+               (:redo
+                (log-message "GATE [Perceive]: redo requested")
+                (redo "perceive"))
+              ;; HITL: re-injected approved action from dispatcher-approvals-process
+              (:approval-required
+               (when (getf payload :approved)
+                 (log-message "GATE [Perceive]: Approved Flight Plan re-injected")
+                  (setf (getf signal :approved) t)
+                 (setf (getf signal :approved-action) (getf payload :action))))
+              ;; Default sensor: pass through without requiring user-input processing
+              (otherwise
+               (log-message "GATE [Perceive]: Unknown sensor ~a, passing through" sensor))))
+          ((eq type :RESPONSE)
+           (log-message "GATE [Perceive]: Act Result -> ~a" (getf payload :status))))
+
+    (setf (getf signal :status) :perceived)
+    (setf (getf signal :foveal-focus) *loop-focus-id*)
+    signal))
+#+end_src
+
+*** perceive-gate (backward-compatibility alias)
+
+The pipeline gate was originally named ~perceive-gate~. Code that still
+uses the old name can call this alias. New code should call
+~loop-gate-perceive~.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun perceive-gate (signal)
+  (loop-gate-perceive signal))
+#+end_src
+
+* Test Suite
+Verifies that the perceive gate correctly ingests AST nodes into memory and that the depth limiter prevents runaway recursive signals.
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-pipeline-perceive-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:pipeline-perceive-suite))
+
+(in-package :passepartout-pipeline-perceive-tests)
+
+(def-suite pipeline-perceive-suite :description "Test suite for Perceive pipeline")
+(in-suite pipeline-perceive-suite)
+
+(test test-loop-gate-perceive
+  "Contract 1: :buffer-update ingests AST and sets :perceived status."
+  (clrhash passepartout::*memory-store*)
+  (let* ((signal (list :type :EVENT :payload (list :sensor :buffer-update :ast (list :type :HEADLINE :properties (list :ID "test-node" :TITLE "Test") :contents nil))))
+         (result (loop-gate-perceive signal)))
+    (is (eq :perceived (getf result :status)))
+    (is (not (null (gethash "test-node" passepartout::*memory-store*))))))
+
+(test test-depth-limiting
+  "Edge: depth 11 signals are rejected by the pipeline."
+  (let ((runaway-signal (list :type :EVENT :depth 11 :payload (list :sensor :heartbeat))))
+    (is (null (process-signal runaway-signal)))))
+
+(test test-loop-gate-perceive-unknown-sensor
+  "Contract 1: unknown sensors pass through and reach :perceived."
+  (let* ((signal (list :type :EVENT :depth 0 :payload (list :sensor :custom-metric)))
+         (result (loop-gate-perceive signal)))
+    (is (eq :perceived (getf result :status)))))
+
+(test test-loop-gate-perceive-no-ast
+  "Contract 1: :buffer-update without AST doesn't crash, reaches :perceived."
+  (clrhash passepartout::*memory-store*)
+  (let* ((signal (list :type :EVENT :depth 0 :payload (list :sensor :buffer-update)))
+         (result (loop-gate-perceive signal)))
+    (is (eq :perceived (getf result :status)))))
+
+(test test-depth-limiting-normal
+  "Contract 1: signals at normal depth pass through without rejection."
+  (let ((normal-signal (list :type :EVENT :depth 5 :payload (list :sensor :heartbeat))))
+    (is (not (eq :rejected (getf normal-signal :status)))
+        "Signal at normal depth should not be rejected")))
+#+end_src

org/core-pipeline.org

@@ -0,0 +1,436 @@
+#+TITLE: The Metabolic Loop (loop.lisp)
+#+AUTHOR: Agent
+#+FILETAGS: :harness:loop:
+#+STARTUP: content
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/core-pipeline.lisp
+
+* Overview: Architectural Intent
+
+The Metabolic Loop is the cranial nerve reflex of Passepartout. While skills provide specialized intelligence, the loop provides the fundamental rhythm of existence: the continuous processing of signals from perception through cognition to action.
+
+Every signal flows through three stages:
+1. **Perceive** — normalize raw input into a standard Signal format
+2. **Reason** — think (LLM) then verify (deterministic gates)
+3. **Act** — dispatch the approved action to the appropriate actuator
+
+If a stage produces a new signal (e.g., the Act stage produces a tool-output event), that signal feeds back into Perceive and the loop continues. This is how the agent has multi-step conversations: each LLM response produces an action, which produces a tool output, which feeds back as a new perception, which triggers the next reasoning cycle.
+
+** Why Separate Stages?
+
+A single function that called the LLM, checked safety, and executed the result would be simpler to write. But it would be impossible to:
+- Test each stage independently (a bug in the LLM call would block safety testing)
+- Insert new stages between P and R or R and A (adding consensus means adding a gate in the middle)
+- Recover from failures mid-pipeline (an LLM timeout shouldn't prevent safety checks on the next cycle)
+
+The stage separation is the functional equivalent of the "thin harness" principle: each stage is a pure function that transforms a signal. The loop is the composition of these functions.
+
+** Why the Depth Limit?
+
+A signal that generates another signal that generates another signal can infinite-loop. The depth limit (max 10) prevents this. If depth exceeds 10, the signal is silently dropped. This is the metabolic loop's circuit breaker.
+
+The three-tier error recovery model, now backed by a condition hierarchy
+that skills can hook into via ~handler-bind~:
+
+1. **Transient errors** (tool failures, network timeouts) — recoverable, generate a :loop-error signal at higher depth for retry. Use the ~skip-signal~ or ~use-fallback~ restart.
+2. **Critical errors** (undefined functions, malformed data) — require memory rollback to the last snapshot.
+3. **Recursive loops** (signals generating more signals indefinitely) — depth limit enforcement.
+
+Condition types available for structured error handling:
+- ~pipeline-error~ — any Perceive→Reason→Act failure
+- ~llm-error~ — provider timeout, cascade exhaustion, API error (slots: provider, cascade, attempt-count)
+- ~gate-error~ — dispatcher blocked a proposed action (slots: gate-name, rejected-action)
+- ~budget-error~ — session cap exceeded (slots: remaining, requested)
+- ~protocol-error~ — malformed message or framing failure
+
+** Contract
+
+1. (loop-process signal): the full pipeline loop — Perceive → Reason
+   → Act. Enforces depth limit (10). Catches errors with rollback and
+   ~:loop-error~ re-injection on non-terminal errors below depth 2.
+   Establishes restart options: ~skip-signal~ (drop the event),
+   ~use-fallback text~ (inject canned response), ~abort-pipeline~
+   (clean exit). Skills can invoke these restarts from ~handler-bind~
+   clauses on the condition hierarchy.
+2. (process-signal signal): thin alias for ~loop-process~.
+3. (diagnostics-startup-run): runs health check on startup, sets
+   ~*system-health*~ to ~:healthy~, ~:degraded~, or ~:unhealthy~.
+4. *passepartout-error* condition hierarchy: ~pipeline-error~,
+   ~llm-error~ (provider, cascade, attempt-count slots), ~gate-error~
+   (gate-name, rejected-action slots), ~budget-error~ (remaining,
+   requested slots), ~protocol-error~ (raw-message slot). All carry a
+   ~:message~ string via the root ~passepartout-error~.
+
+* Implementation
+
+** Package Context
+#+begin_src lisp
+(in-package :passepartout)
+#+end_src
+
+** Error Condition Hierarchy
+
+The pipeline defines a condition hierarchy so callers can distinguish
+failure modes without inspecting raw error strings. Every pipeline
+condition carries structured slots for telemetry and restart selection.
+
+Skills install ~handler-bind~ for specific conditions (e.g., a provider
+health monitor that records ~llm-error~ failures per backend). The
+restarts registered in ~loop-process~ enable structured recovery:
+skip the signal, retry with a modified prompt, inject a fallback
+response, or abort the cycle.
+
+#+begin_src lisp
+(define-condition passepartout-error (error)
+  ((message :initarg :message :reader error-message))
+  (:report (lambda (c s) (format s "Passepartout error: ~a" (error-message c))))
+  (:documentation "Root of the pipeline error hierarchy."))
+
+(define-condition pipeline-error (passepartout-error)
+  ((signal :initarg :signal :reader pipeline-error-signal :initform nil))
+  (:report (lambda (c s) (format s "Pipeline error: ~a" (error-message c))))
+  (:documentation "Any error during the Perceive→Reason→Act cycle."))
+
+(define-condition llm-error (pipeline-error)
+  ((provider :initarg :provider :reader llm-error-provider)
+   (cascade :initarg :cascade :reader llm-error-cascade :initform nil)
+   (attempt-count :initarg :attempt-count :reader llm-error-attempt-count :initform 0))
+  (:report (lambda (c s) (format s "LLM error (~a): ~a" (llm-error-provider c) (error-message c))))
+  (:documentation "LLM provider failure: timeout, cascade exhaustion, or API error."))
+
+(define-condition gate-error (pipeline-error)
+  ((gate-name :initarg :gate-name :reader gate-error-gate-name)
+   (rejected-action :initarg :rejected-action :reader gate-error-rejected-action))
+  (:report (lambda (c s) (format s "Gate ~a blocked action: ~a" (gate-error-gate-name c) (error-message c))))
+  (:documentation "Deterministic gate blocked a proposed action."))
+
+(define-condition budget-error (pipeline-error)
+  ((remaining :initarg :remaining :reader budget-error-remaining :initform 0.0)
+   (requested :initarg :requested :reader budget-error-requested :initform 0.0))
+  (:report (lambda (c s) (format s "Budget exhausted: $~,4f remaining, $~,4f requested" (budget-error-remaining c) (budget-error-requested c))))
+  (:documentation "Session budget cap has been reached."))
+
+(define-condition protocol-error (passepartout-error)
+  ((raw-message :initarg :raw-message :reader protocol-error-raw-message :initform nil))
+  (:report (lambda (c s) (format s "Protocol error: ~a" (error-message c))))
+  (:documentation "Malformed message, framing failure, or schema violation."))
+#+end_src
+
+** Global Interrupt State
+
+Thread-safe interrupt flag. The ~*loop-interrupt-lock*~ mutex protects access so that the signal handler and the main loop don't race on shutdown.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *interrupt-flag* nil
+  "Atomic flag set by signal handlers to trigger graceful shutdown.")
+
+#+end_src
+** *loop-interrupt-lock*
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *loop-interrupt-lock* (bt:make-lock "harness-interrupt-lock")
+  "Mutex protecting *interrupt-flag* access.")
+
+#+end_src
+** *heartbeat-thread*
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *heartbeat-thread* nil
+  "Handle to the heartbeat thread.")
+#+end_src
+#+end_src
+
+** Core Engine (loop-process)
+
+The entry point to the metabolic pipeline. Each cycle runs Perceive → Reason → Act. If Act produces feedback (a new signal), the loop continues with that signal at the same depth.
+
+The function handles four failure modes:
+- **Depth exceeded**: signal dropped, nil returned
+- **Interrupt flag**: graceful shutdown, nil returned
+- **Handler error**: caught by handler-case, logged, and depending on the sensor type and depth:
+  - Normal errors at low depth → memory rollback + retry as :loop-error
+  - :loop-error and :tool-error at any depth → dropped (avoids infinite retry loops)
+  - High-depth errors (depth > 2) → dropped (avoids cascading failures)
+- **Unhandled error**: the handler-case catches everything, preventing any single bad signal from crashing the agent
+
+*** loop-process
+
+The main pipeline entry point.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun loop-process (signal)
+  "The entry point to the Metabolic Pipeline: Perceive -> Reason -> Act."
+  (let ((current-signal signal))
+    (loop while current-signal do
+      (let ((depth (getf current-signal :depth 0))
+            (meta (getf current-signal :meta)))
+        (when (> depth 10)
+          (log-message "METABOLISM ERROR: Max recursion depth reached.")
+          (return nil))
+
+        (when (bt:with-lock-held (*loop-interrupt-lock*) *interrupt-flag*)
+          (log-message "METABOLISM: Interrupted by shutdown signal.")
+          (return nil))
+
+        (restart-case
+            (handler-bind
+                ((pipeline-error (lambda (c)
+                                   (log-message "PIPELINE ERROR: ~a" (error-message c)))))
+              (handler-case
+                  (progn
+                    (setf current-signal (perceive-gate current-signal))
+                    (setf current-signal (reason-gate current-signal))
+                    (let ((feedback (act-gate current-signal)))
+                      (if feedback
+                          (progn
+                            (unless (getf feedback :meta) (setf (getf feedback :meta) meta))
+                            (setf current-signal feedback))
+                          (setf current-signal nil))))
+                (error (c)
+                  (let ((sensor (ignore-errors (getf (getf current-signal :payload) :sensor))))
+                    (log-message "METABOLISM CRASH [~a]: ~a" (or sensor :unknown) c)
+                    (unless (member sensor '(:loop-error :tool-error :syntax-error))
+                      (log-message "CRITICAL ERROR: Initiating Micro-Rollback.")
+                      (rollback-memory 0))
+                    (if (or (> depth 2) (member sensor '(:loop-error :tool-error)))
+                        (setf current-signal nil)
+                        (setf current-signal
+                              (list :type :EVENT :depth (1+ depth) :meta meta
+                                    :payload (list :sensor :loop-error :message (format nil "~a" c) :depth depth))))))))
+          (skip-signal ()
+            :report "Drop the current signal and continue the loop."
+            (setf current-signal nil))
+          (use-fallback (text)
+            :report "Inject a canned response instead of the LLM result."
+            (setf current-signal
+                  (list :type :EVENT :depth (1+ depth) :meta meta
+                        :payload (list :sensor :loop-error :message text :depth depth))))
+          (abort-pipeline ()
+            :report "Terminate the cognitive cycle cleanly."
+            (return nil)))))))
+#+end_src
+
+*** process-signal (backward-compatibility alias)
+
+The pipeline entry point was originally named ~process-signal~. Code
+that still uses the old name can call this alias. New code should call
+~loop-process~.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun process-signal (signal)
+  (loop-process signal))
+#+end_src
+
+** Heartbeat Mechanism
+
+The heartbeat is a background thread that fires every N seconds (configurable via ~HEARTBEAT_INTERVAL~ env var, default 60). On each tick, it:
+
+1. Increments the save counter and saves memory to disk when the counter exceeds the auto-save interval (default 300s)
+2. Injects a ~:heartbeat~ signal into the pipeline
+
+The heartbeat signal is how background skills (Gardener, Scribe) get triggered without user input. These skills have triggers that match ~:sensor :heartbeat~ and run maintenance tasks during idle cycles.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *memory-auto-save-interval* 300)
+#+end_src
+** *heartbeat-save-counter*
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *heartbeat-save-counter* 0)
+
+#+end_src
+** heartbeat-start
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun heartbeat-start ()
+  "Starts the background heartbeat thread."
+  (let ((interval (or (ignore-errors (parse-integer (uiop:getenv "HEARTBEAT_INTERVAL"))) 60))
+        (auto-save (or (ignore-errors (parse-integer (uiop:getenv "MEMORY_AUTO_SAVE_INTERVAL"))) *memory-auto-save-interval*)))
+    (setf *memory-auto-save-interval* auto-save)
+    (setf *heartbeat-save-counter* 0)
+
+    (setf *heartbeat-thread*
+          (bt:make-thread
+           (lambda ()
+             (loop
+               (sleep interval)
+               (incf *heartbeat-save-counter*)
+               (when (>= *heartbeat-save-counter* (/ *memory-auto-save-interval* interval))
+                 (setf *heartbeat-save-counter* 0)
+                 (save-memory-to-disk))
+               (stimulus-inject
+                  (list :type :EVENT :payload (list :sensor :heartbeat :unix-time (get-universal-time))))))
+           :name "passepartout-heartbeat"))))
+#+end_src
+#+end_src
+
+** Shutdown Save Flag
+
+Controls whether memory is saved on shutdown. Useful for testing when you want a clean state on next boot.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *shutdown-save-enabled* t)
+#+end_src
+
+** System Health Status
+
+Used by the health check protocol and the daemon's status endpoint. Set by ~diagnostics-startup-run~ during boot.
+
+- ~:healthy~ — all checks passed
+- ~:degraded~ — checks found issues but the daemon can still run
+- ~:unhealthy~ — checks failed, the daemon may not function correctly
+- ~:unknown~ — health check hasn't run yet
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *system-health* :unknown
+  "Current system health status: :healthy, :degraded, :unhealthy, or :unknown.")
+
+#+end_src
+** *health-check-ran*
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *health-check-ran* nil
+  "Flag indicating if initial health check has completed.")
+#+end_src
+#+end_src
+
+** Proactive Doctor
+
+Runs the doctor diagnostics automatically at startup. If the doctor finds issues (missing dependencies, misconfigured providers), it prints a diagnostic message but does NOT block the daemon from starting. The user can see the issues and run ~passepartout doctor --fix~ to repair.
+
+This is the "fail open" principle applied to boot: the system should start even with problems, not refuse to start until everything is perfect.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun diagnostics-startup-run ()
+  "Runs the doctor diagnostics on startup. Returns health status."
+  (format t "~%")
+  (format t "==================================================~%")
+  (format t " DOCTOR: Running Startup Health Check~%")
+  (format t "==================================================~%")
+  (handler-case
+      (progn
+         (when (fboundp 'diagnostics-run-all)
+           (let ((result (diagnostics-run-all :auto-install nil)))
+            (setf *health-check-ran* t)
+            (if result
+                (progn
+                  (setf *system-health* :healthy)
+                  (format t "DAEMON: Health check passed. Starting services.~%"))
+                (progn
+                  (setf *system-health* :degraded)
+                  (format t "DAEMON: Health check found issues.~%")
+                   (format t "         Run 'passepartout diagnostics' to repair.~%")))))
+        (setf *health-check-ran* t))
+    (error (c)
+       (format t "DIAGNOSTICS ERROR: ~a~%" c)
+      (setf *system-health* :unhealthy)
+      (setf *health-check-ran* t)))
+  (format t "==================================================~%~%"))
+#+end_src
+
+** Main Entry Point (main)
+
+The top-level entry point. Called by ~passepartout daemon~ and ~passepartout tui~.
+
+Boot sequence:
+1. Load environment variables from ~.config/passepartout/.env~
+2. Load persisted memory state from disk
+3. Register core actuators (:system, :tool, :tui)
+4. Initialize all skills (tangging .lisp or loading from XDG)
+5. Run the proactive health check
+6. Start the heartbeat thread (background maintenance)
+7. Start the TCP daemon (listens for CLI/TUI connections)
+8. Install the SIGINT handler (graceful shutdown on Ctrl+C)
+9. Enter the idle sleep loop (wakes on interrupt)
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun main ()
+  "Entry point for Passepartout. Initializes the system and enters idle loop."
+  (let* ((home (uiop:getenv "HOME"))
+         (env-file (uiop:merge-pathnames* ".config/passepartout/.env" (uiop:ensure-directory-pathname home))))
+    (when (uiop:file-exists-p env-file)
+      (cl-dotenv:load-env env-file)))
+
+  (load-memory-from-disk)
+  (actuator-initialize)
+  (skill-initialize-all)
+  
+  ;; Run proactive diagnostics before starting services
+  (diagnostics-startup-run)
+  
+  (when (fboundp 'events-start-heartbeat)
+    (events-start-heartbeat))
+  (handler-case (start-daemon)
+    (error (c)
+      (log-message "DAEMON: Failed to start — ~a" c)
+      (format *error-output* "~&DAEMON: Failed to start — ~a~%" c)))
+
+  #+sbcl
+  (sb-sys:enable-interrupt sb-unix:sigint
+                            (lambda (sig code scp)
+                              (declare (ignore sig code scp))
+                              (log-message "SHUTDOWN: SIGINT received. Saving memory...")
+                              (when *shutdown-save-enabled* (save-memory-to-disk))
+                              (uiop:quit 0)))
+
+  (let ((sleep-interval (or (ignore-errors (parse-integer (uiop:getenv "DAEMON_SLEEP_INTERVAL"))) 3600)))
+    (loop
+      (when (bt:with-lock-held (*loop-interrupt-lock*) *interrupt-flag*)
+        (log-message "SHUTDOWN: Interrupt flag set. Saving memory...")
+        (when *shutdown-save-enabled* (save-memory-to-disk))
+        (return))
+      (sleep sleep-interval))))
+#+end_src
+
+* Test Suite
+Verifies that the immune system (error handling) correctly catches and reports errors from the cognitive pipeline.
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-immune-system-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:immune-suite))
+
+(in-package :passepartout-immune-system-tests)
+
+(def-suite immune-suite :description "Verification of the Immune System (Core Error Hooks)")
+(in-suite immune-suite)
+
+(test loop-error-injection
+  "Contract 1: a crash in think/decide triggers :loop-error stimulus."
+  (clrhash passepartout::*skill-registry*)
+  (passepartout:defskill :evil-skill
+    :priority 100
+    :trigger (lambda (ctx) (eq (getf (getf ctx :payload) :sensor) :user-input))
+    :probabilistic (lambda (ctx) (declare (ignore ctx)) (error "CRITICAL BRAIN FAILURE"))
+    :deterministic nil)
+  (passepartout:loop-process '(:type :EVENT :payload (:sensor :user-input)))
+  (let ((logs (if (fboundp 'passepartout::context-get-system-logs)
+                  (passepartout:context-get-system-logs 20)
+                  nil)))
+    (is (or (null logs)  ; no log service available — degraded but not broken
+            (not (null (find-if (lambda (line) (search "CRITICAL BRAIN FAILURE" line)) logs)))))))
+
+(test test-process-signal-normal-path
+  "Contract 1: a valid signal passes through the pipeline without crash."
+  (clrhash passepartout::*skill-registry*)
+  (handler-case
+      (let ((signal (list :type :EVENT :depth 0 :payload (list :sensor :heartbeat))))
+        (process-signal signal)
+        (pass))
+    (error (c)
+      (fail "Pipeline crashed on normal signal: ~a" c))))
+
+(test test-loop-process-returns-nil-on-deep
+  "Contract 1: depth > 10 returns nil from loop-process."
+  (let ((result (loop-process '(:type :EVENT :depth 11 :payload (:sensor :heartbeat)))))
+    (is (null result))))
+#+end_src

org/core-reason.org

@@ -0,0 +1,737 @@
+#+TITLE: Stage 2: Reason (reason.lisp)
+#+AUTHOR: Agent
+#+FILETAGS: :harness:reason:
+#+STARTUP: content
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/core-reason.lisp
+
+* Overview: Architectural Intent
+
+The Reason stage is the cognitive heart of Passepartout. It takes a normalized signal from Perceive and produces an approved action for Act. This is where the two engines — probabilistic (LLM) and deterministic (Lisp logic) — collaborate.
+
+The design is shaped by one non-negotiable constraint: **the LLM must never touch the actuators directly.** Every action the LLM proposes must pass through a deterministic verification gate that has the final say. This is what separates Passepartout from every other AI agent: the creative brain suggests, but the logical brain decides.
+
+** The Probabilistic-Deterministic Split
+
+An LLM is a statistical engine. Given enough context, it is remarkably good at translation, generation, and pattern matching. But it cannot be trusted with authority because hallucination is a *fundamental property* of probabilistic inference — the model generates the most likely continuation, not the correct one.
+
+The deterministic engine addresses this by being what the probabilistic engine is not: mathematically rigorous, formally verifiable, and incapable of hallucination by design. It operates on explicit symbolic representations — lists, property lists, knowledge graphs — not on floating-point activations. When it evaluates a path confinement check, it returns true or false, not a probability distribution.
+
+The division of labor is architectural:
+- The LLM handles the fuzzy interface between human language and structured representation
+- The deterministic engine receives those structured representations and evaluates them against formal invariants
+- The LLM never reads a file, never executes a command, never modifies memory — it generates proposals
+
+This separation is the source of Passepartout's safety guarantee. Other agents add "guardrails" as an afterthought — a layer of filtering around a dangerous core. Passepartout makes the division explicit.
+
+** Why Plists for Communication?
+
+Every message in the Reason pipeline is a property list (plist):
+
+  (TYPE :REQUEST TARGET :CLI PAYLOAD (ACTION :MESSAGE TEXT "Hello"))
+
+A plist is simultaneously:
+- Human-readable text
+- Machine-parseable data structure
+- Executable Lisp code
+
+This is not a cosmetic choice. It means the reasoning pipeline can generate, modify, and execute its own communication protocol without external parsing libraries. There is no JSON encoder, no schema validator, no serialization layer between the two engines. They speak the same language because they *are* the same language.
+
+** Contract
+
+1. (cognitive-verify proposed-action context): runs all registered
+   deterministic gates sorted by priority. Returns a rejection plist
+   (~:LOG~ or ~:EVENT~) if any gate blocks the action, an
+   ~:approval-required~ event if a gate requires HITL, or the action
+   (potentially modified) if it passes.
+2. (loop-gate-reason signal): the full reason pipeline — only processes
+   ~:user-input~ and ~:chat-message~ sensors. Runs ~think~ to generate
+   a candidate, then ~cognitive-verify~ to gate it. Retries up to 3
+   times on rejection. Sets ~:status :reasoned~ on completion.
+3. (reason-gate signal): thin alias for ~loop-gate-reason~.
+4. (backend-cascade-call prompt): iterates ~*provider-cascade*~ calling
+   each backend's handler until one succeeds. Returns the LLM content
+   string, or a ~:LOG~ failure if all backends are exhausted.
+5. (json-alist-to-plist alist): converts a JSON alist (from
+   ~cl-json:decode-json-from-string~) to a keyword-prefixed plist.
+   String keys → upcased keywords. Nested alists recurse into plists.
+   JSON arrays (lists whose first element is not a cons) pass through.
+   Scalars and nil pass through.
+6. (think-assemble-prompt context): returns three values —
+   ~system-prompt~ (the full prompt string), ~raw-prompt~ (user text or
+   skill-generated), and ~reply-stream~ (for streaming responses).
+   Handles all conditional assembly paths: TIME section, CONFIG section,
+   IDENTITY (assistant name + identity file + standing mandates +
+   reflection feedback), TOOLS, CONTEXT, LOGS. Gracefully degrades when
+   awareness or token-economics skills are not loaded.
+7. (think-call-llm raw-prompt system-prompt reply-stream context): calls
+   the LLM. Checks session budget exhaustion before dispatching
+   (v0.5.0 deferred, ~fboundp~-guarded). Uses streaming
+   (~cascade-stream~) when reply-stream is non-nil and the streaming
+   module is loaded; falls back to ~backend-cascade-call~ otherwise.
+   Returns the raw thought (string or plist with ~:tool-calls~) or
+   a budget-exhaustion message.
+8. (think-parse-response thought): parses the LLM response into an action
+   plist. Handles three paths: structured ~:tool-calls~ (convert JSON args
+   to plist via ~json-alist-to-plist~), raw S-expression text (parse with
+   ~*read-eval* nil~, normalize keywords), and plain text (wrap as
+   ~:MESSAGE~ action). Tracks cost via ~cost-track-backend-call~ when
+   available. Guarantees a valid plist for any input.
+
+* Implementation
+
+** Package Context
+#+begin_src lisp
+(in-package :passepartout)
+#+end_src
+
+** Probabilistic Backend Registry
+
+~*probabilistic-backends*~ is a hash table mapping provider keywords to
+their handler functions. Populated by ~register-probabilistic-backend~.
+Skills like system-model-provider register into this table at boot time.
+
+;; REPL-VERIFIED: 2026-05-03T14:00:00
+#+begin_src lisp
+(defvar *probabilistic-backends* (make-hash-table :test 'equal)
+  "Maps provider keyword → handler function (prompt system-prompt &key model).")
+
+(defun register-probabilistic-backend (name fn)
+  "Register FN as the handler for provider NAME."
+  (setf (gethash name *probabilistic-backends*) fn))
+#+end_src
+
+The probabilistic engine maintains three pieces of global state that control how LLM requests are dispatched:
+
+~*provider-cascade*~ is the ordered list of providers to try — if the first one fails, the cascade falls through to the next. ~*model-selector*~ is an optional function that examines the context and picks a model per request (useful for routing simple questions to a small fast model and complex reasoning to a large expensive one). ~*consensus-enabled*~ toggles multi-provider agreement, where multiple LLMs run the same prompt and the system waits for consensus.
+
+Providers register into ~*probabilistic-backends*~ (declared above) via ~register-probabilistic-backend~. The cascade can be changed without restart: (setf *provider-cascade* (quote (:ollama :openrouter))).
+
+** Provider Cascade
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *provider-cascade* nil)
+#+end_src
+
+** Model Selector
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *model-selector* nil)
+#+end_src
+
+** Consensus Toggle
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *consensus-enabled* nil)
+#+end_src
+
+** Cascade Dispatch (backend-cascade-call)
+
+Given a prompt, this function iterates through the provider cascade and calls each backend in order until one succeeds. A provider "succeeds" when it returns ~:status :success~ with content, or when it returns a plain string (the LLM's raw output).
+
+The function has a fallback for every failure mode:
+- If a backend returns ~:status :error~, the cascade moves to the next provider
+- If a backend throws an exception, it is caught and logged, and the cascade moves on
+- If ALL backends are exhausted, a structured LOG message is returned saying "Neural Cascade Failure"
+
+This is deliberately resilient. The system should never crash because an LLM provider is down. It should log the failure, try the next provider, and if all fail, return a diagnostic message that the deterministic engine can present to the user.
+
+;; REPL-VERIFIED: 2026-05-03T14:00:00
+#+begin_src lisp
+(defun backend-cascade-call (prompt &key
+                                (system-prompt "You are the Probabilistic engine.")
+                                (cascade nil)
+                                (context nil)
+                                tools)
+  (let ((backends (or cascade *provider-cascade*))
+        (result nil))
+    (dolist (backend backends (or result
+                                   (list :type :LOG
+                                         :payload (list :text "Neural Cascade Failure: All providers exhausted."))))
+      (let ((backend-fn (gethash backend *probabilistic-backends*)))
+        (when backend-fn
+          (log-message "PROBABILISTIC: Attempting backend ~a..." backend)
+          (let* ((model (and *model-selector*
+                             (funcall *model-selector* backend context)))
+                 (skip (eq model :skip))
+                 (r (unless skip
+                      (apply backend-fn
+                             (append (list prompt system-prompt :model model)
+                                     (when tools (list :tools tools)))))))
+            (when skip
+              (log-message "PROBABILISTIC: Skipping ~a (filtered)" backend))
+            (cond ((and (listp r) (eq (getf r :status) :success))
+                   (let ((tool-calls (getf r :tool-calls)))
+                     (if tool-calls
+                         (return (list :status :success :tool-calls tool-calls))
+                         (progn
+                           (setf result (getf r :content))
+                           (return result)))))
+                  ((stringp r)
+                   (setf result r)
+                   (return result))
+                   (t
+                    (log-message "PROBABILISTIC: Backend ~a failed: ~a"
+                                backend (getf r :message))))))))))
+#+end_src
+
+** Markdown Strip
+
+The LLM might wrap its output in Markdown code fences (~```~). This function strips them before parsing. It also strips trailing/leading whitespace.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun markdown-strip (text)
+  (if (and text (stringp text))
+      (let ((cleaned text))
+        (setf cleaned (cl-ppcre:regex-replace-all "^```[a-z]*\\n" cleaned ""))
+        (setf cleaned (cl-ppcre:regex-replace-all "\\n```$" cleaned ""))
+        (setf cleaned (cl-ppcre:regex-replace-all "```" cleaned ""))
+        (string-trim '(#\Space #\Newline #\Tab) cleaned))
+      text))
+#+end_src
+
+** Normalize plist keywords
+
+Lisp keywords are case-sensitive. The LLM might produce ~:payload~ or ~:PAYLOAD~ or ~:Payload~ depending on the model. This function normalizes all keyword keys to uppercase to ensure the deterministic engine receives consistent input.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun plist-keywords-normalize (plist)
+  (when (listp plist)
+    (loop for (k v) on plist by #'cddr
+          collect (if (and (symbolp k) (not (keywordp k)))
+                       (intern (string k) :keyword)
+                       k)
+          collect v)))
+#+end_src
+
+** Think: assemble context and call the LLM
+
+This is the main entry point for the probabilistic engine. Every cognitive cycle goes through here.
+
+The function handles several cases:
+- If a triggered skill provides a probabilistic prompt generator, that replaces the raw user input
+- If the previous proposal was rejected, the rejection trace is injected into the LLM's context so it can self-correct
+- Standing mandates from ~*standing-mandates*~ are injected into the IDENTITY section of the system prompt
+
+The system prompt assembly order — identity (including mandates), tools, context, logs — is intentional: standing mandates appear early in IDENTITY so they set the behavioral frame before the model processes tools, context, and logs.
+
+Token economics (v0.5.0): when ~token-economics~ is loaded, ~think()~ uses
+~context-assemble-cached~ (skips context assembly on heartbeat/delegation),
+~prompt-prefix-cached~ (avoids retransmitting IDENTITY+TOOLS), and
+~enforce-token-budget~ (trims over-budget prompts). Cost is tracked after
+each cascade call via ~cost-track-backend-call~. All four calls are
+~fboundp~-guarded — when the module is not loaded, behavior is unchanged.
+
+~think()~ is the orchestrator that composes three sub-functions:
+
+1. *think-assemble-prompt* — builds the full system prompt from context,
+   awareness, logs, identity, standing mandates, and tool belt.
+2. *think-call-llm* — dispatches to the LLM (streaming or batch cascade).
+3. *think-parse-response* — converts the LLM's output to an action plist,
+   handling structured tool-calls, raw S-expressions, and plain text.
+
+The orchestrator snapshots memory, calls the three phases in sequence,
+and returns the action plist that flows into ~cognitive-verify~.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+;; v0.7.2: live config section for system prompt
+(defun assemble-config-section ()
+  "Build the CONFIG section of the system prompt from live state."
+  (let ((provider-names "")
+        (context-window (if (and (boundp '*tokenizer-provider*) (fboundp 'tokenizer-context-limit))
+                           (tokenizer-context-limit (symbol-value '*tokenizer-provider*))
+                           8192))
+        (gate-count 10)
+        (rules-count 0))
+    (when (boundp '*provider-cascade*)
+      (setf provider-names
+            (format nil "~{~a~^, ~}"
+                    (mapcar (lambda (p)
+                              (handler-case (or (getf p :model) (getf p :provider) "")
+                                (error () (princ-to-string p))))
+                            (symbol-value '*provider-cascade*)))))
+    (when (boundp '*hitl-pending*)
+      (setf rules-count (hash-table-count (symbol-value '*hitl-pending*))))
+    (format nil "CONFIG: You are Passepartout v0.7.2. Provider: ~a. Context: ~d tokens. Security gates: ~d active. Rules learned: ~d. Documentation: USER_MANUAL.org."
+            (if (string= provider-names "") "default" provider-names)
+            context-window gate-count rules-count)))
+
+(defun think-assemble-prompt (context)
+  "Phase 2-3 of the metabolic cycle: context + system prompt assembly.
+Returns three values: system-prompt, raw-prompt, reply-stream."
+  (let* ((sensor (proto-get (proto-get context :payload) :sensor))
+         (active-skill (find-triggered-skill context))
+         (tool-belt (generate-tool-belt-prompt))
+         (reply-stream (proto-get context :reply-stream))
+         (global-context (if (fboundp 'context-assemble-cached)
+                             (context-assemble-cached context sensor)
+                             (if (fboundp 'context-assemble-global-awareness)
+                                 (context-assemble-global-awareness)
+                                 "[Awareness skill not loaded]")))
+         (system-logs (if (fboundp 'context-get-system-logs)
+                          (context-get-system-logs)
+                          "[No system logs available]"))
+         (assistant-name (or (uiop:getenv "MEMEX_ASSISTANT") "Agent"))
+         (rejection-trace (proto-get (proto-get context :payload) :rejection-trace))
+         (prompt-generator (when active-skill (skill-probabilistic-prompt active-skill)))
+         (raw-prompt (if prompt-generator
+                         (funcall prompt-generator context)
+                         (let ((p (proto-get (proto-get context :payload) :text)))
+                           (if (and p (stringp p)) p "Maintain metabolic stasis."))))
+         (reflection-feedback (if rejection-trace
+                                  (format nil "~%~%PREVIOUS PROPOSAL REJECTED: ~a" rejection-trace)
+                                  ""))
+         (standing-mandates-text (let ((out ""))
+                                   (dolist (fn *standing-mandates*)
+                                     (let ((text (ignore-errors (funcall fn context))))
+                                       (when (and text (stringp text) (> (length text) 0))
+                                         (setf out (concatenate 'string out text (string #\Newline))))))
+                                   (when (> (length out) 0) out)))
+         (identity-content (if (fboundp 'agent-identity)
+                               (agent-identity)
+                               ""))
+         (config-section (if (fboundp 'assemble-config-section)
+                             (assemble-config-section)
+                             ""))
+         (time-section (if (fboundp 'sensor-time-duration)
+                           (format-time-for-llm
+                            :session-duration-seconds (funcall (symbol-function 'session-duration)))
+                           (if (fboundp 'format-time-for-llm)
+                               (format-time-for-llm)
+                               "")))
+         (system-prompt (if (fboundp 'prompt-prefix-cached)
+                            (let* ((prefix (prompt-prefix-cached assistant-name identity-content
+                                                                  reflection-feedback
+                                                                  standing-mandates-text tool-belt)))
+                              (if (fboundp 'enforce-token-budget)
+                                  (multiple-value-bind (pfx ctxt logs _ mandates)
+                                      (enforce-token-budget prefix global-context system-logs
+                                                            raw-prompt standing-mandates-text)
+                                    (declare (ignore _))
+                                    (setf standing-mandates-text mandates)
+                                    (format nil "~a~%~%~a~%~%~a~%~%CONTEXT:~%~a~%~%LOGS:~%~a"
+                                            time-section config-section pfx (or ctxt "") logs))
+                                  (format nil "~a~%~%~a~%~%~a~%~%CONTEXT:~%~a~%~%LOGS:~%~a"
+                                          time-section config-section prefix (or global-context "") system-logs)))
+                            (format nil "~a~%~%~a~%~%IDENTITY: ~a~a~a~a~%~%TOOLS:~%~a~%~%CONTEXT:~%~a~%~%LOGS:~%~a"
+                                    time-section config-section
+                                    assistant-name identity-content reflection-feedback
+                                    (if standing-mandates-text
+                                        (concatenate 'string (string #\Newline) standing-mandates-text)
+                                        "")
+                                    tool-belt (or global-context "") system-logs))))
+    (values system-prompt raw-prompt reply-stream)))
+
+(defun think-call-llm (raw-prompt system-prompt reply-stream context)
+  "Phase 4 of the metabolic cycle: call the LLM via streaming or batch cascade.
+Returns the raw LLM response (string or plist with :tool-calls)."
+  ;; v0.5.0 deferred: budget enforcement — refuse calls when cap is exhausted
+  (when (and (fboundp 'budget-exhausted-p) (budget-exhausted-p))
+    (return-from think-call-llm (budget-exhaustion-message)))
+  (if (and reply-stream (fboundp 'cascade-stream))
+      (let ((acc (make-string-output-stream)))
+        (funcall 'cascade-stream raw-prompt system-prompt
+                 (lambda (delta)
+                   (when reply-stream
+                     (format reply-stream "~a"
+                             (frame-message (list :type :stream-chunk
+                                                  :payload (list :text delta))))
+                     (finish-output reply-stream))
+                   (write-string delta acc)))
+        (get-output-stream-string acc))
+      (backend-cascade-call raw-prompt
+                            :system-prompt system-prompt
+                            :context context)))
+
+(defun think-parse-response (thought)
+  "Phases 5-7 of the metabolic cycle: cost tracking + response parsing.
+Returns an action plist ready for cognitive-verify."
+  (let ((tool-calls (and (listp thought) (getf thought :tool-calls))))
+    (when (and (fboundp 'cost-track-backend-call)
+               (stringp thought)
+               (or (null tool-calls)))
+      (ignore-errors
+        (cost-track-backend-call (first *provider-cascade*)
+                                 thought)))
+    (if tool-calls
+        (let* ((first-call (car tool-calls))
+               (tool-name (getf first-call :name))
+               (args (getf first-call :arguments))
+               (args-plist (json-alist-to-plist args)))
+          (list :TYPE :REQUEST
+                :PAYLOAD (list* :TOOL tool-name
+                                :ARGS args-plist
+                                :EXPLANATION "Generated by function-calling engine.")))
+        (let* ((cleaned (if (and (listp thought) (getf thought :type))
+                           (format nil "~a" (getf (getf thought :payload) :text))
+                           (markdown-strip thought))))
+          (if (and cleaned (stringp cleaned) (> (length cleaned) 0)
+                   (or (char= (char cleaned 0) #\() (char= (char cleaned 0) #\[)))
+              (handler-case
+                  (let ((parsed (let ((*read-eval* nil)) (read-from-string cleaned))))
+                    (if (listp parsed)
+                        (let ((normalized (plist-keywords-normalize parsed)))
+                          (let ((payload (proto-get normalized :payload)))
+                            (if (and payload (proto-get payload :explanation))
+                                normalized
+                                (let ((new-payload (list* :EXPLANATION "Generated by the Probabilistic engine."
+                                                          (if (listp payload) payload nil))))
+                                  (list* :PAYLOAD new-payload
+                                         (loop for (k v) on normalized by #'cddr
+                                               unless (eq k :PAYLOAD)
+                                               collect k collect v))))))
+                        (list :TYPE :REQUEST :PAYLOAD
+                              (list :ACTION :MESSAGE :TEXT cleaned
+                                    :EXPLANATION "Generated by the Probabilistic engine."))))
+                (error ()
+                  (list :TYPE :REQUEST :PAYLOAD
+                        (list :ACTION :MESSAGE :TEXT cleaned
+                              :EXPLANATION "Generated by the Probabilistic engine."))))
+              (list :TYPE :REQUEST :PAYLOAD
+                    (list :ACTION :MESSAGE
+                          :TEXT (if (stringp cleaned) cleaned "No response")
+                          :EXPLANATION "Generated by the Probabilistic engine.")))))))
+
+(defun think (context)
+  "The probabilistic reasoning engine — orchestrates prompt assembly, LLM call,
+and response parsing into an action plist for cognitive-verify."
+  (when (fboundp 'snapshot-memory)
+    (snapshot-memory))
+  (multiple-value-bind (system-prompt raw-prompt reply-stream)
+      (think-assemble-prompt context)
+    (let ((thought (think-call-llm raw-prompt system-prompt reply-stream context)))
+      (think-parse-response thought))))
+#+end_src
+
+** JSON-to-Plist Conversion (json-alist-to-plist)
+
+Converts a JSON alist as returned by ~cl-json:decode-json-from-string~ to a keyword-prefixed plist — the internal data format that ~cognitive-verify~ and the actuator layer expect. This is the boundary where the probabilistic layer's output format (JSON) meets the deterministic layer's input format (plists).
+
+String keys are interned as upcased keywords (~"action" → :ACTION~). Nested alists recurse. JSON arrays (lists whose first element is an atom) pass through unchanged since the actuator layer handles list arguments natively.
+
+#+begin_src lisp
+(defun json-alist-to-plist (alist)
+  "Convert a JSON alist to a keyword-prefixed plist."
+  (when (listp alist)
+    (loop for (key . value) in alist
+          append (list (intern (string-upcase (string key)) :keyword)
+                       (if (listp value)
+                           (if (consp (car value))
+                               (json-alist-to-plist value)
+                               value)
+                           value)))))
+#+end_src
+
+** Deterministic Engine (cognitive-verify)
+
+The deterministic engine is the strict guard. It receives a proposed action from the probabilistic engine and runs it through every registered deterministic gate, sorted by priority.
+
+**Gate Trace (v0.4.0)**
+
+As part of v0.4.0's TUI differentiator visualizations, ~cognitive-verify~ now accumulates a ~:gate-trace~ — a list of ~(:gate <name> :result <:passed|:blocked|:approval>)~ entries — as each deterministic gate processes the action. The trace is prepended to the result plist via ~list*~ and flows through the pipeline to the TUI actuator, which transmits it to the client.
+
+This is Passepartout's permanent UX advantage: no competitor can ship a gate trace because none has deterministic gates to trace. Claude Code, OpenClaw, and Hermes Agent all use prompt-based guardrails where the safety decision is invisible. In Passepartout, the user sees exactly which nine safety gates ran, what each decided, and why — all at 0 LLM tokens.
+
+Skills register deterministic gates via ~defskill~ with the ~:deterministic~ keyword. Each gate is a function that receives (action context) and returns either:
+- A modified action (the gate approves or adjusts the proposal)
+- A LOG or EVENT plist (the gate rejects the proposal with a reason)
+
+Gates run in priority order, highest first. If any gate returns a LOG or EVENT, the proposal is rejected immediately and the rejection reason flows back to the probabilistic engine via the rejection trace. If all gates pass, the proposal is approved.
+
+This architecture makes safety compositional: each skill adds one constraint. The dispatcher checks secrets. The policy checks explanations. The shell actuator checks destructive commands. No single skill needs to understand the full security model.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun cognitive-verify (proposed-action context)
+  "Runs all registered deterministic gates against the proposed action,
+sorted by priority (highest first). Returns a rejection plist or the action."
+  (let ((current-action (copy-tree proposed-action))
+        (approval-needed nil)
+        (approval-action nil)
+        (gates nil)
+        (gate-trace nil))
+    ;; Collect gates sorted by priority (highest first)
+    (maphash (lambda (name skill)
+               (declare (ignore name))
+               (when (skill-deterministic-fn skill)
+                 (push (cons (skill-priority skill) (cons (skill-name skill) (skill-deterministic-fn skill))) gates)))
+             *skill-registry*)
+    (setf gates (sort gates #'> :key #'car))
+    (dolist (gate-entry gates)
+      (let* ((gate-name (cadr gate-entry))
+             (result (funcall (cddr gate-entry) current-action context)))
+        (cond
+          ((eq (getf result :level) :approval-required)
+           (push (list :gate (or gate-name (car gate-entry)) :result :approval) gate-trace)
+           (setf approval-needed t
+                 approval-action (getf (getf result :payload) :action)))
+           ((member (getf result :type) '(:LOG :EVENT))
+            (push (list :gate (or gate-name (car gate-entry)) :result :blocked) gate-trace)
+            (let ((blocked-result (copy-list result)))
+              (setf (getf blocked-result :gate-trace) (nreverse gate-trace))
+              (return-from cognitive-verify blocked-result)))
+          ((and (listp result) result)
+           (push (list :gate (or gate-name (car gate-entry)) :result :passed) gate-trace)
+           (setf current-action result)))))
+    (if approval-needed
+        (list :type :EVENT :level :approval-required
+              :gate-trace (nreverse gate-trace)
+              :payload (list :sensor :approval-required
+                             :action approval-action))
+        (let ((passed-result (copy-tree current-action)))
+          (setf (getf passed-result :gate-trace) (nreverse gate-trace))
+          passed-result))))
+#+end_src
+
+** Reason Gate (Stage 2)
+
+The reason gate is the pipeline stage that orchestrates Think + Determine. It receives a signal, checks if it requires reasoning (only ~:user-input~ and ~:chat-message~ events do), and runs through the cognitive + verification loop.
+
+The loop has retry logic: up to 3 attempts. If the deterministic engine rejects a proposal, the rejection reason is fed back into the next think call so the LLM can self-correct. This loop — propose, reject, correct, re-propose — is the core mechanism by which the agent improves its own output without human intervention.
+
+The retry limit prevents infinite loops. If the LLM cannot produce a passable proposal within 3 attempts, the last rejection reason is attached to the signal and the acted pipeline sees a failed reasoning cycle.
+
+*** loop-gate-reason
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun loop-gate-reason (signal)
+  (let* ((type (proto-get signal :type))
+         (payload (proto-get signal :payload))
+         (sensor (proto-get payload :sensor)))
+    (unless (and (eq type :EVENT) (member sensor '(:user-input :chat-message)))
+      (return-from loop-gate-reason signal))
+    (let ((retries 3)
+          (current-signal (copy-tree signal))
+          (last-rejection nil))
+      (loop
+        (when (<= retries 0)
+          (setf (getf signal :approved-action) last-rejection)
+          (setf (getf signal :status) :reasoned)
+          (return signal))
+        (when last-rejection
+          (setf (getf (getf current-signal :payload) :rejection-trace) last-rejection))
+        (let ((candidate (think current-signal)))
+           (if (and candidate (listp candidate))
+               (let ((verified (cognitive-verify candidate current-signal)))
+                 ;; Approval-required is not a rejection — pass to act for Flight Plan
+                 (if (eq (getf verified :level) :approval-required)
+                     (progn
+                       (setf (getf signal :approved-action) verified)
+                       (setf (getf signal :status) :requires-approval)
+                       (return signal))
+                     ;; Hard rejection: retry with feedback
+                     (if (member (getf verified :type) '(:LOG :EVENT))
+                         (progn (decf retries) (setf last-rejection verified))
+                         (progn
+                           (setf (getf signal :approved-action) verified)
+                           (setf (getf signal :status) :reasoned)
+                           (return signal)))))
+              (progn
+                (setf (getf signal :approved-action) nil)
+                (setf (getf signal :status) :reasoned)
+                (return signal))))))))
+#+end_src
+
+*** reason-gate (backward-compatibility alias)
+
+The pipeline gate was originally named ~reason-gate~. Code that still
+uses the old name can call this alias. New code should call
+~loop-gate-reason~.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun reason-gate (signal)
+  (loop-gate-reason signal))
+#+end_src
+
+* Test Suite
+Verifies that the deterministic engine correctly rejects unsafe actions (like ~rm -rf /~) while allowing safe ones.
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-pipeline-reason-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:pipeline-reason-suite))
+
+(in-package :passepartout-pipeline-reason-tests)
+
+(def-suite pipeline-reason-suite :description "Test suite for Reason pipeline")
+(in-suite pipeline-reason-suite)
+
+(test test-decide-gate-safety
+  "Contract 1: cognitive-verify blocks unsafe actions with :LOG rejection."
+  (clrhash passepartout::*skill-registry*)
+  (passepartout::defskill :mock-safety
+    :priority 50
+    :trigger (lambda (ctx) (declare (ignore ctx)) t)
+    :deterministic (lambda (action ctx)
+                    (declare (ignore ctx))
+                    (if (search "rm -rf" (format nil "~s" action))
+                        (list :type :LOG :payload (list :text "Rejected"))
+                        action)))
+  (let* ((candidate '(:type :REQUEST :payload (:action :shell :cmd "rm -rf /")))
+         (signal '(:type :EVENT :payload (:sensor :user-input)))
+         (result (cognitive-verify candidate signal)))
+    (is (eq :LOG (getf result :type)))))
+
+(test test-cognitive-verify-pass-through
+  "Contract 1: safe actions pass through cognitive-verify unchanged."
+  (clrhash passepartout::*skill-registry*)
+  (passepartout::defskill :mock-passthrough
+    :priority 50
+    :trigger (lambda (ctx) (declare (ignore ctx)) t)
+    :deterministic (lambda (action ctx)
+                    (declare (ignore ctx))
+                    action))
+  (let* ((candidate '(:type :REQUEST :payload (:action :shell :cmd "echo hello")))
+         (signal '(:type :EVENT :payload (:sensor :user-input)))
+         (result (cognitive-verify candidate signal)))
+    (is (eq :REQUEST (getf result :type)))
+    (is (equal (getf candidate :payload) (getf result :payload)))
+    (is (getf result :gate-trace))))
+
+(test test-cognitive-verify-empty-registry
+  "Contract 1: with no gates registered, action passes through unchanged."
+  (clrhash passepartout::*skill-registry*)
+  (let* ((candidate '(:type :REQUEST :payload (:action :shell :cmd "ls")))
+         (signal '(:type :EVENT :payload (:sensor :user-input)))
+         (result (cognitive-verify candidate signal)))
+    (is (eq :REQUEST (getf result :type)))
+    (is (equal (getf candidate :payload) (getf result :payload)))))
+
+(test test-cognitive-verify-approval-required
+  "Contract 1: gate returning :approval-required produces an approval event."
+  (clrhash passepartout::*skill-registry*)
+  (passepartout::defskill :mock-approval
+    :priority 50
+    :trigger (lambda (ctx) (declare (ignore ctx)) t)
+    :deterministic (lambda (action ctx)
+                    (declare (ignore ctx))
+                    (list :type :EVENT :level :approval-required
+                          :payload (list :action action))))
+  (let* ((candidate '(:type :REQUEST :payload (:action :shell :cmd "sudo reboot")))
+         (signal '(:type :EVENT :payload (:sensor :user-input)))
+         (result (cognitive-verify candidate signal)))
+    (is (eq :approval-required (getf result :level)))
+    (is (eq :EVENT (getf result :type)))))
+
+(test test-loop-gate-reason-passthrough
+  "Contract 2: non-user-input sensors pass through loop-gate-reason unchanged."
+  (let* ((signal '(:type :EVENT :payload (:sensor :heartbeat) :meta (:source :system)))
+         (result (loop-gate-reason signal)))
+    (is (not (null result)))))
+
+(test test-loop-gate-reason-sets-status
+  "Contract 2: loop-gate-reason sets :status on :user-input signals."
+  (clrhash passepartout::*skill-registry*)
+  (let* ((passepartout::*provider-cascade* nil)
+         (signal (list :type :EVENT :payload (list :sensor :user-input :text "test")))
+         (result (loop-gate-reason signal)))
+    (is (member (getf result :status) '(:reasoned :requires-approval)))))
+
+(test test-backend-cascade-no-backends
+  "Contract 4: empty cascade returns :LOG failure."
+  (let* ((passepartout::*provider-cascade* nil)
+         (passepartout::*probabilistic-backends* (make-hash-table :test 'equal))
+         (result (backend-cascade-call "test" :cascade '())))
+    (is (eq :LOG (getf result :type)))
+    (is (search "exhausted" (getf (getf result :payload) :text) :test #'char-equal))))
+
+(test test-backend-cascade-with-mock
+  "Contract 4: backend-cascade-call returns content from first successful backend."
+  (let ((passepartout::*probabilistic-backends* (make-hash-table :test 'equal)))
+    (setf (gethash :mock-backend passepartout::*probabilistic-backends*)
+          (lambda (prompt sp &key model)
+            (declare (ignore prompt sp model))
+            (list :status :success :content "mock-response")))
+    (let ((result (backend-cascade-call "hello" :cascade '(:mock-backend))))
+      (is (string= "mock-response" result)))))
+
+(test test-read-eval-rce-blocked
+  "Contract 1/v0.3.1: #. reader macro in LLM output must not execute arbitrary code."
+  (let ((passepartout::*probabilistic-backends* (make-hash-table :test 'equal))
+        (passepartout::*provider-cascade* '(:mock-evil)))
+    (setf (gethash :mock-evil passepartout::*probabilistic-backends*)
+          (lambda (prompt sp &key model)
+            (declare (ignore prompt sp model))
+            (list :status :success :content "(#.(setf passepartout::*v031-rce-test* :PWNED))")))
+    (setf passepartout::*v031-rce-test* nil)
+    (setf *read-eval* t)
+    (let* ((ctx (list :type :EVENT :payload (list :sensor :user-input :text "test") :depth 0))
+           (result (passepartout::think ctx)))
+      (is (not (eq passepartout::*v031-rce-test* :PWNED)))
+      (is (eq :REQUEST (getf result :TYPE)))
+       (setf *read-eval* nil))))
+
+(test test-json-alist-to-plist-simple
+  "Contract 5: converts simple alist to keyword plist."
+  (let ((alist (list (cons "action" "shell") (cons "cmd" "echo hello"))))
+    (let ((result (json-alist-to-plist alist)))
+      (is (eq :ACTION (first result)))
+      (is (string= "shell" (second result)))
+      (is (eq :CMD (third result)))
+      (is (string= "echo hello" (fourth result))))))
+
+(test test-json-alist-to-plist-nested
+  "Contract 5: nested alists recurse into nested plists."
+  (let ((alist (list (cons "tool" "write-file")
+                     (cons "args" (list (cons "filepath" "/tmp/x")
+                                        (cons "content" "hi"))))))
+    (let ((result (json-alist-to-plist alist)))
+      (is (eq :TOOL (first result)))
+      (is (eq :ARGS (third result)))
+      (let ((inner (fourth result)))
+        (is (eq :FILEPATH (first inner)))
+        (is (string= "/tmp/x" (second inner)))
+        (is (eq :CONTENT (third inner)))))))
+
+(test test-json-alist-to-plist-array-passthrough
+  "Contract 5: JSON arrays pass through unchanged."
+  (let ((alist (list (cons "names" (list "alice" "bob")))))
+    (let ((result (json-alist-to-plist alist)))
+      (is (eq :NAMES (first result)))
+      (is (equal (list "alice" "bob") (second result))))))
+
+(test test-json-alist-to-plist-null
+  "Contract 5: nil passes through unchanged."
+  (let ((result (json-alist-to-plist nil)))
+    (is (null result))))
+
+(test test-json-alist-to-plist-scalar
+  "Contract 5: scalar values pass through."
+  (let ((alist (list (cons "count" 42) (cons "active" :true))))
+    (let ((result (json-alist-to-plist alist)))
+      (is (eq :COUNT (first result)))
+      (is (= 42 (second result)))
+      (is (eq :ACTIVE (third result)))
+      (is (eq :true (fourth result))))))
+
+(test test-assemble-config-section
+  "Contract v0.7.2: config section contains Passepartout and version."
+  (let ((section (passepartout::assemble-config-section)))
+    (is (stringp section))
+    (is (search "Passepartout" section))
+    (is (search "v0.7.2" section))
+    (is (search "Security gates" section))))
+
+(test test-think-snapshots-before-llm
+  "Contract v0.7.2: think() snapshots memory before LLM call."
+  (let ((passepartout::*memory-snapshots* nil)
+        (passepartout::*memory-store* (make-hash-table :test 'equal)))
+    (setf (gethash "pre" passepartout::*memory-store*) "value")
+    (let ((passepartout::*probabilistic-backends* (make-hash-table :test 'equal))
+          (passepartout::*provider-cascade* nil))
+      (handler-case
+          (let* ((ctx (list :type :EVENT :payload (list :sensor :user-input :text "hi") :depth 0))
+                 (result (passepartout::think ctx)))
+            (declare (ignore result)))
+        (error (c) (format nil "Expected: ~a" c)))
+      (is (>= (length passepartout::*memory-snapshots*) 0)))))
+#+end_src

org/core-skills.org

@@ -0,0 +1,527 @@
+#+TITLE: The Skill Engine (skills.lisp)
+#+AUTHOR: Agent
+#+FILETAGS: :org:skills:
+#+STARTUP: content
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/core-skills.lisp
+
+* Overview: Architectural Intent
+
+The Skill Engine is the dynamic loading and lifecycle manager for all Passepartout skills. It discovers skill files in the skills directory, resolves their dependency order, loads them into jailed packages, and exports their public symbols into the ~passepartout~ package.
+
+** Late-Binding Intelligence
+
+Hardcoding logic into a compiled binary creates a brittle kernel. Every time you add a capability, you must recompile, restart, and re-deploy. Skills solve this by being:
+
+1. **Discovered at boot** — the engine scans a directory for skill files and loads whatever it finds. No registration step needed.
+2. **Dependency-ordered** — skills declare dependencies via ~#+DEPENDS_ON:~ headers. The topological sort ensures they load in the right order.
+3. **Hot-reloadable** — a skill can be replaced at runtime without restarting the daemon. The new version is compiled into a fresh jail package and swapped in.
+4. **Self-documenting** — each skill is a single Org file containing prose, code, metadata, and tests. The "Why" and the "How" are unified.
+
+** The Jailed Package Model
+
+Every skill loads into its own package (e.g., ~PASSEPARTOUT.SKILLS.SECURITY-DISPATCHER~). This prevents name conflicts between skills — two skills can define a function called ~process~ without collision, because each lives in its own namespace.
+
+After loading, the engine exports the skill's public symbols into the ~passepartout~ package, making them available to other skills and the org. The export filter uses the skill's short name as a prefix — for example, the Security Dispatcher exports only symbols starting with ~DISPATCHER-~.
+
+This is how the "thin org, fat skills" principle works in practice: the org provides the loading infrastructure; the skills provide all the intelligence.
+
+** Contract
+
+1. (lisp-syntax-validate code-string): returns T if the Lisp code is
+   structurally valid, nil if reader errors are detected.
+2. (skill-topological-sort dir): reads org files in a directory, parses
+   ~#+DEPENDS_ON:~ declarations, returns files sorted such that
+   dependencies come before dependents.
+
+* Implementation
+
+** Package Context
+#+begin_src lisp
+(in-package :passepartout)
+
+(defvar *VAULT-MEMORY* (make-hash-table :test 'equal))
+#+end_src
+
+** Utility functions
+
+Helper functions used by the skill loader and other components.
+
+*** Cosine similarity
+
+Computes the cosine similarity between two numeric vectors. Used by the peripheral vision system for semantic relevance scoring — if the agent's current focus has a vector embedding, objects with similar embeddings get promoted to foveal detail.
+
+#+begin_src lisp
+(defun vector-cosine-similarity (v1 v2)
+  "Computes cosine similarity between two vectors."
+  (let* ((len1 (length v1)) (len2 (length v2)))
+    (if (or (zerop len1) (zerop len2))
+        0.0
+        (let* ((dot 0.0d0) (n1 0.0d0) (n2 0.0d0))
+          (dotimes (i (min len1 len2))
+            (let* ((x (coerce (elt v1 i) 'double-float)) (y (coerce (elt v2 i) 'double-float)))
+              (incf dot (* x y)) (incf n1 (* x x)) (incf n2 (* y y))))
+          (if (or (zerop n1) (zerop n2)) 0.0 (/ dot (sqrt (* n1 n2))))))))
+#+end_src
+
+** Skill data structures
+
+The ~skill~ struct holds all metadata about a loaded skill: its name, priority, dependencies, trigger function, probabilistic prompt generator, and deterministic gate. The ~skill-entry~ struct tracks the loading state of each discovered skill file.
+
+#+begin_src lisp
+(defstruct skill name priority dependencies trigger-fn probabilistic-prompt deterministic-fn)
+#+end_src
+
+#+begin_src lisp
+(defvar *skill-catalog* (make-hash-table :test 'equal)
+  "Tracks all discovered skill files and their loading state.")
+#+end_src
+
+#+begin_src lisp
+(defvar *standing-mandates* nil
+  "List of functions (context) → string-or-nil. Each is called on every think() cycle.
+When non-nil, the returned string is injected into the IDENTITY section of the system prompt.
+Unlike skills (which activate on triggers), standing mandates are always consulted.")
+#+end_src
+
+#+begin_src lisp
+(defstruct skill-entry filename (status :discovered) error-log (load-time 0))
+#+end_src
+
+** Skill discovery (skill-triggered-find)
+
+Iterates the registry and returns the highest-priority skill whose trigger function matches the current context. Only skills with a probabilistic prompt are considered (purely deterministic skills don't need LLM attention).
+
+This is how the system determines which skill "owns" the current user input. For example, if the REPL skill's trigger matches the input, the REPL skill provides the prompt template that shapes how the LLM responds.
+
+#+begin_src lisp
+;; Alias: find-triggered-skill → skill-triggered-find
+(defun find-triggered-skill (context)
+  (skill-triggered-find context))
+
+(defun skill-triggered-find (context)
+  "Returns the highest priority skill whose trigger matches context."
+  (let ((triggered nil))
+    (maphash (lambda (name skill) 
+               (declare (ignore name)) 
+               (when (and (skill-probabilistic-prompt skill)
+                          (ignore-errors (funcall (skill-trigger-fn skill) context)))
+                 (push skill triggered))) 
+               *skill-registry*)
+    (first (sort triggered #'> :key #'skill-priority))))
+#+end_src
+
+** Standing Mandates
+
+Standing mandates are cross-cutting instructions injected into every LLM system prompt. They live in ~*standing-mandates*~, a list of functions ~(context) → string-or-nil~. Each is called on every reasoning cycle; nil results are skipped.
+
+This is the mechanism for always-on behavioral instructions. Skills call their registered trigger function to determine if they should activate for a given context; standing mandates always run and decide themselves whether to contribute text. Use ~push~ to register:
+
+#+begin_example
+(push #'my-mandate *standing-mandates*)
+#+end_example
+
+** Skill registration macro (defskill)
+
+The primary API for skills. Each skill file calls this once to register itself. The macro creates a ~skill~ struct and stores it in ~*skill-registry*~ keyed by the skill's name.
+
+#+begin_src lisp
+(defmacro defskill (name &key priority dependencies trigger probabilistic deterministic)
+  "Registers a new skill. NAME is a keyword. TRIGGER is a function (context) → bool."
+  `(setf (gethash (string-downcase (string ,name)) *skill-registry*)
+         (make-skill :name (string-downcase (string ,name)) 
+                    :priority (or ,priority 10) 
+                    :dependencies ',dependencies
+                    :trigger-fn ,trigger 
+                    :probabilistic-prompt ,probabilistic 
+                    :deterministic-fn ,deterministic)))
+#+end_src
+
+** Dependency resolution (skill-dependencies-resolve)
+
+Recursively resolves all transitive dependencies for a given skill, returning an ordered list. Uses a standard graph traversal with a ~seen~ set to prevent infinite recursion from circular dependencies.
+
+#+begin_src lisp
+(defun skill-dependencies-resolve (skill-name)
+  "Resolves transitive dependencies. Returns list of skill names in dependency order."
+  (let ((resolved nil) (seen nil))
+    (labels ((visit (name) 
+               (unless (member name seen :test #'equal) 
+                 (push name seen)
+                 (let ((skill (gethash (string-downcase (string name)) *skill-registry*)))
+                   (when skill 
+                     (dolist (dep (skill-dependencies skill)) (visit dep))))
+                 (push name resolved))))
+      (visit skill-name) 
+      (nreverse resolved))))
+#+end_src
+
+** Skill File Analysis (skill-metadata-parse)
+
+Extracts the ~:ID~ and ~#+DEPENDS_ON:~ declarations from a skill's Org file. Used by the topological sorter to order skills correctly.
+
+#+begin_src lisp
+(defun skill-metadata-parse (filepath)
+  "Extracts ID and DEPENDS_ON tags from org file."
+  (let ((dependencies nil) (id nil) (content (uiop:read-file-string filepath)))
+    (let ((id-start (search ":ID:" content)))
+      (when id-start
+        (let ((id-end (position #\Newline content :start id-start)))
+          (when id-end (setf id (string-trim " " (subseq content (+ id-start 4) id-end)))))))
+    (let ((pos 0))
+      (loop while (setf pos (search "#+DEPENDS_ON:" content :start2 pos))
+            do (let ((end (position #\Newline content :start pos)))
+              (when end
+                (let ((line (string-trim " " (subseq content (+ pos 13) end))))
+                  (dolist (d (uiop:split-string line :separator '(#\Space #\Tab)))
+                    (unless (string= d "") (push d dependencies))))
+                (setf pos end)))))
+    (values id (reverse dependencies))))
+#+end_src
+
+** Dependency Resolution (skill-topological-sort)
+
+Returns a list of skill filepaths sorted by dependency order. Uses Kahn's algorithm: collect all files, build an adjacency graph from ~#+DEPENDS_ON:~ declarations, and topologically sort them. Skills with no dependencies are sorted alphabetically.
+
+Both ~.org~ and ~.lisp~ files are included. For each skill, the ~.org~ file supplies the dependency metadata; if a ~.lisp~ file exists, it's loaded instead of tangling from the ~.org~ at load time.
+
+#+begin_src lisp
+(defun skill-topological-sort (skills-dir)
+  "Returns a list of skill filepaths sorted by dependency."
+  (let* ((org-files (uiop:directory-files skills-dir "*.org"))
+         (lisp-files (uiop:directory-files skills-dir "*.lisp"))
+         (all-files (append org-files lisp-files))
+         (files (remove-if (lambda (f)
+                             (let ((n (pathname-name f)))
+                                (or (string= n "core-package")
+                                    (string= n "core-skills")
+                                    (string= n "core-transport")
+                                    (string= n "core-memory")
+                                    (string= n "core-perceive")
+                                    (string= n "core-reason")
+                                    (string= n "core-act")
+                                    (string= n "core-pipeline")
+                                    (string= n "core-manifest")
+                                    (string= n "neuro-router")
+                                    (string= n "neuro-explorer")
+                                    (string= n "channel-tui"))))
+                           all-files))
+        (adj (make-hash-table :test 'equal))
+        (name-to-file (make-hash-table :test 'equal))
+        (id-to-file (make-hash-table :test 'equal))
+        (result nil)
+        (visited (make-hash-table :test 'equal))
+        (stack (make-hash-table :test 'equal)))
+    (dolist (file files)
+      (let ((filename (pathname-name file)))
+        (if (uiop:string-suffix-p (namestring file) ".lisp")
+            (progn
+              (setf (gethash (string-downcase filename) name-to-file) file)
+              (unless (gethash (string-downcase filename) adj)
+                (setf (gethash (string-downcase filename) adj) nil)))
+            (multiple-value-bind (id deps) (skill-metadata-parse file)
+              (setf (gethash (string-downcase filename) name-to-file) file)
+              (when id (setf (gethash (string-downcase id) id-to-file) file))
+              (setf (gethash (string-downcase filename) adj) deps)))))
+    (labels ((visit (file)
+               (let* ((filename (pathname-name file))
+                      (node-key (string-downcase filename)))
+                 (unless (gethash node-key visited)
+                   (setf (gethash node-key stack) t)
+                   (dolist (dep (gethash node-key adj))
+                     (let* ((is-id-p (uiop:string-prefix-p "id:" (string-downcase dep)))
+                            (dep-key (string-downcase (if is-id-p (subseq dep 3) dep)))
+                            (dep-file (if is-id-p 
+                                          (gethash dep-key id-to-file)
+                                          (or (gethash dep-key id-to-file)
+                                              (gethash dep-key name-to-file)))))
+                       (when dep-file
+                         (let ((dep-filename (pathname-name dep-file)))
+                           (if (gethash (string-downcase dep-filename) stack)
+                               (error "Circular dependency detected")
+                               (visit dep-file))))))
+                   (setf (gethash node-key stack) nil)
+                   (setf (gethash node-key visited) t)
+                   (push file result)))))
+      (let ((filenames (sort (mapcar #'pathname-name files) #'string<)))
+        (dolist (name filenames)
+          (let ((file (gethash (string-downcase name) name-to-file)))
+            (when file (visit file)))))
+      (nreverse result))))
+#+end_src
+
+** Jailed Loading (skill-load-from-org)
+
+The primary skill loader. Given a path to an ~.org~ file:
+
+1. Reads the Org file and collects all ~#+begin_src lisp~ blocks (excluding test blocks and blocks with ~:tangle no~)
+2. Validates the Lisp syntax before loading
+3. Creates a jailed package named after the skill (e.g., ~PASSEPARTOUT.SKILLS.SECURITY-DISPATCHER~) with ~:use :passepartout~
+4. Evaluates the collected Lisp forms in that package
+5. Scans the package for symbols matching the skill's name prefix and exports them to the ~passepartout~ package
+
+The validation step is critical: invalid Lisp in an org block would crash the loader. The validator uses ~read~ with ~*read-eval*~ bound to nil to safely detect syntax errors without evaluating.
+
+#+begin_src lisp
+(defun lisp-syntax-validate (code-string)
+  "Checks if a string contains valid Common Lisp forms."
+  (handler-case
+      (let ((*read-eval* nil))
+        (with-input-from-string (s (format nil "(progn ~a)" code-string))
+          (loop for form = (read s nil :eof) until (eq form :eof)))
+        (values t nil))
+    (error (c) (values nil (format nil "~a" c)))))
+
+(defun skill-package-forms-strip (code-string)
+  "Removes (in-package :passepartout) forms only — preserves test-package
+declarations so embedded test code evaluates in the correct package."
+  (let ((lines (uiop:split-string code-string :separator '(#\Newline)))
+        (result ""))
+    (dolist (line lines)
+      (let ((trimmed (string-trim '(#\Space #\Tab) line)))
+        (if (uiop:string-prefix-p "(in-package :passepartout)" trimmed)
+            (setf result (concatenate 'string result (string #\Newline)))
+            (setf result (concatenate 'string result line (string #\Newline))))))
+    result))
+
+(defun tangle-target-extract (line)
+  "Extracts the value of the :tangle header."
+  (let ((pos (search ":tangle" line)))
+    (when pos
+      (let ((rest (string-tirm '(#\Space #\Tab) (subseq line (+ pos 7)))))
+        (let ((end (position #\Space rest)))
+          (if end (subseq rest 0 end) rest))))))
+
+(defun load-skill-from-org (filepath)
+  "Parses and evaluates Lisp blocks from an Org file."
+  (let* ((skill-base-name (pathname-name filepath))
+         (entry (or (gethash skill-base-name *skill-catalog*) (setf (gethash skill-base-name *skill-catalog*) (make-skill-entry :filename skill-base-name)))))
+    (setf (skill-entry-status entry) :loading)
+    (handler-case
+        (let* ((content (uiop:read-file-string filepath))
+               (lines (uiop:split-string content :separator '(#\Newline)))
+               (in-lisp-block nil) (collect-this-block nil) (lisp-code "")
+               (pkg-name (intern (string-upcase (format nil "PASSEPARTOUT.SKILLS.~a" skill-base-name)) :keyword)))
+          (dolist (line lines)
+            (let ((clean-line (string-trim '(#\Space #\Tab #\Return) line)))
+              (cond
+                ((uiop:string-prefix-p "#+begin_src lisp" clean-line)
+                 (setf in-lisp-block t)
+                 (let ((target (tangle-target-extract clean-line)))
+                   (setf collect-this-block (or (null target)
+                                                (and (not (search "no" target))
+                                                     (not (search "/tests" target)))))))
+                ((uiop:string-prefix-p "#+end_src" clean-line)
+                 (setf in-lisp-block nil) (setf collect-this-block nil))
+                ((and in-lisp-block collect-this-block)
+                 (unless (or (uiop:string-prefix-p ":PROPERTIES:" (string-upcase clean-line))
+                              (uiop:string-prefix-p ":END:" (string-upcase clean-line))
+                              (uiop:string-prefix-p ":ID:" (string-upcase clean-line)))
+                   (setf lisp-code (concatenate 'string lisp-code line (string #\Newline))))))))
+          (if (= (length lisp-code) 0)
+              (setf (skill-entry-status entry) :ready)
+              (progn
+                (multiple-value-bind (valid-p err) (lisp-syntax-validate lisp-code)
+                  (unless valid-p (error err)))
+                ;; Pre-eval sandbox scan: block before any code executes
+                (multiple-value-bind (blocked-p blocked-syms)
+                    (skill-source-scan lisp-code)
+                  (when blocked-p
+                    (log-message "LOADER SANDBOX: Skill '~a' blocked before eval — references restricted symbol(s): ~{~a~^, ~}"
+                                 skill-base-name blocked-syms)
+                    (setf (skill-entry-status entry) :sandbox-blocked)
+                    (return-from load-skill-from-org nil)))
+                (unless (find-package pkg-name)
+                  (let ((new-pkg (make-package pkg-name :use '(:cl)))) (use-package :passepartout new-pkg)))
+                (let ((*read-eval* nil) (*package* (find-package pkg-name)))
+                  (log-message "LOADER: Evaluating code for '~a' in package ~a" skill-base-name (package-name *package*))
+                  (eval (read-from-string (format nil "(progn ~a)" lisp-code))))
+
+                (let ((target-pkg (find-package :passepartout))
+                      (exported 0)
+                      (seen (make-hash-table :test 'equal)))
+                  (do-symbols (sym (find-package pkg-name))
+                    (when (and (eq (symbol-package sym) (find-package pkg-name))
+                               (or (fboundp sym) (boundp sym))
+                               (not (gethash (symbol-name sym) seen)))
+                      (setf (gethash (symbol-name sym) seen) t)
+                      (incf exported)
+                      (let ((existing (find-symbol (symbol-name sym) target-pkg)))
+                        (when existing (unintern existing target-pkg)))
+                      (import sym target-pkg)
+                      (export sym target-pkg)))
+                  (log-message "LOADER: Exported ~a symbols from ~a to :PASSEPARTOUT"
+                               exported (package-name (find-package pkg-name))))
+
+                (setf (skill-entry-status entry) :ready)))
+          t)
+      (error (c)
+        (log-message "LOADER ERROR in skill '~a': ~a" skill-base-name c)
+        (setf (skill-entry-status entry) :failed) nil))))
+#+end_src
+
+** Sandbox Source Scan (skill-source-scan)
+
+Scans Lisp source text for references to restricted symbols before any
+code is evaluated. This prevents malicious skills from executing even a
+single form. The restricted symbols cover process spawning
+(~uiop:run-program~, ~uiop:shell~, ~uiop:run-shell-command~), thread
+creation (~bt:make-thread~), and
+socket operations (~usocket:socket-connect~, ~hunchentoot:start~).
+
+Returns two values: T/NIL (blocked-p) and a list of matched symbol names.
+The scan is a text-level regex check — it catches direct references but
+not obfuscated ones. The post-eval ~symbol-function~ comparison in
+~load-skill-from-lisp~ catches those.
+
+#+begin_src lisp
+(defvar *skill-restricted-symbols*
+  '("uiop:run-program" "uiop:shell" "uiop:run-shell-command"
+    "bt:make-thread" "bordeaux-threads:make-thread"
+    "usocket:socket-connect" "usocket:socket-listen"
+    "hunchentoot:start" "hunchentoot:accept-connections")
+  "Symbol patterns blocked from skill source code at load time.")
+
+(defun skill-source-scan (code-string)
+  "Scans CODE-STRING for restricted symbol references.
+Returns (values blocked-p matched-symbols)."
+  (let ((lower (string-downcase code-string))
+        (matches nil))
+    (dolist (pattern *skill-restricted-symbols*)
+      (when (search pattern lower)
+        (push pattern matches)))
+    (values (and matches t) (nreverse matches))))
+#+end_src
+
+** Loading from Pre-Tangled Lisp (skill-load-from-lisp)
+
+Loads a pre-tangled ~.lisp~ file directly, without parsing the Org source. This is faster than ~load-skill-from-org~ because it skips the block extraction and syntax validation (the Lisp was already validated when tangled).
+
+The same jailed package and symbol export process applies.
+
+The sandbox check runs *before* evaluation: the source text is scanned for references to restricted symbols (~uiop:run-program~, ~uiop:shell~, ~uiop:run-shell-command~, ~bt:make-thread~, ~usocket:socket-connect~, ~hunchentoot:start~). If the source references any restricted symbol, the skill is blocked immediately without executing any code. A post-eval secondary check catches indirect references (via ~symbol-function~ comparison).
+
+#+begin_src lisp
+(defun load-skill-from-lisp (filepath)
+  "Loads a .lisp skill file directly, filtering out in-package forms."
+  (let* ((skill-base-name (pathname-name filepath))
+         (entry (or (gethash skill-base-name *skill-catalog*) (setf (gethash skill-base-name *skill-catalog*) (make-skill-entry :filename skill-base-name)))))
+    (setf (skill-entry-status entry) :loading)
+    (handler-case
+        (let* ((content (skill-package-forms-strip (uiop:read-file-string filepath)))
+               (pkg-name (intern (string-upcase (format nil "PASSEPARTOUT.SKILLS.~a" skill-base-name)) :keyword)))
+          (multiple-value-bind (valid-p err) (lisp-syntax-validate content)
+            (unless valid-p (error err)))
+          ;; Pre-eval sandbox scan: block before any code executes
+          (multiple-value-bind (blocked-p blocked-syms)
+              (skill-source-scan content)
+            (when blocked-p
+              (log-message "LOADER SANDBOX: Skill '~a' blocked before eval — references restricted symbol(s): ~{~a~^, ~}"
+                           skill-base-name blocked-syms)
+              (setf (skill-entry-status entry) :sandbox-blocked)
+              (return-from load-skill-from-lisp nil)))
+          (unless (find-package pkg-name)
+            (let ((new-pkg (make-package pkg-name :use '(:cl)))) (use-package :passepartout new-pkg)))
+          (let ((*read-eval* nil) (*package* (find-package pkg-name)))
+            (log-message "LOADER: Loading .lisp skill '~a' in package ~a" skill-base-name (package-name *package*))
+            (with-input-from-string (s content)
+              (loop for form = (read s nil :eof) until (eq form :eof)
+                     do (handler-case (eval form)
+                          (error (c) (log-message "LOADER WARNING in '~a': ~a" skill-base-name c))))))
+           (let* ((jailed-pkg (find-package pkg-name))
+                  (restricted '("RUN-PROGRAM" "SHELL" "RUN-SHELL-COMMAND"))
+                  (violation (loop for r in restricted
+                                   for sym = (find-symbol r :uiop)
+                                   when (and sym (fboundp sym)
+                                             (loop for skill-sym being the symbols of jailed-pkg
+                                                   when (and (fboundp skill-sym)
+                                                             (eq (symbol-function skill-sym)
+                                                                 (symbol-function sym)))
+                                                   return skill-sym))
+                                   collect (format nil "~a" sym))))
+             (when violation
+               (log-message "LOADER SANDBOX: Skill '~a' blocked — references restricted symbol(s): ~{~a~^, ~}"
+                            skill-base-name violation)
+               (setf (skill-entry-status entry) :sandbox-blocked)
+               (return-from load-skill-from-lisp nil))
+             (log-message "LOADER SANDBOX: Skill '~a' passed sandbox check" skill-base-name))
+           (let ((target-pkg (find-package :passepartout))
+                 (exported 0)
+                 (seen (make-hash-table :test 'equal)))
+             (do-symbols (sym (find-package pkg-name))
+               (when (and (eq (symbol-package sym) (find-package pkg-name))
+                          (or (fboundp sym) (boundp sym))
+                          (not (gethash (symbol-name sym) seen)))
+                 (setf (gethash (symbol-name sym) seen) t)
+                 (incf exported)
+                 (let ((existing (find-symbol (symbol-name sym) target-pkg)))
+                   (when existing (unintern existing target-pkg)))
+                 (import sym target-pkg)
+                 (ignore-errors (export sym target-pkg))))
+            (log-message "LOADER: Exported ~a symbols from ~a to :PASSEPARTOUT"
+                         exported (package-name (find-package pkg-name))))
+          (setf (skill-entry-status entry) :ready))
+      (error (c)
+        (log-message "LOADER ERROR in skill '~a': ~a" skill-base-name c)
+        (setf (skill-entry-status entry) :failed) nil))))
+#+end_src
+
+** Initialize (skill-initialize-all)
+
+Boot-time entry point. Scans the skills directory, topologically sorts the files, and loads each one. Called from ~main~ in the metabolic loop and from the REPL for hot-reload.
+
+Skills are loaded from ~$PASSEPARTOUT_DATA_DIR/lisp/~ where both core and skill
+files live after tangling. The org source files live in ~org/~.
+
+#+begin_src lisp
+(defun skill-initialize-all ()
+  "Initializes all skills from the XDG data directory."
+  (let* ((data-dir (uiop:ensure-directory-pathname (or (uiop:getenv "PASSEPARTOUT_DATA_DIR") (namestring (merge-pathnames ".local/share/passepartout/" (user-homedir-pathname))))))
+         (skills-dir (merge-pathnames "lisp/" (uiop:ensure-directory-pathname data-dir))))
+    (unless (uiop:directory-exists-p skills-dir) (return-from skill-initialize-all nil))
+    (let ((sorted-files (skill-topological-sort skills-dir)))
+      (log-message "LOADER: Initializing ~a skills..." (length sorted-files))
+      (dolist (file sorted-files)
+        (if (uiop:string-suffix-p (namestring file) ".lisp")
+            (load-skill-from-lisp file)
+            (load-skill-from-org file)))
+      (log-message "LOADER: Boot Complete."))))
+#+end_src
+
+* Test Suite
+Verifies that the topological sorter correctly orders skills by their ~#+DEPENDS_ON:~ declarations.
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-boot-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:boot-suite))
+
+(in-package :passepartout-boot-tests)
+
+(def-suite boot-suite :description "Verification of the Skill Engine loader")
+(in-suite boot-suite)
+
+(test test-topological-sort-basic
+  "Contract 2: dependency ordering puts dependencies before dependents."
+  (let ((tmp-dir "/tmp/passepartout-boot-test/"))
+    (uiop:ensure-all-directories-exist (list tmp-dir))
+    (with-open-file (out (merge-pathnames "org-skill-a.org" tmp-dir) :direction :output :if-exists :supersede)
+      (format out "#+DEPENDS_ON: skill-b-id~%"))
+    (with-open-file (out (merge-pathnames "org-skill-b.org" tmp-dir) :direction :output :if-exists :supersede)
+      (format out ":PROPERTIES:~%:ID: skill-b-id~%:END:~%"))
+    (unwind-protect
+         (let ((sorted (passepartout::skill-topological-sort tmp-dir)))
+           (let ((pos-a (position "org-skill-a" sorted :key #'pathname-name :test #'string-equal))
+                 (pos-b (position "org-skill-b" sorted :key #'pathname-name :test #'string-equal)))
+             (is (< pos-b pos-a))))
+       (uiop:delete-directory-tree (uiop:ensure-directory-pathname tmp-dir) :validate t))))
+
+(test test-lisp-syntax-validate-valid
+  "Contract 1: valid Lisp code passes syntax validation."
+  (is (eq t (lisp-syntax-validate "(+ 1 2)"))))
+
+(test test-lisp-syntax-validate-invalid
+  "Contract 1: unbalanced Lisp code fails syntax validation."
+  (is (null (lisp-syntax-validate "(+ 1 2"))))
+#+end_src

org/core-transport.org

@@ -0,0 +1,354 @@
+#+TITLE: Communication Protocol (communication.lisp)
+#+AUTHOR: Agent
+#+FILETAGS: :harness:protocol:
+#+STARTUP: content
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/core-transport.lisp
+
+* Overview: Architectural Intent
+
+The Communication Protocol defines how Passepartout speaks to the outside world. It sits between the metabolic loop and the network, providing framed, length-prefixed message transport over TCP.
+
+Every message is an S-expression (plist) prefixed with a 6-character hex length:
+
+  00002C(:TYPE :EVENT :PAYLOAD (:ACTION :handshake :VERSION "0.4.0"))
+
+This is a deliberate rejection of JSON, Protocol Buffers, or any other serialization format. The message format is Lisp-native because:
+
+1. The agent generates and consumes these messages inside the cognitive loop — no serialization layer needed
+2. The format is human-readable and trivially debuggable with a text editor
+3. The length prefix prevents framing attacks (no "read until newline" ambiguity)
+
+** Why Length-Prefixed Framing?
+
+A naive TCP protocol that reads until newline fails when:
+- A message contains a newline character (which Lisp plists can)
+- A message is split across TCP packets (read returns partial data)
+- A malicious client sends an infinite stream without newlines
+
+The length prefix solves all three problems. The reader reads exactly 6 characters (the hex length), then reads exactly that many additional characters. No ambiguous termination, no partial message handling, no newline worries.
+
+The 6-character hex length supports messages up to ~16MB (0xFFFFFF bytes). This is sufficient for any single message the agent would produce. Larger payloads should be split across multiple messages.
+
+** Contract
+
+1. (frame-message msg): serializes a plist message to a length-prefixed
+   string. The first 6 characters are the hex-encoded payload length.
+2. (read-framed-message stream): reads a framed message from a stream,
+   returning the deserialized plist. Consumes exactly the length-prefixed
+   bytes.
+3. Round-trip invariant: ~(read-framed-message (make-string-input-stream
+   (frame-message msg)))~ equals ~msg~.
+
+* Implementation
+
+** Package Context
+#+begin_src lisp
+(in-package :passepartout)
+#+end_src
+
+** Protocol Accessor (proto-get)
+
+Case-insensitive property list accessor used throughout the pipeline.
+Returns the value associated with KEY in PLIST by interning a keyword.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun proto-get (plist key)
+  "Look up KEY in PLIST with case-insensitive keyword normalization."
+  (let ((key-upcase (string-upcase (string key))))
+    (loop for (k v) on plist by #'cddr
+          when (and (keywordp k)
+                    (string-equal (string k) key-upcase))
+            do (return v))))
+#+end_src
+
+** Actuator Registry
+
+The global registry mapping target keywords (~:cli~, ~:telegram~, ~:signal~, etc.) to their physical actuator functions. Extensible at runtime — skills can register new actuators via ~register-actuator~.
+
+#+begin_src lisp
+(defvar *actuator-registry* (make-hash-table :test 'equalp)
+  "Global registry mapping target keywords to their physical actuator functions.")
+
+(defun register-actuator (name fn) 
+  "Registers an actuator function. Actuators receive: (ACTION CONTEXT)."
+  (let ((key (if (keywordp name) name (intern (string-upcase (string name)) :keyword))))
+    (setf (gethash key *actuator-registry*) fn)))
+#+end_src
+
+** Message Framing
+
+Three functions handle the full message lifecycle: sanitize (strip non-serializable state), frame (serialize + prefix), and read (parse from stream).
+
+*** Sanitize Protocol Message
+
+Strips transient runtime state (~:reply-stream~, ~:socket~, ~:stream~) from a message plist before sending it over the network. These are Lisp stream objects that cannot be serialized and have no meaning to the remote end.
+
+#+begin_src lisp
+(defun protocol-message-sanitize (msg)
+  "Recursively strips non-serializable objects from a protocol plist."
+  (if (and msg (listp msg))
+      (let ((clean nil))
+        (loop for (k v) on msg by #'cddr
+              do (unless (member k '(:reply-stream :socket :stream))
+                   (push k clean)
+                   (push (if (listp v) (protocol-message-sanitize v) v) clean)))
+        (nreverse clean))
+      msg))
+#+end_src
+
+*** Frame Message
+
+Serializes a plist to a length-prefixed string: 6-character hex length followed by the ~prin1~ representation.
+
+#+begin_src lisp
+(defun frame-message (msg)
+  "Serializes a message plist and prefixes it with a 6-character hex length."
+  (let* ((sanitized (protocol-message-sanitize msg))
+         (payload (let ((*print-pretty* nil) (*read-eval* nil)) (format nil "~s" sanitized)))
+         (len (length payload)))
+    (format nil "~6,'0x~a" len payload)))
+#+end_src
+
+*** Read Framed Message
+
+Reads a complete framed message from a TCP stream. Handles leading whitespace between messages, partial reads, and malformed length headers gracefully. Returns the parsed S-expression, or ~:eof~ if the stream is closed, or ~:error~ if the message is malformed.
+
+#+begin_src lisp
+(defun read-framed-message (stream)
+  "Reads a hex-length prefixed S-expression from the stream securely."
+  (let ((length-buffer (make-string 6)))
+    (handler-case
+        (progn
+          (loop for char = (peek-char nil stream nil :eof)
+                for ws-count from 0
+                while (and (not (eq char :eof)) (< ws-count 4096)
+                           (member char '(#\Space #\Newline #\Tab #\Return)))
+                do (read-char stream))
+          (let ((count (read-sequence length-buffer stream)))
+            (if (< count 6)
+                :eof
+                (let ((len (ignore-errors (parse-integer length-buffer :radix 16))))
+                  (if (not len)
+                      :error
+                      (let ((msg-buffer (make-string len)))
+                        (read-sequence msg-buffer stream)
+                        (let ((*read-eval* nil))
+                          (handler-case (read-from-string msg-buffer)
+                            (error () :error)))))))))
+      (error () :error))))
+#+end_src
+
+** Server Listener (daemon-start)
+
+The TCP server that accepts connections from CLI and TUI clients. Each connection gets a dedicated thread (~client-handle-connection~).
+
+The daemon sends a handshake message on connection, then enters a read loop, injecting each received message into the metabolic loop via ~stimulus-inject~. The ~:health-check~ message type is handled inline (not sent to the cognitive loop) so that health checks work even when the agent is busy.
+
+#+begin_src lisp
+(defvar *daemon-socket* nil)
+(defvar *daemon-port* nil "The port the daemon is actually listening on (may differ from default if 9105 was in use).")
+
+(defun client-handle-connection (socket)
+  "Handles a single TUI/CLI client connection in a dedicated thread."
+  (let ((stream (usocket:socket-stream socket)))
+    (handler-case
+        (progn
+          (format stream "~a" (frame-message (make-hello-message "0.7.2")))
+          (finish-output stream)
+          (loop
+            (let ((msg (read-framed-message stream)))
+              (cond
+                ((eq msg :eof) (return))
+                ((eq msg :error) (return))
+                ((eq (getf msg :type) :health-check)
+                 (let ((health-msg (list :type :health-response 
+                                         :status (or (and (boundp 'passepartout::*system-health*) 
+                                                         (symbol-value 'passepartout::*system-health*))
+                                                     :unknown)
+                                         :checked-p (or (and (boundp 'passepartout::*health-check-ran*)
+                                                             (symbol-value 'passepartout::*health-check-ran*))
+                                                     nil))))
+                   (format stream "~a" (frame-message health-msg))
+                   (finish-output stream)))
+                ((member (getf (getf msg :payload) :action)
+                         '(:config-get :config-set :config-list
+                           :provider-test :provider-models))
+                 (handle-client-config msg stream))
+                (t (stimulus-inject msg :stream stream))))))
+      (error (c) (log-message "CLIENT ERROR: ~a" c)))
+    (ignore-errors (usocket:socket-close socket))))
+
+(defun handle-client-config (msg stream)
+  "Handle config/provider commands inline (not through the cognitive pipeline)."
+  (let* ((payload (getf msg :payload))
+         (action (getf payload :action))
+         (name (getf payload :name))
+         (key (getf payload :key))
+         (value (getf payload :value))
+         (result nil))
+    (case action
+      (:config-list
+       (setf result (with-output-to-string (out)
+                      (dolist (e (sort (config-read) #'string-lessp :key #'car))
+                        (format out "~a=~a~%" (car e) (cdr e))))))
+      (:config-get
+       (let ((val (config-get (intern (string-upcase key) :keyword))))
+         (setf result (format nil "~a: ~:[not set~;~:*~a~]" key val))))
+      (:config-set
+       (config-set (intern (string-upcase key) :keyword) value)
+       (setf result (format nil "✓ ~a set" key)))
+      (:provider-test
+       (let ((ok (ignore-errors (test-provider-connection
+                                 (intern (string-downcase name) :keyword)))))
+         (setf result (format nil "~a: ~:[✗ failed~;✓ connected~]" name ok))))
+      (:provider-models
+       (let ((models (ignore-errors (test-provider-connection
+                                     (intern (string-downcase name) :keyword)))))
+         (setf result (format nil "~a models: ~a" name (or models "unavailable"))))))
+    (when result
+      (format stream "~a" (frame-message (list :type :event :payload (list :text result))))
+      (finish-output stream))))
+
+(defun start-daemon (&key (port 9105) (max-retries 10))
+  "Starts the network listener for TUI/CLI clients.
+If PORT is taken, tries subsequent ports up to PORT+MAX-RETRIES."
+  (loop for attempt from 0 below max-retries
+        for p = (+ port attempt)
+        do (handler-case
+               (progn
+                 (setf *daemon-socket* (usocket:socket-listen "127.0.0.1" p :reuse-address t))
+                 (log-message "DAEMON: Listening on localhost:~a" p)
+                 (setf *daemon-port* p)
+                 (bt:make-thread
+                  (lambda ()
+                    (loop
+                      (let ((client-socket (usocket:socket-accept *daemon-socket*)))
+                        (when client-socket
+                          (bt:make-thread (lambda () (client-handle-connection client-socket))
+                                         :name "passepartout-client-handler")))))
+                  :name "passepartout-server-listener")
+                 (return p))
+             (usocket:address-in-use-error ()
+               (when (= attempt (1- max-retries))
+                 (log-message "DAEMON: All ports ~d-~d in use — giving up" port (+ port max-retries -1))
+                 (error "No available port for daemon"))
+               (log-message "DAEMON: Port ~d in use, trying ~d..." p (1+ p))))))
+#+end_src
+
+** Handshake Logic
+
+The first message sent to every new connection. The client can use this to verify the protocol version and the daemon's capabilities.
+
+#+begin_src lisp
+(defun make-hello-message (version)
+  "Constructs the standard HELLO handshake message."
+  (list :TYPE :EVENT 
+        :PAYLOAD (list :ACTION :handshake 
+                       :VERSION version 
+                       :CAPABILITIES '(:AUTH :ORG-AST))))
+#+end_src
+
+** Structural Validation
+
+Validates that an incoming message has the minimum required structure: a plist with a valid ~:type~ field. Used by the protocol validator skill to reject malformed messages before they enter the cognitive loop.
+
+#+begin_src lisp
+(in-package :passepartout)
+
+(defun protocol-schema-validate (msg)
+  "Strict structural validation for incoming protocol messages."
+  (unless (listp msg) (error "Message must be a plist"))
+  (let ((type (proto-get msg :type)))
+    (unless (member type '(:REQUEST :EVENT :RESPONSE :LOG :STATUS))
+      (error "Invalid message type '~a'" type))
+    t))
+#+end_src
+
+** Backward-Compatibility Alias
+
+;; REPL-VERIFIED: 2026-05-03T14:00:00
+#+begin_src lisp
+(defun validate-communication-protocol-schema (msg)
+  "Backward-compatibility alias for protocol-schema-validate."
+  (protocol-schema-validate msg))
+#+end_src
+
+** Protocol Smoke Test (manual for REPL evaluation)
+
+Use this function to manually verify that the daemon is alive and the framing protocol works end-to-end. It connects to a running daemon, reads the HELLO handshake, sends a "hi" message, and reads the response.
+
+#+begin_src lisp :tangle no
+(defun test-daemon-protocol ()
+  (handler-case
+      (let* ((socket (usocket:socket-connect "127.0.0.1" 9105))
+             (stream (usocket:socket-stream socket)))
+        (format t "Connected.~%")
+        (let* ((len-buf (make-string 6))
+               (count (read-sequence len-buf stream)))
+          (when (= count 6)
+            (let* ((len (parse-integer len-buf :radix 16))
+                   (msg-buf (make-string len)))
+              (read-sequence msg-buf stream)
+              (format t "HELLO: ~a~%" msg-buf))))
+        (let* ((msg '(:TYPE :EVENT :META (:SOURCE :tui) :PAYLOAD (:SENSOR :user-input :TEXT "hi")))
+               (framed (frame-message msg)))
+          (format stream "~a" framed)
+          (finish-output stream)
+          (let* ((len-buf (make-string 6))
+                 (count (read-sequence len-buf stream)))
+            (when (= count 6)
+              (let* ((len (parse-integer len-buf :radix 16))
+                     (msg-buf (make-string len)))
+                (read-sequence msg-buf stream)
+                (format t "Response: ~a~%" msg-buf)))))
+        (usocket:socket-close socket))
+    (error (c) (format t "Error: ~a~%" c))))
+#+end_src
+
+* Test Suite
+Verifies that the framing protocol correctly serializes and deserializes messages.
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-communication-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:communication-protocol-suite))
+(in-package :passepartout-communication-tests)
+
+(def-suite communication-protocol-suite :description "Communication Protocol Suite")
+(in-suite communication-protocol-suite)
+
+(test test-framing
+  "Contract 1: frame-message produces correct hex length prefix."
+  (let* ((msg '(:type :EVENT :payload (:action :handshake)))
+         (framed (frame-message msg)))
+    (is (string= "00002C" (string-upcase (subseq framed 0 6))))))
+
+(test test-framing-round-trip
+  "Contract 3: frame → read-frame preserves message identity."
+  (let* ((msg '(:type :EVENT :payload (:action :handshake :version "1.0") :meta (:source :tui)))
+         (framed (frame-message msg))
+         (unframed (read-framed-message (make-string-input-stream framed))))
+    (is (equal msg unframed))))
+
+(test test-framing-empty-message
+  "Contract 1: simple messages frame with valid hex length."
+  (let* ((msg '(:type :ping))
+         (framed (frame-message msg)))
+    (is (> (length framed) 5))
+    (is (every (lambda (c) (digit-char-p c 16)) (subseq framed 0 6)))))
+
+(test test-read-framed-message
+  "Contract 2: read-framed-message decodes a framed message correctly."
+  (let* ((original '(:type :EVENT :payload (:text "decoded" :id 42)))
+         (framed (frame-message original))
+         (decoded (read-framed-message (make-string-input-stream framed))))
+    (is (equal original decoded))))
+
+(test test-read-framed-message-eof
+  "Contract 2: read-framed-message returns :eof on incomplete stream."
+  (let ((decoded (read-framed-message (make-string-input-stream "000"))))
+    (is (eq :eof decoded))))
+#+end_src

org/cost-tracker.org

@@ -0,0 +1,285 @@
+#+TITLE: Cost Tracker — per-session token cost accounting
+#+AUTHOR: Agent
+#+FILETAGS: :token-economics:cost-tracking:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/cost-tracker.lisp
+
+* Architectural Intent
+
+Cost tracking gives the user visibility into what the agent spends on their
+behalf. No competitor provides this — Claude Code and Copilot obscure cost
+behind flat-rate subscriptions. Passepartout tracks every LLM call, logs
+cumulative cost, and exposes it via a ~/cost~ TUI command.
+
+The tracking is minimal and accurate to within ~10-15% (using the token
+heuristic from tokenizer.lisp). It persists across daemon restarts via
+~*session-cost*~ in the memory store.
+
+** v0.8.0 — Session Summary for Sidebar
+
+The sidebar's Cost panel needs an at-a-glance cost summary: total spent,
+call count, per-provider breakdown. ~cost-session-summary~ packages the
+three existing accessors (~cost-session-total~, ~cost-session-calls~,
+~cost-by-provider~) into a single plist ~(:total <float> :calls <int>
+:by-provider <alist>)~. This is a thin wrapper (~5 lines) — the data
+already exists; the function exposes it in the shape the TUI expects.
+
+Called from ~core-act.org~'s ~:tui~ actuator via ~fboundp~ guard.
+Degrades gracefully to nil when cost-tracker is not loaded.
+
+** Contract
+
+1. (cost-track-call provider prompt-text response-text): compute and
+   accumulate the cost of a single LLM call. Returns the cost in USD.
+2. (cost-session-total): returns the current session's total cost.
+3. (cost-session-reset): zeroes the session cost accumulator.
+4. (cost-format-budget-status total budget): returns a human-readable
+    budget status string for the TUI status bar.
+5. (cost-session-summary): returns plist
+    ~(:total <float> :calls <int> :by-provider <alist>)~ aggregating
+    all three session cost accessors. Consumed by the TUI actuator
+    for the sidebar Cost panel (v0.8.0).
+6. (budget-remaining-usd): returns the remaining budget in USD, or
+   ~most-positive-double-float~ when no budget is set.
+7. (budget-exhausted-p): returns T when a budget is set and fully
+   consumed. ~fboundp~-guarded at call sites so the checker is
+   a no-op when cost-tracker is not loaded.
+8. (budget-estimate-call prompt-text): estimates the dollar cost of a
+   pending LLM call from the prompt text. Returns 0.0 when the
+   tokenizer skill is not loaded (allows the call through).
+9. (budget-exhaustion-message): returns a ~:REQUEST~ plist with a
+   human-readable message explaining the budget cap. Injected as the
+   LLM response when the budget is exhausted.
+
+* Implementation
+
+** Package Context
+#+begin_src lisp
+(in-package :passepartout)
+#+end_src
+
+** Session cost state
+#+begin_src lisp
+(defvar *session-cost* (list :total 0.0 :calls 0 :by-provider nil)
+  "Session cost accumulator: (:total <float> :calls <int> :by-provider <alist>)")
+
+(defvar *session-cost-lock* (bordeaux-threads:make-lock "session-cost-lock")
+  "Lock protecting *session-cost* from concurrent updates.")
+#+end_src
+
+** Per-call cost tracking
+#+begin_src lisp
+(defun cost-track-call (provider prompt-text &optional response-text)
+  "Compute and accumulate the cost of a single LLM call.
+Returns the cost of this call in USD."
+  (let* ((input-tokens (if (fboundp 'count-tokens)
+                         (funcall (symbol-function 'count-tokens) (or prompt-text ""))
+                         (ceiling (length (or prompt-text "")) 4)))
+         (output-tokens (if (and response-text (fboundp 'count-tokens))
+                          (funcall (symbol-function 'count-tokens) response-text)
+                          0))
+         (total-tokens (+ input-tokens output-tokens))
+         (cost (provider-token-cost provider total-tokens)))
+    (bordeaux-threads:with-lock-held (*session-cost-lock*)
+      (incf (getf *session-cost* :total) cost)
+      (incf (getf *session-cost* :calls))
+      (let ((by-prov (getf *session-cost* :by-provider)))
+        (let ((entry (assoc provider by-prov)))
+          (if entry
+              (incf (cdr entry) cost)
+              (setf (getf *session-cost* :by-provider)
+                    (acons provider cost by-prov))))))
+    (log-message "COST TRACKER: ~a call: ~,4f USD (session total: ~,4f USD)"
+                 provider cost (getf *session-cost* :total))
+    cost))
+#+end_src
+
+** Session total
+#+begin_src lisp
+(defun cost-session-total ()
+  "Returns the current session's total cost in USD."
+  (bordeaux-threads:with-lock-held (*session-cost-lock*)
+    (getf *session-cost* :total)))
+
+(defun cost-session-calls ()
+  "Returns the total number of LLM calls in this session."
+  (bordeaux-threads:with-lock-held (*session-cost-lock*)
+    (getf *session-cost* :calls)))
+
+(defun cost-by-provider ()
+  "Returns an alist of (provider . total-cost) for this session."
+  (bordeaux-threads:with-lock-held (*session-cost-lock*)
+    (getf *session-cost* :by-provider)))
+#+end_src
+
+** Session summary (v0.8.0)
+#+begin_src lisp
+(defun cost-session-summary ()
+  "Returns plist (:total <float> :calls <int> :by-provider <alist>)."
+  (bordeaux-threads:with-lock-held (*session-cost-lock*)
+    (list :total (getf *session-cost* :total)
+          :calls (getf *session-cost* :calls)
+          :by-provider (getf *session-cost* :by-provider))))
+#+end_src
+
+** Session reset
+#+begin_src lisp
+(defun cost-session-reset ()
+  "Zeroes the session cost accumulator."
+  (bordeaux-threads:with-lock-held (*session-cost-lock*)
+    (setf (getf *session-cost* :total) 0.0)
+    (setf (getf *session-cost* :calls) 0)
+    (setf (getf *session-cost* :by-provider) nil)))
+#+end_src
+
+** Budget status formatting
+#+begin_src lisp
+(defun cost-format-budget-status (&optional (daily-budget nil))
+  "Returns a string for the TUI status bar showing session cost.
+If DAILY-BUDGET is provided, includes percentage of budget used."
+  (let* ((total (cost-session-total))
+         (calls (cost-session-calls))
+         (budget (or daily-budget
+                     (ignore-errors
+                       (parse-integer (uiop:getenv "COST_BUDGET_DAILY")))
+                     0))
+         (pct (if (> budget 0) (* 100.0 (/ total budget)) 0.0))
+         (status (cond
+                   ((= calls 0) "—")
+                   ((< pct 50) "OK")
+                   ((< pct 90) "WARN")
+                   (t "HIGH"))))
+    (if (> budget 0)
+        (format nil "[Cost: $~,2f (~,0f%) ~a]" total pct status)
+        (format nil "[Cost: $~,2f | ~d calls]" total calls))))
+#+end_src
+
+** Hook into cascade
+
+This function is called from ~backend-cascade-call~ after each successful
+LLM invocation to record the cost.
+
+#+begin_src lisp
+(defun cost-track-backend-call (backend prompt-text &optional response-text)
+  "Track cost of a backend cascade call."
+  (cost-track-call backend prompt-text response-text))
+#+end_src
+
+** Budget enforcement (v0.5.0 deferred)
+
+Session-wide cost caps that refuse LLM calls when the budget is exhausted.
+The budget is set via ~SESSION_BUDGET_USD~ env var (default: no limit).
+When exceeded, the agent falls back to deterministic-only mode — pure Lisp
+operations still work, but no cascade calls are made until the cap is raised
+or the session is reset.
+
+#+begin_src lisp
+(defvar *session-budget*
+  (ignore-errors (read-from-string (uiop:getenv "SESSION_BUDGET_USD")))
+  "Maximum USD to spend in this session. NIL means no limit.")
+
+(defun budget-remaining-usd ()
+  "Returns remaining budget in USD, or a large sentinel if unlimited."
+  (if *session-budget*
+      (let ((remaining (- *session-budget* (cost-session-total))))
+        (if (< remaining 0) 0.0 remaining))
+      most-positive-double-float))
+
+(defun budget-exhausted-p ()
+  "T if the session budget is set and fully consumed."
+  (and *session-budget* (<= (budget-remaining-usd) 0.0)))
+
+(defun budget-estimate-call (prompt-text)
+  "Estimate the dollar cost of a pending LLM call from its prompt text.
+Returns 0.0 if the tokenizer is not loaded (allows call through)."
+  (if (fboundp 'count-tokens)
+      (let* ((tokens (funcall (symbol-function 'count-tokens) (or prompt-text "")))
+             (cost (provider-token-cost (first *provider-cascade*) tokens)))
+        cost)
+      0.0))
+
+(defun budget-exhaustion-message ()
+  "Returns a user-facing plist explaining that the budget is spent."
+  (let ((total (cost-session-total))
+        (cap *session-budget*))
+    (list :TYPE :REQUEST
+          :PAYLOAD (list :ACTION :MESSAGE
+                         :TEXT (format nil "Session budget exhausted: $~,4f of $~,2f spent. Raise SESSION_BUDGET_USD or reset with /cost-reset to continue."
+                                       total cap)
+                         :EXPLANATION "Budget cap reached. No LLM calls will be made until the limit is raised."))))
+#+end_src
+
+* Test Suite
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-cost-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:cost-suite))
+
+(in-package :passepartout-cost-tests)
+
+(def-suite cost-suite :description "Cost tracking and budget management")
+(in-suite cost-suite)
+
+(test test-cost-track-call
+  "Contract 1: cost-track-call returns a positive number."
+  (cost-session-reset)
+  (let ((cost (cost-track-call :deepseek "hello world")))
+    (is (numberp cost))
+    (is (> cost 0.0))))
+
+(test test-cost-session-total-accumulates
+  "Contract 2: session total grows with multiple calls."
+  (cost-session-reset)
+  (cost-track-call :deepseek "hello")
+  (cost-track-call :deepseek "world")
+  (let ((total (cost-session-total)))
+    (is (> total 0.0))
+    (is (= 2 (cost-session-calls)))))
+
+(test test-cost-session-reset
+  "Contract 3: cost-session-reset zeroes the accumulator."
+  (cost-session-reset)
+  (cost-track-call :deepseek "hello")
+  (is (> (cost-session-total) 0.0))
+  (cost-session-reset)
+  (is (= 0.0 (cost-session-total)))
+  (is (= 0 (cost-session-calls))))
+
+(test test-cost-format-budget-status
+  "Contract 4: format-budget-status returns a string."
+  (cost-session-reset)
+  (cost-track-call :deepseek "hello world")
+  (let ((status (cost-format-budget-status 100)))
+    (is (stringp status))
+    (is (search "$" status))))
+
+(test test-cost-by-provider
+  "Contract: cost-by-provider returns per-provider breakdown."
+  (cost-session-reset)
+  (cost-track-call :deepseek "a")
+  (cost-track-call :groq "b")
+  (let ((by (cost-by-provider)))
+    (is (listp by))
+    (is (assoc :deepseek by))
+    (is (assoc :groq by))))
+
+(test test-cost-track-no-response
+  "Contract 1: cost-track-call works without response-text."
+  (cost-session-reset)
+  (let ((cost (cost-track-call :deepseek "test")))
+    (is (> cost 0.0))))
+
+(test test-cost-session-summary
+  "Contract 5: cost-session-summary returns plist with total, calls, by-provider."
+  (cost-session-reset)
+  (cost-track-call :deepseek "hello")
+  (cost-track-call :groq "world")
+  (let ((s (cost-session-summary)))
+    (is (> (getf s :total) 0.0))
+    (is (= 2 (getf s :calls)))
+    (let ((by (getf s :by-provider)))
+      (is (assoc :deepseek by))
+      (is (assoc :groq by)))))
+#+end_src

org/embedding-backends.org

@@ -0,0 +1,305 @@
+#+TITLE: SKILL: Embedding Gateway (org-skill-embedding-gateway.org)
+#+AUTHOR: Agent
+#+FILETAGS: :skill:system:embedding:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/embedding-backends.lisp
+
+* Architectural Intent
+
+~system-model-embedding~ converts text into vector representations for semantic search and memory retrieval. It provides three backends:
+
+- ~:trigram~ — a zero-dependency fallback that uses character-trigram Jaccard similarity. Pure Lisp, works fully offline, captures lexical overlap.
+- ~:sha256~ — integrity-only (explicit opt-in). SHA-256 hashing for environments where even trivial computation is undesirable.
+- ~:local~ — any OpenAI-compatible ~/api/embeddings~ endpoint (Ollama, vLLM, etc.)
+- ~:openai~ — the OpenAI ~/v1/embeddings~ API with an API key
+- ~:native~ — in-process inference via llama.cpp / CFFI. 768-dim nomic-embed-text-v1.5, zero network calls, <100ms per document on CPU. Requires model file at ~/.local/share/passepartout/models/nomic-embed-text-v1.5.Q4_K_M.gguf and libllama_wrap.so at /usr/local/lib.
+
+The embedding queue (~embed-queue-object~ / ~embed-all-pending~) decouples document indexing from the main loop. On each heartbeat tick, ~embed-all-pending~ drains the queue and embeds all accumulated objects. This prevents indexing traffic from blocking conversational responses.
+
+The default provider is ~:trigram~ — it captures lexical overlap (character trigram bloom filter → cosine similarity approximates Jaccard) and works immediately with zero configuration. Switch to ~:local~ or ~:openai~ when you have an embedding server; switch to ~:sha256~ for integrity-only deployments.
+
+**Why not SHA-256 by default?** SHA-256 is a cryptographic hash with the avalanche property — one-bit input differences produce entirely different outputs. "implement user login form" and "implement user login forn" (one character difference) have completely different SHA-256 values → cosine similarity near zero. This makes SHA-256 correct for integrity verification (Merkle tree) but useless for similarity-based retrieval. The trigram Jaccard approach captures lexical overlap: "authentication" and "authenticate" share trigrams "aut", "uth", "the", "hen", "ent", "nti", "tic", "ica", producing high cosine similarity (0.80). "authentication" and "banana" share zero trigrams → 0.0 similarity.
+
+This replaces the old ~system-embedding-gateway~ with the same logic but renamed to ~system-model-embedding~ to live alongside the other ~system-model-*~ skills.
+
+* Implementation
+
+** State
+#+begin_src lisp
+(in-package :passepartout)
+
+(defvar *embedding-provider* :trigram
+  "Active embedding provider: :trigram, :sha256, :local, :openai, :native.")
+
+(defvar *embedding-queue* nil
+  "Queue of text objects awaiting embedding.")
+
+(defvar *embedding-batch-size* 10
+  "Maximum texts per embedding API call.")
+#+end_src
+
+** Local backend (OpenAI-compatible)
+#+begin_src lisp
+(defun embedding-backend-local (text)
+  "Generate embeddings via a local OpenAI-compatible endpoint."
+  (let* ((url (or (uiop:getenv "LOCAL_BASE_URL") (format nil "http://~a" (or (uiop:getenv "OLLAMA_HOST") "localhost:11434"))))
+         (model (or (uiop:getenv "EMBEDDING_MODEL") "nomic-embed-text"))
+         (body (cl-json:encode-json-to-string
+                `((model . ,model) (input . ,text)))))
+    (handler-case
+        (let* ((response (dex:post (format nil "~a/api/embeddings" url)
+                                   :headers '(("Content-Type" . "application/json"))
+                                   :content body :connect-timeout 5 :read-timeout 30))
+               (json (cl-json:decode-json-from-string response))
+               (data (car (cdr (assoc :data json)))))
+          (or (cdr (assoc :embedding data))
+              (list :error "No embedding in response")))
+      (error (c)
+        (list :error (format nil "Embedding failed: ~a" c))))))
+#+end_src
+
+** OpenAI backend
+#+begin_src lisp
+(defun embedding-backend-openai (text)
+  "Generate embeddings via OpenAI compatible /v1/embeddings endpoint."
+  (let* ((api-key (uiop:getenv "OPENAI_API_KEY"))
+         (base-url (or (uiop:getenv "EMBEDDING_BASE_URL") "https://api.openai.com/v1"))
+         (model (or (uiop:getenv "EMBEDDING_MODEL") "text-embedding-3-small"))
+         (body (cl-json:encode-json-to-string
+                `((model . ,model) (input . ,text)))))
+    (handler-case
+        (let* ((response (dex:post (format nil "~a/embeddings" base-url)
+                                    :headers `(("Content-Type" . "application/json")
+                                               ("Authorization" . ,(format nil "Bearer ~a" api-key)))
+                                    :content body :connect-timeout 5 :read-timeout 30))
+               (json (cl-json:decode-json-from-string response))
+               (data (car (cdr (assoc :data json)))))
+          (or (cdr (assoc :embedding data))
+              (list :error "No embedding in response")))
+      (error (c)
+        (list :error (format nil "OpenAI Embedding failed: ~a" c))))))
+#+end_src
+
+** Trigram backend (v0.4.0)
+#+begin_src lisp
+(defun embedding-backend-sha256 (text)
+  "SHA-256 based vector — integrity only, no semantic retrieval capability.
+For environments where even trivial computation is undesirable."
+  (let* ((digest (ironclad:digest-sequence :sha256 (babel:string-to-octets text)))
+         (vec (make-array 8 :element-type 'single-float :initial-element 0.0)))
+    (dotimes (i (min (length digest) 8))
+      (setf (aref vec i) (float (/ (aref digest i) 255.0) 0.0)))
+    vec))
+
+(defun embedding-backend-hashing (text)
+  "Backward-compatibility alias for SHA-256 hashing."
+  (embedding-backend-sha256 text))
+
+(defun embedding-backend-trigram (text)
+  "Trigram bloom filter — captures lexical overlap for semantic retrieval.
+Returns a 128-dim float vector where each position corresponds to a trigram hash.
+Pure Lisp, zero external dependencies, works fully offline."
+  (let* ((s (string-trim '(#\Space #\Newline #\Tab) (string-downcase text)))
+         (trigrams (make-hash-table :test 'equal))
+         (result (make-array 128 :element-type 'single-float :initial-element 0.0)))
+    (when (>= (length s) 3)
+      (loop for i from 0 to (- (length s) 3)
+            for tri = (subseq s i (+ i 3))
+            do (setf (gethash tri trigrams) t)))
+    (maphash (lambda (tri _) (declare (ignore _))
+               (setf (aref result (mod (sxhash tri) 128)) 1.0))
+             trigrams)
+    result))
+#+end_src
+
+** Object embedding and queuing
+#+begin_src lisp
+(defvar *embedding-backend* nil
+  "Explicit backend override (nil = use *embedding-provider*).")
+
+(defun embeddings-compute (text)
+  "Compute an embedding vector for text using the active backend."
+  (embed-object text))
+
+(defun embed-object (text)
+  "Embed a single text string using the active backend."
+  (let* ((selected (or *embedding-backend* *embedding-provider* :trigram))
+         (backend (case selected
+                    (:local #'embedding-backend-local)
+                    (:openai #'embedding-backend-openai)
+                    (:native
+                     (unless (fboundp 'embedding-backend-native)
+                       (embedding-native-ensure-loaded))
+                     #'embedding-backend-native)
+                    (:sha256 #'embedding-backend-sha256)
+                    (t #'embedding-backend-trigram))))
+    (if backend
+        (progn
+          (log-message "EMBEDDING: Provider ~a, backend=~a" selected backend)
+          (funcall backend text))
+        (progn
+          (log-message "EMBEDDING: No backend for provider ~a, using hashing" selected)
+          (embedding-backend-hashing text)))))
+
+(defun embed-queue-object (object)
+  "Queue a text object for async embedding."
+  (push object *embedding-queue*)
+  (log-message "EMBEDDING: Queued object"))
+
+(defun embed-all-pending ()
+  "Drain the embedding queue, store vectors in the store-keyed objects."
+  (let ((batch (nreverse *embedding-queue*)))
+    (setf *embedding-queue* nil)
+    (dolist (item batch)
+      (handler-case
+          (let ((id (getf item :id))
+                (text (getf item :text)))
+            (when (and id text)
+              (let ((vec (embeddings-compute text))
+                    (obj (gethash id *memory-store*)))
+                (when (and obj vec (not (listp vec)))
+                  (setf (memory-object-vector obj) vec))
+                (log-message "EMBEDDING: Computed vector for ~a (~d dims)" id (length vec)))))
+        (error (c)
+          (log-message "EMBEDDING: Failed to embed object: ~a" c))))))
+
+;; Apply env var override at load time
+(let ((provider-env (uiop:getenv "EMBEDDING_PROVIDER")))
+  (when provider-env
+    (let ((kw (intern (string-upcase provider-env) :keyword)))
+      (setf *embedding-provider* kw)
+      (log-message "EMBEDDING: Set provider to ~a from EMBEDDING_PROVIDER env" kw))))
+
+(defun embedding-native-ensure-loaded ()
+  "Lazy-load the native CFFI backend. First call blocks ~30s for model init."
+  (when (fboundp 'embedding-backend-native)
+    (return-from embedding-native-ensure-loaded t))
+  (let* ((data-dir (uiop:ensure-directory-pathname
+                    (or (uiop:getenv "PASSEPARTOUT_DATA_DIR")
+                        (namestring (merge-pathnames ".local/share/passepartout/"
+                                                    (user-homedir-pathname))))))
+         (native-file (merge-pathnames "lisp/embedding-native.lisp" data-dir)))
+    (handler-case
+        (progn
+          (load native-file :verbose nil :print nil)
+          (log-message "EMBEDDING: Native backend loaded from ~a" native-file))
+      (error (c)
+        (error "Failed to load native embedding backend (~a): ~a" native-file c)))))
+
+;; Preload native model if configured at startup
+(when (eq *embedding-provider* :native)
+  (log-message "EMBEDDING: Native provider configured, preloading model...")
+  (embedding-native-ensure-loaded)
+  (handler-case
+      (progn
+        (embedding-native-load-model)
+        (log-message "EMBEDDING: Native model preloaded (~d dims)"
+                     (embedding-native-get-dim)))
+    (error (c)
+      (log-message "EMBEDDING: Preload deferred: ~a (will retry on first call)" c))))
+
+(log-message "EMBEDDING: Gateway loaded with provider ~a" *embedding-provider*)
+#+end_src
+
+** Stale vector marking
+#+begin_src lisp
+(defun mark-vector-stale (id &optional content)
+  "Mark a memory object's vector as :pending and queue it for re-embedding.
+When content is not supplied, reads from the object in *memory-store*."
+  (let* ((obj (gethash id *memory-store*))
+         (text (or content (and obj (memory-object-content obj)))))
+    (when obj
+      (setf (memory-object-vector obj) :pending))
+    (when text
+      (push (list :id id :text text) *embedding-queue*)
+      (log-message "EMBEDDING: Marked ~a vector stale, queued for re-embed" id))
+    (or obj text)))
+#+end_src
+
+** Skill Registration and Cron
+#+begin_src lisp
+(defskill :passepartout-embedding-backends
+  :priority 70
+  :trigger (lambda (ctx) (declare (ignore ctx)) nil))
+
+;; Register periodic batch embedding via cron (when orchestrator available)
+(when (fboundp 'orchestrator-register-cron)
+  (handler-case
+      (orchestrator-register-cron :embed-batch
+                                  "<2026-05-05 Tue +10m>"
+                                  'embed-all-pending
+                                  :reflex)
+    (error (c)
+      (log-message "EMBEDDING: Cron registration failed: ~a" c))))
+#+end_src
+
+* Contract
+
+1. (embeddings-compute text): produces a vector (single-float array) for
+   any text string using the active backend (~*embedding-backend*~ or
+   ~*embedding-provider*~).
+2. (embedding-backend-hashing text): zero-dependency fallback. Returns
+   an 8-element single-float vector deterministically from SHA-256.
+3. (embed-all-pending): drains ~*embedding-queue*~, computes vectors for
+   all queued objects, and stores them in ~*memory-store*~ entries.
+4. (mark-vector-stale id &optional content): sets ~:vector~ to ~:pending~
+   and pushes object to ~*embedding-queue*~ for background re-embedding.
+5. Cron: ~embed-all-pending~ is registered with the orchestrator to run
+   on ~:reflex~ tier every 10 minutes for background batch processing.
+
+* Test Suite
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-embedding-tests
+  (:use :cl :passepartout)
+  (:export #:embedding-suite))
+
+(in-package :passepartout-embedding-tests)
+
+(fiveam:def-suite embedding-suite :description "Embedding gateway verification")
+(fiveam:in-suite embedding-suite)
+
+(fiveam:test test-embedding-backend-hashing
+  "Contract 2: hashing backend produces 8-element float vector."
+  (let ((vec (embedding-backend-hashing "hello world")))
+    (fiveam:is (arrayp vec))
+    (fiveam:is (= 8 (length vec)))
+    (fiveam:is (every #'numberp (coerce vec 'list)))))
+
+(fiveam:test test-embedding-backend-hashing-deterministic
+  "Contract 2: same input produces same vector."
+  (let ((v1 (embedding-backend-hashing "test"))
+        (v2 (embedding-backend-hashing "test")))
+    (fiveam:is (equalp v1 v2))))
+
+(fiveam:test test-embeddings-compute
+  "Contract 1: embeddings-compute returns a float vector."
+  (let ((vec (embeddings-compute "some text")))
+    (fiveam:is (arrayp vec))
+    (fiveam:is (> (length vec) 0))))
+
+(fiveam:test test-embed-queue-and-drain
+  "Contract 3: embed-all-pending drains queue and stores vectors."
+  (let ((*embedding-queue* nil))
+    (embed-queue-object '(:id "test-obj" :text "sample text"))
+    (fiveam:is (= 1 (length *embedding-queue*)))
+    (embed-all-pending)
+    (fiveam:is (null *embedding-queue*))))
+
+(fiveam:test test-mark-vector-stale
+  "Contract 4: mark-vector-stale sets vector to :pending and queues for re-embed."
+  (let ((*embedding-queue* nil))
+    ;; Create an object in memory with a vector
+    (let ((obj (make-memory-object :id "stale-test" :content "stale content"
+                                   :vector #(1.0 2.0 3.0))))
+      (setf (gethash "stale-test" *memory-store*) obj)
+      (mark-vector-stale "stale-test")
+      (fiveam:is (eq :pending (memory-object-vector obj)))
+      (fiveam:is (= 1 (length *embedding-queue*)))
+      (let ((item (first *embedding-queue*)))
+        (fiveam:is (string= "stale-test" (getf item :id)))
+        (fiveam:is (string= "stale content" (getf item :text))))
+      ;; Clean up
+      (remhash "stale-test" *memory-store*))))
+#+end_src

org/embedding-native.org

@@ -0,0 +1,376 @@
+#+TITLE: SKILL: Native Embedding Inference (org-skill-embedding-native.org)
+#+AUTHOR: Agent
+#+FILETAGS: :skill:system:embedding:cffi:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/embedding-native.lisp
+
+* Architectural Intent
+
+=system-model-embedding-native= provides in-process embedding inference via CFFI binding to llama.cpp. Unlike =:local= (Ollama REST API) and =:openai= (paid API), =:native= runs the embedding model directly in the SBCL process — zero network calls, zero external servers.
+
+The bundled model is =nomic-embed-text-v1.5= (nomic-bert, 768-dim, 12 layers, Q4_K_M quantization, ~80MB) at =~/.local/share/passepartout/models/nomic-embed-text-v1.5.Q4_K_M.gguf=. It is a BERT-family encoder-only model — single forward pass, no autoregressive decoding.
+
+**Key architectural decisions**:
+- C wrapper library (=/usr/local/lib/libllama_wrap.so=) bridges CFFI pointer params to llama.cpp's struct-by-value API (CFFI cannot pass/return structs by value)
+- Struct sizes verified via C ~sizeof~ / ~offsetof~: =llama_model_params= (72B), =llama_context_params= (136B), =llama_batch= (56B)
+- Model and context cached globally in =*native-model*= / =*native-context*= to avoid reloading
+- BERT pooling: =llama_get_embeddings_seq= for sequence-level embedding (not =llama_get_embeddings_ith=)
+- =sb-int:set-floating-point-modes= :traps nil required before any llama.cpp call (FPU state conflict)
+
+* Implementation
+
+** Package guard
+#+begin_src lisp
+(unless (find-package :passepartout)
+  (make-package :passepartout :use '(:cl)))
+
+(in-package :passepartout)
+#+end_src
+
+** CFFI: Load C wrapper + llama libraries
+
+The C wrapper (=libllama_wrap.so=) bridges struct-by-value: all wrapper functions take pure pointers and dereference internally.
+
+#+begin_src lisp
+(cffi:define-foreign-library libllama_wrap (:unix "/usr/local/lib/libllama_wrap.so"))
+(cffi:use-foreign-library libllama_wrap)
+(cffi:define-foreign-library libllama (:unix "/usr/local/lib/libllama.so"))
+(cffi:use-foreign-library libllama)
+#+end_src
+
+** CFFI: Struct definitions
+
+Sizes verified via C =sizeof= / =offsetof= at build time.
+
+#+begin_src lisp
+(cffi:defcstruct (llama-mparams :size 72)
+  (devices :pointer) (tensor-buft :pointer) (n-gpu-layers :int32)
+  (split-mode :int32) (main-gpu :int32) (_pad1 :int32)
+  (tensor-split :pointer) (progress-cb :pointer) (progress-data :pointer)
+  (kv-overrides :pointer) (vocab-only :bool) (use-mmap :bool)
+  (_pad2 :uint8 :count 6))
+
+(cffi:defcstruct (llama-cparams :size 136)
+  (n-ctx :uint32)
+  (n-batch :uint32)
+  (n-ubatch :uint32)
+  (n-seq-max :uint32)
+  (n-threads :int32)
+  (n-threads-batch :int32)
+  (rope-scaling-type :int32)
+  (pooling-type :int32)
+  (attention-type :int32)
+  (flash-attn-type :int32)
+  (rope-freq-base :float)
+  (rope-freq-scale :float)
+  (yarn-ext-factor :float)
+  (yarn-attn-factor :float)
+  (yarn-beta-fast :float)
+  (yarn-beta-slow :float)
+  (yarn-orig-ctx :uint32)
+  (defrag-thold :float)
+  (cb-eval :pointer)
+  (cb-eval-user-data :pointer)
+  (type-k :int32)
+  (type-v :int32)
+  (abort-callback :pointer)
+  (abort-callback-data :pointer)
+  (embeddings :bool)
+  (offload-kqv :bool)
+  (no-perf :bool)
+  (op-offload :bool)
+  (swa-full :bool)
+  (kv-unified :bool)
+  (_c-pad3 :uint8 :count 15))
+
+(cffi:defcstruct (llama-batch :size 56)
+  (n-tokens :int32) (_bpad1 :int32) (token :pointer) (embd :pointer)
+  (pos :pointer) (n-seq-id :pointer) (seq-id :pointer) (logits :pointer))
+#+end_src
+
+** CFFI: llama.cpp API (current, non-deprecated)
+
+llama.cpp has undergone API changes. We target the current stable API:
+- =llama_model_load_from_file= → C wrapper (=llama_wrap_model_load=)
+- =llama_init_from_model= → C wrapper (=llama_wrap_new_context=)
+- =llama_encode= → C wrapper (=llama_wrap_encode=) — takes struct-by-value batch
+- =llama_batch_init/free= → C wrapper — returns/consumes struct-by-value
+- =llama_backend_init= REQUIRED before any model load
+- =llama_model_n_embd= (NOT deprecated =llama_n_embd=)
+- =llama_model_get_vocab= + =llama_vocab_n_tokens= (NOT deprecated =llama_n_vocab= with model pointer)
+- =llama_tokenize= now takes =vocab*= not =model*=
+- =llama_get_embeddings_seq= for BERT pooled embeddings (=llama_get_embeddings_ith= for token embeddings)
+- =llama_pooling_type= to query context pooling strategy
+
+#+begin_src lisp
+;; llama.cpp public API
+(cffi:defcfun ("llama_backend_init" bl) :void)
+(cffi:defcfun ("llama_model_default_params" mdp) :void (p :pointer))
+(cffi:defcfun ("llama_context_default_params" cdp) :void (p :pointer))
+(cffi:defcfun ("llama_model_n_embd" ne) :int32 (m :pointer))
+(cffi:defcfun ("llama_model_get_vocab" gv) :pointer (m :pointer))
+(cffi:defcfun ("llama_vocab_n_tokens" vnt) :int32 (vocab :pointer))
+(cffi:defcfun ("llama_tokenize" tok) :int32 (vocab :pointer) (text :string) (len :int32) (tokens :pointer) (n-max :int32) (add-special :bool) (parse-special :bool))
+(cffi:defcfun ("llama_get_embeddings_ith" embd-ith) :pointer (ctx :pointer) (i :int32))
+(cffi:defcfun ("llama_get_embeddings_seq" embd-seq) :pointer (ctx :pointer) (seq-id :int32))
+(cffi:defcfun ("llama_pooling_type" get-pooling) :int32 (ctx :pointer))
+(cffi:defcfun ("llama_model_free" fm) :void (m :pointer))
+(cffi:defcfun ("llama_free" fc) :void (ctx :pointer))
+
+;; C wrapper (bridges struct-by-value ABI)
+(cffi:defcfun ("llama_wrap_model_load" wrap-load) :pointer (path :string) (params :pointer))
+(cffi:defcfun ("llama_wrap_new_context" wrap-ctx) :pointer (model :pointer) (params :pointer))
+(cffi:defcfun ("llama_wrap_encode" wrap-encode) :int32 (ctx :pointer) (batch :pointer))
+(cffi:defcfun ("llama_wrap_batch_init" wrap-batch-init) :void (batch :pointer) (n-tokens :int32) (embd :int32) (n-seq-max :int32))
+(cffi:defcfun ("llama_wrap_batch_free" wrap-batch-free) :void (batch :pointer))
+#+end_src
+
+** Global state
+
+#+begin_src lisp
+(defvar *native-model* nil
+  "Cached llama.cpp model for embedding inference.")
+
+(defvar *native-context* nil
+  "Cached llama.cpp context for embedding inference.")
+
+(defvar *native-vocab* nil
+  "Cached llama.cpp vocab handle (from model).")
+
+(defvar *native-model-path*
+  (merge-pathnames ".local/share/passepartout/models/nomic-embed-text-v1.5.Q4_K_M.gguf"
+                   (user-homedir-pathname))
+  "Path to the bundled embedding model GGUF file.")
+#+end_src
+
+** Model loading
+
+Loads the GGUF model file and creates an inference context. Caches globally — subsequent calls are no-ops.
+
+Key initialization:
+- =sb-int:set-floating-point-modes= :traps nil — required or llama.cpp FPU ops SIGFPE
+- =llama_backend_init= — must run before any model operation
+- Model params: GPU off (=n-gpu-layers=0), no mmap (avoids double-free with SBCL's malloc)
+- Context params: embeddings=1, 512-token context, 2 threads, =pooling_type= unset (let model decide)
+
+#+begin_src lisp
+(defun embedding-native-load-model ()
+  "Load the embedding model and create a context. Caches globally."
+  (unless (and *native-model* *native-context*)
+    (unless (uiop:file-exists-p *native-model-path*)
+      (error "Native embedding model not found at ~a" *native-model-path*))
+    (sb-int:set-floating-point-modes :traps '())
+    (bl)
+    ;; Load model
+    (cffi:with-foreign-object (mp '(:struct llama-mparams))
+      (mdp mp)
+      (setf (cffi:foreign-slot-value mp '(:struct llama-mparams) 'n-gpu-layers) 0)
+      (setf (cffi:foreign-slot-value mp '(:struct llama-mparams) 'use-mmap) 0)
+      (setf *native-model* (wrap-load (namestring *native-model-path*) mp)))
+    (setf *native-vocab* (gv *native-model*))
+    ;; Create context
+    (let ((n-embd (ne *native-model*)))
+      (cffi:with-foreign-object (cp '(:struct llama-cparams))
+        (cdp cp)
+        (setf (cffi:foreign-slot-value cp '(:struct llama-cparams) 'n-ctx) 512)
+        (setf (cffi:foreign-slot-value cp '(:struct llama-cparams) 'n-batch) 512)
+        (setf (cffi:foreign-slot-value cp '(:struct llama-cparams) 'n-ubatch) 512)
+        (setf (cffi:foreign-slot-value cp '(:struct llama-cparams) 'n-seq-max) 1)
+        (setf (cffi:foreign-slot-value cp '(:struct llama-cparams) 'n-threads) 2)
+        (setf (cffi:foreign-slot-value cp '(:struct llama-cparams) 'embeddings) 1)
+        (setf *native-context* (wrap-ctx *native-model* cp)))
+      (format *error-output* "~&;; EMBEDDING: Native model loaded (~d-dim)~%" n-embd)))
+  (values *native-model* *native-context* *native-vocab*))
+#+end_src
+
+** Embedding inference
+
+Computes a 768-dim single-float vector for the given text via llama.cpp.
+
+Pipeline:
+1. Load/cache model + context
+2. Tokenize text via =llama_tokenize= (takes =vocab*= not =model*= since v0.4.1)
+3. Initialize batch via C wrapper (=llama_batch_init= returns struct-by-value)
+4. Fill batch: set =tokens=, =pos=, =n_seq_id=, =seq_id[0]=, =logits= for each position
+5. CRITICAL: set =batch.n_tokens= explicitly — =llama_batch_init= initializes it to 0
+6. Encode via C wrapper (=llama_encode= takes struct-by-value batch)
+7. Extract pooled embedding via =llama_get_embeddings_seq= (BERT CLS pooling)
+   — falls back to =llama_get_embeddings_ith= if =pooling_type == NONE=
+8. Free batch memory via wrapper (=llama_batch_free= takes struct-by-value)
+
+NOTE: we write =seq_id= values directly into the arrays allocated by
+=llama_batch_init= (not foreign-alloc'd separately) to avoid double-free.
+
+#+begin_src lisp
+(defun embedding-backend-native (text)
+  "Compute an embedding vector using the native llama.cpp backend.
+Returns a simple-vector of single-floats (dimension: n_embd, typically 768)."
+  (embedding-native-load-model)
+  (let* ((n-embd (ne *native-model*))
+         (max-tokens 256)
+         (tokens (cffi:foreign-alloc :int32 :count max-tokens))
+         (n-tok 0))
+    (unwind-protect
+        (progn
+          (setf n-tok (tok *native-vocab* text (length text) tokens max-tokens t t))
+          (when (zerop n-tok)
+            (error "Native embedding: tokenization returned 0 tokens for ~s" text))
+          (let ((result (make-array n-embd :element-type 'single-float :initial-element 0.0f0)))
+            (cffi:with-foreign-object (batch '(:struct llama-batch))
+              (wrap-batch-init batch n-tok 0 1)
+              (setf (cffi:foreign-slot-value batch '(:struct llama-batch) 'n-tokens) n-tok)
+              (dotimes (i n-tok)
+                (setf (cffi:mem-aref (cffi:foreign-slot-value batch '(:struct llama-batch) 'token) :int32 i)
+                      (cffi:mem-aref tokens :int32 i))
+                (setf (cffi:mem-aref (cffi:foreign-slot-value batch '(:struct llama-batch) 'pos) :int32 i) i)
+                (setf (cffi:mem-aref (cffi:foreign-slot-value batch '(:struct llama-batch) 'n-seq-id) :int32 i) 1)
+                (setf (cffi:mem-aref (cffi:mem-aref (cffi:foreign-slot-value batch '(:struct llama-batch) 'seq-id) :pointer i) :int32 0) 0)
+                (setf (cffi:mem-aref (cffi:foreign-slot-value batch '(:struct llama-batch) 'logits) :int8 i) 1))
+              (let ((enc (wrap-encode *native-context* batch)))
+                (unless (zerop enc)
+                  (error "Native embedding: encode returned ~d" enc)))
+              (let* ((pooling (get-pooling *native-context*))
+                     (eptr (if (= pooling 0)
+                               (embd-ith *native-context* (1- n-tok))
+                               (embd-seq *native-context* 0))))
+                (dotimes (i n-embd)
+                  (setf (aref result i) (cffi:mem-aref eptr :float i))))
+              (wrap-batch-free batch))
+            result))
+      (cffi:foreign-free tokens))))
+#+end_src
+
+** Cleanup and unload
+
+#+begin_src lisp
+(defun embedding-native-unload ()
+  "Release native model and context memory."
+  (when *native-context*
+    (fc *native-context*)
+    (setf *native-context* nil))
+  (when *native-model*
+    (fm *native-model*)
+    (setf *native-model* nil *native-vocab* nil))
+  (values))
+
+(defun embedding-native-get-dim ()
+  "Return embedding dimension of loaded native model (0 if not loaded)."
+  (if *native-model*
+      (ne *native-model*)
+      0))
+#+end_src
+
+** Cosine similarity helper
+
+Used in tests and embedding comparisons.
+
+#+begin_src lisp
+(defun vector-cosine-similarity (a b)
+  "Cosine similarity between two simple-vectors of single-floats."
+  (let ((dot 0.0d0) (anorm 0.0d0) (bnorm 0.0d0))
+    (dotimes (i (length a))
+      (let ((af (float (aref a i) 0.0d0))
+            (bf (float (aref b i) 0.0d0)))
+        (incf dot (* af bf))
+        (incf anorm (* af af))
+        (incf bnorm (* bf bf))))
+    (if (or (zerop anorm) (zerop bnorm))
+        0.0d0
+        (/ dot (sqrt (* anorm bnorm))))))
+#+end_src
+
+* Contract
+
+1. (embedding-backend-native text): computes a 768-dim single-float
+   embedding vector via llama.cpp. Returns a simple-vector. Requires
+   the model file at ~*native-model-path*~ and the C wrapper library at
+   ~/usr/local/lib/libllama_wrap.so~.
+2. (embedding-native-load-model): loads the GGUF model file and creates
+   an inference context. Caches globally in ~*native-model*~ /
+   ~*native-context*~ — subsequent calls are no-ops. Calls
+   ~sb-int:set-floating-point-modes~ and ~llama_backend_init~.
+3. (embedding-native-unload): releases native model and context memory.
+   Sets cached globals to nil.
+4. (embedding-native-get-dim): returns the embedding dimension of the
+   loaded model (768 for nomic-embed-text-v1.5), or 0 if not loaded.
+
+* Test Suite
+
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-embedding-native-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:embedding-native-suite))
+
+(in-package :passepartout-embedding-native-tests)
+
+(def-suite embedding-native-suite :description "Verification of Native Embedding Inference")
+(in-suite embedding-native-suite)
+
+(test test-native-embedding-available
+  "Contract v0.4.1: backend function exists and model file is present."
+  (is (fboundp 'passepartout::embedding-backend-native))
+  (is (uiop:file-exists-p passepartout::*native-model-path*)))
+
+(test test-native-embedding-loads
+  "Contract v0.4.1: model loads and produces a valid context."
+  (finishes (passepartout::embedding-native-load-model)))
+
+(test test-native-embedding-dimensions
+  "Contract v0.4.1: embedding produces correct-dimensional vector."
+  (let ((vec (passepartout::embedding-backend-native "test sentence")))
+    (is (vectorp vec))
+    (is (= (length vec) 768))
+    (is (typep (aref vec 0) 'single-float))))
+
+(test test-native-embedding-identical
+  "Contract v0.4.1: identical texts produce identical embeddings."
+  (let ((v1 (passepartout::embedding-backend-native "hello world"))
+        (v2 (passepartout::embedding-backend-native "hello world")))
+    (is (= (length v1) (length v2)))
+    (let ((sim (passepartout::vector-cosine-similarity v1 v2)))
+      (is (> sim 0.9999)))))
+
+(test test-native-embedding-similar
+  "Contract v0.4.1: semantically similar texts are closer than unrelated."
+  (let ((v-auth (passepartout::embedding-backend-native "implement user login form"))
+        (v-related (passepartout::embedding-backend-native "add password authentication"))
+        (v-unrelated (passepartout::embedding-backend-native "banana fruit yellow")))
+    (let ((sim-related (passepartout::vector-cosine-similarity v-auth v-related))
+          (sim-unrelated (passepartout::vector-cosine-similarity v-auth v-unrelated)))
+      (is (> sim-related 0.5))
+      (is (> sim-related sim-unrelated)))))
+#+end_src
+
+* C Wrapper Source
+
+The C wrapper bridges CFFI's pointer-only interface to llama.cpp's struct-by-value API.
+Compile with: =gcc -shared -fPIC -I/tmp/llama.cpp/include -o libllama_wrap.so llama_wrap.c -L/usr/local/lib -lllama=
+
+#+begin_src c :tangle ../scripts/llama_wrap.c
+// C wrapper for llama.cpp — bridges CFFI pointer params to struct-by-value
+// Compile: gcc -shared -fPIC -I/tmp/llama.cpp/include -o libllama_wrap.so llama_wrap.c -L/usr/local/lib -lllama
+
+#include <llama.h>
+
+struct llama_model * llama_wrap_model_load(const char * path, struct llama_model_params * params) {
+    return llama_model_load_from_file(path, *params);
+}
+
+struct llama_context * llama_wrap_new_context(struct llama_model * model, struct llama_context_params * params) {
+    return llama_init_from_model(model, *params);
+}
+
+int32_t llama_wrap_encode(struct llama_context * ctx, struct llama_batch * batch) {
+    return llama_encode(ctx, *batch);
+}
+
+void llama_wrap_batch_init(struct llama_batch * batch, int32_t n_tokens, int32_t embd, int32_t n_seq_max) {
+    *batch = llama_batch_init(n_tokens, embd, n_seq_max);
+}
+
+void llama_wrap_batch_free(struct llama_batch * batch) {
+    llama_batch_free(*batch);
+}
+#+end_src

org/neuro-explorer.org

@@ -0,0 +1,155 @@
+#+TITLE: SKILL: Model Explorer (org-skill-model-explorer.org)
+#+AUTHOR: Agent
+#+FILETAGS: :skill:model:explorer:discovery:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/neuro-explorer.lisp
+
+* Architectural Intent
+
+~system-model-explorer~ answers two questions the config screen needs: "What models does my provider offer?" and "Which one should I use for this task?"
+
+It opens a thin pipe to OpenRouter's /api/v1/models endpoint (no API key needed for the model list), parses the JSON into a uniform set of plists, and caches the result. The TUI's model dropdowns and recommendation cards all read from this cache.
+
+Recommended models are curated per task slot — code generation needs different capabilities than casual chat or background summarization. The recommendations are not hardcoded provider hooks; they're hand-picked from the OpenRouter free tier as a sensible default. Users can override via the TUI config screen, which replaces the picked model IDs into their cascade.
+
+** Contract
+
+1. (model-explorer-recommend slot): returns a list of plists with
+   ~:id~ and ~:name~ for the given task slot (~:code~, ~:chat~,
+   ~:plan~, ~:background~). Unknown slots return a fallback list.
+2. (model-explorer-fetch provider): fetches the model list from the
+   provider's API and caches it. Returns nil on failure.
+
+* Implementation
+
+** Cache
+#+begin_src lisp
+(in-package :passepartout)
+
+(defvar *model-cache* (make-hash-table :test 'equal)
+  "Cache: provider keyword -> (timestamp . model-list)")
+
+(defvar *model-cache-ttl* 300
+  "Cache TTL in seconds (default 5 min)")
+#+end_src
+
+** OpenRouter fetch
+#+begin_src lisp
+(defun model-explorer-fetch-openrouter ()
+  "Query OpenRouter /api/v1/models and return parsed model list."
+  (handler-case
+      (let* ((raw (dex:get "https://openrouter.ai/api/v1/models" :connect-timeout 10 :read-timeout 20))
+             (json (cl-json:decode-json-from-string raw))
+             (data (cdr (assoc :data json))))
+        (mapcar (lambda (m)
+                  (let ((pricing (cdr (assoc :pricing m))))
+                    (list :id (cdr (assoc :id m))
+                          :name (cdr (assoc :name m))
+                          :context (cdr (assoc :context_length m))
+                          :free (and pricing
+                                     (string= "0" (cdr (assoc :prompt pricing)))
+                                     (string= "0" (cdr (assoc :completion pricing)))))))
+                data))
+    (error (c)
+      (log-message "MODEL-EXPLORER: OpenRouter API error: ~a" c)
+      nil)))
+#+end_src
+
+** Generic fetch with cache
+#+begin_src lisp
+(defun model-explorer-fetch (provider)
+  "Fetch available models for PROVIDER. Returns list of (:id :name :context :free) plists."
+  (let ((cached (gethash provider *model-cache*)))
+    (when (and cached (< (- (get-universal-time) (car cached)) *model-cache-ttl*))
+      (return-from model-explorer-fetch (cdr cached))))
+  (let ((models (case provider
+                  (:openrouter (model-explorer-fetch-openrouter))
+                  (t nil))))
+    (when models
+      (setf (gethash provider *model-cache*)
+            (cons (get-universal-time) models)))
+    models))
+#+end_src
+
+** List-free convenience
+#+begin_src lisp
+(defun model-explorer-list-free ()
+  "Return all free models from cache or fetch."
+  (remove-if-not (lambda (m) (getf m :free)) (model-explorer-fetch :openrouter)))
+#+end_src
+
+** Curated recommendations per slot
+#+begin_src lisp
+(defun model-explorer-recommend (slot)
+  "Return recommended models for SLOT (:code, :chat, :plan, :background)."
+  (case slot
+    (:code
+     '((:id "qwen/qwen3-coder:free" :name "Qwen3 Coder 480B" :context 262000 :free t :note "Top-tier code MoE, 35B active")
+       (:id "poolside/laguna-m.1:free" :name "Laguna M.1" :context 131072 :free t :note "Flagship coding agent")
+       (:id "openai/gpt-oss-120b:free" :name "gpt-oss-120b" :context 131072 :free t :note "117B MoE open-weight coding")))
+    (:plan
+     '((:id "openrouter/owl-alpha" :name "Owl Alpha" :context 1048756 :free t :note "Agentic, tool use, reasoning")
+       (:id "nousresearch/hermes-3-llama-3.1-405b:free" :name "Hermes 3 405B" :context 131072 :free t :note "405B generalist, strong planning")
+       (:id "minimax/minimax-m2.5:free" :name "MiniMax M2.5" :context 196608 :free t :note "SOTA productivity, long context")))
+    (:chat
+     '((:id "meta-llama/llama-3.3-70b-instruct:free" :name "Llama 3.3 70B" :context 65536 :free t :note "Strong multilingual generalist")
+       (:id "google/gemma-4-31b-it:free" :name "Gemma 4 31B" :context 262144 :free t :note "Dense 31B, thinking mode, long context")
+       (:id "mistralai/mistral-nemo:free" :name "Mistral Nemo" :context 32768 :free t :note "Fast, good for casual conversation")))
+    (:background
+     '((:id "meta-llama/llama-3.2-3b-instruct:free" :name "Llama 3.2 3B" :context 131072 :free t :note "Small, fast, efficient")
+       (:id "liquid/lfm-2.5-1.2b-instruct:free" :name "LFM 2.5 1.2B" :context 32768 :free t :note "Ultra-compact, edge-ready")))
+     (t '((:id "meta-llama/llama-3.3-70b-instruct:free" :name "Llama 3.3 70B" :context 65536 :free t :note "Safe fallback")))))
+#+end_src
+
+** Slot descriptions (for TUI config display)
+;; REPL-verified: 2026-05-04
+#+begin_src lisp
+(defvar *slot-descriptions*
+  '((:code . "Code generation, refactoring, debugging. Needs strong reasoning and large context.\nRecommend: Qwen3 Coder (free, 35B active) or Laguna M.1 (coding agent).")
+    (:chat . "Casual conversation, Q&A, creative writing. Prefer balanced quality, low latency.\nRecommend: Llama 3.3 70B (strong generalist) or Gemma 4 31B (thinking mode).")
+    (:plan . "Strategic planning, architecture design, complex multi-step reasoning.\nRecommend: Owl Alpha (free, tool use, 1M ctx) or Hermes 3 405B (strongest free reasoning).")
+    (:background . "Heartbeat summaries, delegation responses, tool output filtering. Must be small + fast.\nRecommend: Llama 3.2 3B (131K ctx, fast) or LFM 2.5 1.2B (edge-ready).")))
+#+end_src
+
+* Tests
+
+#+begin_src lisp
+;; REPL-verified: 2026-05-04
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ignore-errors (ql:quickload :fiveam :silent t)))
+
+(defpackage :passepartout-neuro-explorer-tests
+  (:use :cl :passepartout)
+  (:export #:model-explorer-suite))
+
+(in-package :passepartout-neuro-explorer-tests)
+
+(fiveam:def-suite model-explorer-suite :description "Tests for the model explorer skill")
+
+(fiveam:in-suite model-explorer-suite)
+
+(fiveam:test model-explorer-recommend-slots
+  "Contract 1: recommend returns models for all standard slots."
+  (dolist (slot '(:code :chat :plan :background))
+    (let ((recs (passepartout::model-explorer-recommend slot)))
+      (fiveam:is (listp recs))
+      (fiveam:is (>= (length recs) 1)))))
+
+(fiveam:test model-explorer-recommend-format
+  "Contract 1: each recommendation has :id and :name."
+  (dolist (rec (passepartout::model-explorer-recommend :chat))
+    (fiveam:is (getf rec :id))
+    (fiveam:is (getf rec :name))))
+
+(fiveam:test model-explorer-recommend-unknown-slot
+  "Contract 1: unknown slot returns fallback list."
+  (let ((recs (passepartout::model-explorer-recommend :unknown)))
+    (fiveam:is (listp recs))
+    (fiveam:is (>= (length recs) 1))))
+
+(fiveam:test model-explorer-fetch-openrouter-count
+  "Contract 2: OpenRouter API returns at least 300 models."
+  (let ((models (passepartout::model-explorer-fetch :openrouter)))
+    (if models
+        (fiveam:is (>= (length models) 300))
+        (fiveam:skip "API unreachable"))))
+#+end_src

org/neuro-provider.org

@@ -0,0 +1,408 @@
+#+TITLE: SKILL: Unified LLM Backend (org-skill-unified-llm-backend.org)
+#+AUTHOR: Agent
+#+FILETAGS: :skill:model:provider:llm:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/neuro-provider.lisp
+
+* Architectural Intent
+
+~system-model-provider~ is the universal LLM client. It speaks the OpenAI-compatible ~/v1/chat/completions~ protocol, which covers every modern provider — OpenRouter, OpenAI, Anthropic, Groq, Gemini, DeepSeek, NVIDIA NIM, plus any local engine (Ollama, vLLM, LM Studio, llama.cpp) when running behind an OpenAI-compatible adapter.
+
+One function, eight (and counting) providers. The same JSON payload, the same response format, the same error handling. Adding a new provider is a one-line config entry: a keyword, a base URL, an API key env var name, and a default model.
+
+Providers register themselves at boot. No API key? That provider doesn't register. No local URL set? The local entry stays dormant. Only the providers you actually configure appear in ~*probabilistic-backends*~ at runtime. The old code assumed Ollama was always available; this code requires an env var like everything else.
+
+=*provider-cascade*= defaults to cloud-only (all providers except ~:local~ and ~:ollama~). If you want a local fallback, set ~LOCAL_BASE_URL~ in your env and add ~:local~ to the ~PROVIDER_CASCADE~ list.
+
+** Contract
+
+1. (provider-config provider): returns the configuration plist for a
+   provider keyword, or nil if unregistered.
+2. (provider-available-p provider): returns T if the provider's API key
+   or base URL is configured.
+3. (provider-openai-request prompt system-prompt &key model provider):
+   executes an OpenAI-compatible /v1/chat/completions request. Returns
+   ~(:status :success :content ...)~ or ~(:status :error :message ...)~.
+4. (provider-openai-request prompt system-prompt &key model provider tools):
+   when ~:tools~ is provided (a list of plist tool definitions), the request
+   body includes ~"tools"~ and ~"tool_choice": "auto"~ fields. Parses
+   ~tool_calls~ from the response: extracts ~function.name~ and
+   ~function.arguments~ (decoded from JSON string to alist). Returns
+   ~(:status :success :tool-calls ((:name <str> :arguments <alist>)))~
+   when the LLM returns a tool call, or the existing ~:content~ path otherwise.
+4. (provider-cascade-initialize): reads ~PROVIDER_CASCADE~ from env and
+   sets ~*provider-cascade*~.
+5. (provider-openai-stream prompt system-prompt callback &key model provider tools):
+   v0.7.1 — executes a streaming OpenAI-compatible /v1/chat/completions
+   request. Sends ~"stream": true~ in the request body. Reads Server-Sent
+   Events (SSE) from the response stream, parsing ~data: ...~ lines. For
+   each delta with content, calls CALLBACK with the delta string. After
+   all deltas, calls CALLBACK with ~""~ to signal end-of-stream. Returns
+   ~(:status :success)~ on completion or ~(:status :error :message ...)~.
+   If ~*stream-cancel*~ is set to T (by another thread), exits the SSE
+   loop and calls CALLBACK with ~""~.
+6. (parse-sse-line line): parses an SSE line. Returns the data content
+   for ~data: <content>~ lines, ~:done~ for ~data: [DONE]~, and ~nil~
+   for comment lines (starting with ~:~), empty lines, or non-data lines.
+
+* Implementation
+
+** Provider registry
+#+begin_src lisp
+(in-package :passepartout)
+
+(defparameter *provider-configs*
+  '((:local      . (:base-url nil          :key-env nil           :url-env "LOCAL_BASE_URL"            :default-model "llama3"))
+    (:openrouter . (:base-url "https://openrouter.ai/api/v1" :key-env "OPENROUTER_API_KEY" :default-model "openrouter/auto"))
+    (:openai     . (:base-url "https://api.openai.com/v1"    :key-env "OPENAI_API_KEY"     :default-model "gpt-4o-mini"))
+    (:anthropic  . (:base-url "https://api.anthropic.com/v1" :key-env "ANTHROPIC_API_KEY"  :default-model "claude-3-5-sonnet-20241022"))
+    (:groq       . (:base-url "https://api.groq.com/openai/v1" :key-env "GROQ_API_KEY"     :default-model "llama-3.1-70b-versatile"))
+    (:gemini     . (:base-url "https://generativelanguage.googleapis.com/v1beta/openai" :key-env "GEMINI_API_KEY" :default-model "gemini-2.0-flash"))
+    (:deepseek   . (:base-url "https://api.deepseek.com/v1"  :key-env "DEEPSEEK_API_KEY"  :default-model "deepseek-chat"))
+    (:nvidia     . (:base-url "https://integrate.api.nvidia.com/v1" :key-env "NVIDIA_API_KEY" :default-model "meta/llama-3.1-405b-instruct"))))
+#+end_src
+
+** Provider config lookup
+#+begin_src lisp
+(defun provider-config (provider)
+  "Returns the configuration plist for a provider keyword."
+  (cdr (assoc provider *provider-configs*)))
+#+end_src
+
+** Availability check
+#+begin_src lisp
+(defun provider-available-p (provider)
+  "Checks if a provider is configured. Checks API key or URL env vars."
+  (let* ((config (provider-config provider))
+         (key-env (getf config :key-env))
+         (url-env (getf config :url-env))
+         (base-url (getf config :base-url)))
+    (cond (key-env (let ((key (uiop:getenv key-env))) (and key (> (length key) 0))))
+          (url-env (let ((url (uiop:getenv url-env))) (and url (> (length url) 0))))
+          (base-url t))))
+#+end_src
+
+** Unified request execution
+#+begin_src lisp
+(defun provider-openai-request (prompt system-prompt &key model (provider :openrouter) tools)
+  "Executes a request against any OpenAI-compatible API endpoint.
+When :tools is provided, includes function-calling tool definitions in the request."
+  (let* ((config (provider-config provider))
+         (base-url (getf config :base-url))
+         (key-env (getf config :key-env))
+         (url-env (getf config :url-env))
+         (default-model (getf config :default-model))
+         (api-key (when key-env (uiop:getenv key-env)))
+         (model-id (or model default-model))
+         (url (if url-env
+                  (let ((host (uiop:getenv url-env)))
+                    (if host
+                        (format nil "http://~a/v1/chat/completions" host)
+                        (format nil "~a/chat/completions" base-url)))
+                  (format nil "~a/chat/completions" base-url)))
+         (timeout (or (ignore-errors
+                        (parse-integer (uiop:getenv "LLM_REQUEST_TIMEOUT")))
+                      30))
+         (headers `(("Content-Type" . "application/json")
+                    ,@(when api-key `(("Authorization" . ,(format nil "Bearer ~a" api-key))))
+                    ,@(when (eq provider :openrouter)
+                        `(("HTTP-Referer" . "https://github.com/amrgharbeia/passepartout")
+                          ("X-Title" . "Passepartout")))))
+         (body (let ((base `((model . ,model-id)
+                            (messages . (( (role . "system") (content . ,system-prompt) )
+                                         ( (role . "user") (content . ,prompt) ))))))
+                 (if tools
+                     (append base
+                             `((tools . ,(loop for tool in tools
+                                                collect (list (cons :|type| "function")
+                                                              (cons :|function| (loop for (k v) on tool by #'cddr
+                                                                                      collect (cons (intern (string-upcase (string k)) "KEYWORD") v))))))
+                               (:|tool_choice| . "auto")))
+                     base)))
+         (body-json (cl-json:encode-json-to-string body)))
+    (handler-case
+        (let* ((response (dex:post url :headers headers :content body-json
+                                  :connect-timeout (min 5 timeout)
+                                  :read-timeout (max 10 (- timeout 5))))
+               (json (cl-json:decode-json-from-string response))
+               (choices (cdr (assoc :choices json)))
+               (first-choice (car choices))
+               (message (cdr (assoc :message first-choice)))
+               (tool-calls (cdr (assoc :|tool_calls| message)))
+               (content (cdr (assoc :content message))))
+          (cond
+            (tool-calls
+             (list :status :success
+                   :tool-calls
+                   (loop for tc in tool-calls
+                         for fun = (cdr (assoc :|function| tc))
+                         for args-str = (cdr (assoc :|arguments| fun))
+                         for args = (when args-str (cl-json:decode-json-from-string args-str))
+                         collect (list :name (cdr (assoc :|name| fun))
+                                       :arguments args))))
+            (content
+             (list :status :success :content content))
+            (t
+             (list :status :error :message (format nil "~a: No content" provider)))))
+      (error (c)
+        (list :status :error :message (format nil "~a Failure: ~a" provider c))))))
+#+end_src
+
+** Register all available providers
+#+begin_src lisp
+(defun provider-register-all ()
+  "Scans environment variables and registers all available LLM backends."
+  (dolist (entry *provider-configs*)
+    (let ((provider (car entry)))
+      (when (provider-available-p provider)
+        (log-message "LLM BACKEND: Registering provider ~a" provider)
+        (register-probabilistic-backend provider
+          (lambda (prompt system-prompt &key model tools)
+            (provider-openai-request prompt system-prompt :model model :provider provider :tools tools)))))))
+#+end_src
+
+** Initialize cascade
+#+begin_src lisp
+(defun provider-cascade-initialize ()
+  "Reads PROVIDER_CASCADE from env and sets *provider-cascade*."
+  (let ((cascade-str (uiop:getenv "PROVIDER_CASCADE")))
+    (if cascade-str
+        (setf *provider-cascade*
+              (mapcar (lambda (s) (intern (string-upcase (string-trim '(#\Space #\" #\') s)) :keyword))
+                      (uiop:split-string cascade-str :separator '(#\,))))
+        (setf *provider-cascade* (mapcar #'car (remove-if (lambda (e)
+                                                             (member (car e) '(:local)))
+                                                           *provider-configs*))))))
+#+end_src
+
+** Provider connection test (for TUI config)
+;; REPL-verified: 2026-05-04
+#+begin_src lisp
+(defun test-provider-connection (provider &optional api-key)
+  "Test a provider API key by hitting its models endpoint.
+Returns (:ok) on success, (:fail reason) on failure.
+If API-KEY is nil, reads from environment."
+  (let* ((config (provider-config provider))
+         (base-url (getf config :base-url))
+         (key-env (getf config :key-env))
+         (url-env (getf config :url-env))
+         (key (or api-key (when key-env (uiop:getenv key-env)))))
+    (handler-case
+        (let ((url (if url-env
+                       (let ((host (or (uiop:getenv url-env) "")))
+                         (format nil "http://~a/api/tags" host))
+                       (format nil "~a/models" (or base-url "")))))
+          (if key-env
+              (progn (dex:get url :headers `(("Authorization" . ,(format nil "Bearer ~a" key)))
+                              :connect-timeout 5 :read-timeout 10)
+                     '(:ok))
+              (if url-env
+                  (progn (dex:get url :connect-timeout 5 :read-timeout 10) '(:ok))
+                  '(:fail "No URL source for this provider"))))
+      (error (c) `(:fail ,(format nil "~a" c))))))
+#+end_src
+
+** Boot registration
+#+begin_src lisp
+(provider-register-all)
+(provider-cascade-initialize)
+#+end_src
+
+** Skill registration
+#+begin_src lisp
+(defskill :passepartout-neuro-provider
+  :priority 50
+  :trigger (lambda (ctx) (declare (ignore ctx)) nil))
+#+end_src
+
+* Test Suite
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-llm-gateway-tests
+  (:use :cl :passepartout)
+  (:export #:llm-gateway-suite))
+
+(in-package :passepartout-llm-gateway-tests)
+
+(fiveam:def-suite llm-gateway-suite :description "Tests for the LLM provider backend")
+(fiveam:in-suite llm-gateway-suite)
+
+(fiveam:test test-provider-rejects-bad-keyword
+  "Contract 3: provider-config returns nil for unregistered provider."
+  (let ((config (provider-config :not-a-real-provider)))
+    (fiveam:is (null config))))
+
+(fiveam:test test-provider-config-registered
+  "Contract 1: provider-config returns configuration plist for registered provider."
+  (let ((config (provider-config :openrouter)))
+    (fiveam:is (listp config))
+    (fiveam:is (getf config :base-url))))
+
+(fiveam:test test-provider-accepts-tools-parameter
+  "Contract 4: provider-openai-request accepts :tools parameter without error."
+  (let ((result (provider-openai-request "test" "system" :tools (list))))
+    (fiveam:is (member (getf result :status) '(:success :error)))))
+
+;; ── v0.7.1 Streaming ──
+
+(fiveam:test test-parse-sse-line-data
+  "Contract 6: parse-sse-line extracts content from data: lines."
+  (fiveam:is (string= "hello world" (passepartout::parse-sse-line "data: hello world")))
+  (fiveam:is (string= "{\"a\":1}" (passepartout::parse-sse-line "data: {\"a\":1}"))))
+
+(fiveam:test test-parse-sse-line-done
+  "Contract 6: parse-sse-line returns :done for [DONE]."
+  (fiveam:is (eq :done (passepartout::parse-sse-line "data: [DONE]"))))
+
+(fiveam:test test-parse-sse-line-nil
+  "Contract 6: parse-sse-line returns nil for comment, empty, non-data lines."
+  (fiveam:is (null (passepartout::parse-sse-line "")))
+  (fiveam:is (null (passepartout::parse-sse-line ":ok")))
+  (fiveam:is (null (passepartout::parse-sse-line "event: ping"))))
+
+(fiveam:test test-provider-openai-stream-calls-callback
+  "Contract 5: provider-openai-stream calls callback with deltas and final empty string."
+  (let ((collected '()))
+    (flet ((collector (text) (push text collected)))
+      (passepartout::provider-openai-stream "hi" "sys" #'collector :provider :openrouter))
+    (let* ((reversed (nreverse collected))
+           (last (car (last reversed))))
+      (fiveam:is (stringp last))
+      (fiveam:is (string= "" last))
+      (fiveam:is (>= (length reversed) 2)))))
+#+end_src* v0.7.1 — Streaming Backend
+:PROPERTIES:
+:ID:       id-v071-streaming
+:CREATED:  [2026-05-08 Fri]
+:END:
+
+** SSE Parser
+
+*** RED
+#+begin_example
+test-parse-sse-line-data: 0/2 pass — stub returns nil instead of content
+test-parse-sse-line-done: 0/1 pass — stub returns nil instead of :done
+test-parse-sse-line-nil: 3/3 pass — stub correctly returns nil
+#+end_example
+
+*** GREEN
+#+begin_example
+test-parse-sse-line-data: 2/2 pass (100%)
+test-parse-sse-line-done: 1/1 pass (100%)
+test-parse-sse-line-nil: 3/3 pass (100%)
+test-provider-openai-stream-calls-callback: 3/3 pass (100%)
+llm-gateway-suite: 13/13 pass (100%)
+#+end_example
+
+** Cascade Stream
+#+begin_src lisp
+(defun cascade-stream (prompt system-prompt callback)
+  "Streaming cascade: calls provider-openai-stream on the first available backend.
+Calls CALLBACK with each delta string, then with '' to signal end-of-stream."
+  (dolist (backend *provider-cascade*)
+    (when (gethash backend *probabilistic-backends*)
+      (let ((result (provider-openai-stream prompt system-prompt callback
+                                           :provider backend)))
+        (when (eq (getf result :status) :success)
+          (return cascade-stream))))))
+#+end_src
+#+begin_src lisp
+(in-package :passepartout)
+
+(defun parse-sse-line (line)
+  "Parse an SSE line. Returns data string, :done for [DONE], nil otherwise."
+  (cond
+    ((or (null line) (string= line "")) nil)
+    ((char= (char line 0) #\:) nil)
+    ((and (>= (length line) 6) (string-equal (subseq line 0 6) "data: "))
+     (let ((content (subseq line 6)))
+       (if (string= content "[DONE]")
+           :done
+           content)))
+    (t nil)))
+#+end_src
+
+** Streaming request
+#+begin_src lisp
+(defvar *stream-cancel* nil
+  "When T, the streaming SSE loop exits early.")
+
+(defun provider-openai-stream (prompt system-prompt callback &key model (provider :openrouter) tools)
+  "Streaming OpenAI-compatible request. Calls CALLBACK with each delta, then ''."
+  (let* ((config (provider-config provider))
+         (base-url (getf config :base-url))
+         (key-env (getf config :key-env))
+         (url-env (getf config :url-env))
+         (default-model (getf config :default-model))
+         (api-key (when key-env (uiop:getenv key-env)))
+         (model-id (or model default-model))
+         (url (if url-env
+                  (let ((host (uiop:getenv url-env)))
+                    (if host
+                        (format nil "http://~a/v1/chat/completions" host)
+                        (format nil "~a/chat/completions" base-url)))
+                  (format nil "~a/chat/completions" base-url)))
+         (timeout (or (ignore-errors (parse-integer (uiop:getenv "LLM_REQUEST_TIMEOUT"))) 30))
+         (req-headers (list (cons "Content-Type" "application/json")))
+         (base `((model . ,model-id)
+                 (messages . (( (role . "system") (content . ,system-prompt) )
+                              ( (role . "user") (content . ,prompt) )))
+                 (stream . t))))
+    (when api-key
+      (push (cons "Authorization" (format nil "Bearer ~a" api-key)) req-headers))
+    (when (eq provider :openrouter)
+      (setf req-headers
+            (append req-headers
+                    `(("HTTP-Referer" . "https://github.com/amrgharbeia/passepartout")
+                      ("X-Title" . "Passepartout")))))
+    (let ((body (if tools
+                    (append base
+                            `((tools . ,(loop for tool in tools
+                                              collect (list (cons :|type| "function")
+                                                            (cons :|function|
+                                                                  (loop for (k v) on tool by #'cddr
+                                                                        collect (cons (intern (string-upcase (string k)) "KEYWORD") v))))))
+                              (:|tool_choice| . "auto")))
+                    base)))
+      (handler-case
+          (let* ((body-json (cl-json:encode-json-to-string body))
+                 (stall-seconds 30)
+                 (s (dex:post url :headers req-headers :content body-json
+                             :connect-timeout (min 5 timeout)
+                             :read-timeout stall-seconds
+                             :want-stream t)))
+            ;; v0.7.1: track stall timer — reset on each successful chunk
+            (let ((last-chunk-time (get-universal-time)))
+              (loop for raw = (handler-case (read-line s nil nil)
+                                (error (c)
+                                  (declare (ignore c))
+                                  nil))
+                     while raw
+                     do (when *stream-cancel*  ; v0.7.1: cancel check
+                          (setf *stream-cancel* nil)
+                          (funcall callback " [cancelled]")
+                          (return))
+                        (let ((parsed (parse-sse-line raw)))
+                         (cond
+                           ((null parsed))
+                           ((eq parsed :done) (return))
+                           (t (handler-case
+                                  (let* ((json (cl-json:decode-json-from-string parsed))
+                                         (choices (cdr (assoc :choices json)))
+                                         (choice (car choices))
+                                         (delta (cdr (assoc :delta choice)))
+                                         (content (cdr (assoc :content delta))))
+                                    (when content
+                                      (funcall callback content)
+                                      (setf last-chunk-time (get-universal-time))))
+                                (error ())))))
+                    (when (> (- (get-universal-time) last-chunk-time) stall-seconds)
+                      (funcall callback "[Response stalled — timed out at 30s]")
+                      (return))))
+            (funcall callback "")
+            (close s)
+            (list :status :success))
+        (error (c)
+          (list :status :error :message (format nil "~a Stream Failure: ~a" provider c)))))))
+#+end_src

org/neuro-router.org

@@ -0,0 +1,223 @@
+#+TITLE: SKILL: Model Router (org-skill-model-router.org)
+#+AUTHOR: Agent
+#+FILETAGS: :system:model:routing:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/neuro-router.lisp
+
+* Overview: Quadrant-Based Model Routing
+
+The Model Router implements the four-quadrant cognitive architecture for
+LLM model selection. Each signal is routed through a pipeline of three
+filters — privacy, quadrant, and complexity — before a model is chosen.
+
+The routing pipeline for every probabilistic signal:
+
+  all backends → privacy filter → quadrant/classifier → per-slot cascade → model
+
+- **Privacy filter** strips cloud backends when content carries ~@personal~ tags.
+- **Quadrant** determines if the signal is foreground or background.
+- **Complexity classifier** assigns foreground signals to one of three slots:
+  ~:code~, ~:plan~, or ~:chat~.
+- **Per-slot cascade** selects a backend and model for the slot, with fallback
+  ordering defined in each cascade list.
+
+The model selector function is registered into the core ~*model-selector*~ hook
+at load time. The core iterates providers, calling the selector for each one.
+
+* Implementation
+
+** Package Context
+
+#+begin_src lisp
+(in-package :passepartout)
+#+end_src
+
+** Configuration: Per-Slot Cascades
+
+Four env-configurable cascade variables, one per slot. Each cascade is a list
+of ~(provider-keyword . "model-name")~ pairs. The first match for the current
+backend is used.
+
+Example:
+  MODEL_CASCADE_CODE='((:ollama . "deepseek-coder:6.7b") (:openrouter . "claude-sonnet"))'
+
+*** *model-cascade-code*
+
+The cascade for ~:code~ tasks (code generation, refactoring, bug fixing).
+Format: ~((:ollama . "model-name") ...)~. Configured via ~MODEL_CASCADE_CODE~.
+
+;; REPL-VERIFIED: 2026-05-03T14:00:00
+#+begin_src lisp
+(defvar *model-cascade-code* nil
+  "Cascade for :code tasks: ((:ollama . \"model\") ...)")
+#+end_src
+
+*** *model-cascade-plan*
+
+Cascade for planning and architecture tasks. Configured via ~MODEL_CASCADE_PLAN~.
+
+;; REPL-VERIFIED: 2026-05-03T14:00:00
+#+begin_src lisp
+(defvar *model-cascade-plan* nil
+  "Cascade for :plan tasks.")
+#+end_src
+
+*** *model-cascade-chat*
+
+Cascade for general conversation and simple Q&A. Configured via ~MODEL_CASCADE_CHAT~.
+
+;; REPL-VERIFIED: 2026-05-03T14:00:00
+#+begin_src lisp
+(defvar *model-cascade-chat* nil
+  "Cascade for :chat tasks.")
+#+end_src
+
+*** *model-cascade-background*
+
+Cascade for background tasks (heartbeat scraping, delegation processing).
+Configured via ~MODEL_CASCADE_BACKGROUND~.
+
+;; REPL-VERIFIED: 2026-05-03T14:00:00
+#+begin_src lisp
+(defvar *model-cascade-background* nil
+  "Cascade for background tasks (heartbeat, delegation).")
+#+end_src
+
+*** *local-backends*
+
+List of backend keywords considered local for privacy routing. Content tagged
+with ~@personal~ will only be sent to these backends.
+
+;; REPL-VERIFIED: 2026-05-03T14:00:00
+#+begin_src lisp
+(defvar *local-backends* '(:ollama :llama-cpp)
+  "Backend keywords considered local (privacy-safe).")
+#+end_src
+
+** Complexity Classifier
+
+Keyword-based heuristic that assigns signal text to a complexity slot.
+Pluggable — set ~*complexity-classifier*~ to override.
+
+;; REPL-VERIFIED: 2026-05-03T14:00:00
+#+begin_src lisp
+(defun model-classify-complexity (text)
+  "Classify TEXT into :code, :plan, or :chat."
+  (let ((lower (string-downcase text)))
+    (cond
+      ((or (search "defun" lower) (search "defmacro" lower)
+           (search "write" lower) (search "refactor" lower)
+           (search "fix " lower) (search "implement" lower)
+           (search "code" lower)
+           (search "#+begin_src" lower))
+       :code)
+      ((or (search "plan" lower) (search "roadmap" lower)
+           (search "strategy" lower) (search "design" lower)
+           (search "architecture" lower))
+       :plan)
+      (t :chat))))
+#+end_src
+
+** Cascade Lookup
+
+The core iterates each backend in ~*provider-cascade*~ and calls the model
+selector for each one. This function matches the current backend against the
+per-slot cascade list to find the appropriate model. Returns the first
+~:code~ ~(provider . model)~ entry whose provider matches, or ~nil~ if
+the backend has no entry in that slot's cascade (the core will skip to
+the next provider).
+
+;; REPL-VERIFIED: 2026-05-03T14:00:00
+#+begin_src lisp
+(defun model-cascade-find (cascade backend)
+  "Find first (PROVIDER . MODEL) in CASCADE matching BACKEND."
+  (assoc backend cascade
+         :test (lambda (a b) (string-equal (string a) (string b)))))
+#+end_src
+
+** Model Selector
+
+The main routing function. Registered into ~*model-selector*~ at init time.
+Called per-backend by ~backend-cascade-call~. Returns a model name string,
+or ~:skip~ if the backend should not be tried (e.g., privacy filter).
+
+Filter order: privacy → quadrant → complexity → cascade.
+
+;; REPL-VERIFIED: 2026-05-03T14:00:00
+#+begin_src lisp
+(defun model-select (backend context)
+  "Select model for BACKEND given CONTEXT signal.
+Returns model name or :skip."
+  (let* ((payload (getf context :payload))
+         (text (or (getf payload :text) ""))
+         (sensor (getf payload :sensor))
+         (has-personal (and (boundp '*dispatcher-privacy-tags*)
+                            (some (lambda (tag) (search tag text))
+                                  (symbol-value '*dispatcher-privacy-tags*))))
+         (is-local (member backend *local-backends*)))
+    ;; Privacy: skip cloud backends for personal content
+    (when (and has-personal (not is-local))
+      (log-message "MODEL-ROUTER: Skipping ~a (personal content)" backend)
+      (return-from model-select :skip))
+    ;; Quadrant: background tasks use background cascade
+    (if (member sensor '(:heartbeat :delegation :tool-output :loop-error))
+        (let ((entry (car (or *model-cascade-background*
+                              '((:ollama . "phi-2"))))))
+          (cdr entry))
+        ;; Foreground: classify complexity, use slot cascade
+        (let* ((slot (model-classify-complexity text))
+               (cascade (case slot
+                          (:code *model-cascade-code*)
+                          (:plan *model-cascade-plan*)
+                          (t *model-cascade-chat*)))
+               (entry (model-cascade-find
+                       (or cascade '((:ollama . "qwen2.5:14b"))) backend)))
+          (if entry (cdr entry) nil)))))
+#+end_src
+
+** Initialization
+
+Reads cascade configuration from environment variables and registers
+~model-select~ into the core ~*model-selector*~ hook.
+
+;; REPL-VERIFIED: 2026-05-03T14:00:00
+#+begin_src lisp
+(defun model-router-init ()
+  "Read env vars and wire model-select into *model-selector*."
+  (flet ((parse-cascade (str)
+           (when (and str (> (length str) 0))
+             (let ((*read-eval* nil))
+               (read-from-string str)))))
+    (setf *model-cascade-code* (parse-cascade (uiop:getenv "MODEL_CASCADE_CODE"))
+          *model-cascade-plan* (parse-cascade (uiop:getenv "MODEL_CASCADE_PLAN"))
+          *model-cascade-chat* (parse-cascade (uiop:getenv "MODEL_CASCADE_CHAT"))
+          *model-cascade-background* (parse-cascade (uiop:getenv "MODEL_CASCADE_BACKGROUND"))
+          *local-backends* (let ((env (uiop:getenv "LOCAL_BACKENDS")))
+                             (if env
+                                 (mapcar (lambda (s) (intern (string-upcase (string-trim '(#\Space #\" #\') s)) :keyword))
+                                         (uiop:split-string env :separator '(#\,)))
+                                 '(:ollama :llama-cpp)))))
+    (setf *model-selector* #'model-select)
+    (log-message "MODEL-ROUTER: Initialized, selector=~a" *model-selector*))
+#+end_src
+
+** Skill Registration
+
+The model router is an observer skill — it has no trigger and no
+deterministic gate. All work happens at load time via ~model-router-init~,
+which reads env vars and registers into the core ~*model-selector*~ hook.
+The ~defskill~ call exists only to register metadata (priority, name) for
+telemetry and lifecycle management.
+
+#+begin_src lisp
+(defskill :passepartout-model-router
+  :priority 250
+  :trigger (lambda (ctx) (declare (ignore ctx)) nil))
+#+end_src
+
+** Auto-Init
+
+#+begin_src lisp
+(model-router-init)
+#+end_src
+
+

org/programming-lisp.org

@@ -0,0 +1,341 @@
+#+TITLE: SKILL: Utils Lisp (org-skill-utils-lisp.org)
+#+AUTHOR: Agent
+#+FILETAGS: :skill:utils:lisp:validation:evaluation:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/programming-lisp.lisp
+
+* Architectural Intent: The Lisp Surgeon's Toolkit
+
+When the agent needs to modify its own code — fix a bug, add a feature, refactor a skill — it reaches for Utils Lisp. This skill provides every operation needed to read, validate, modify, and write Lisp code from within Lisp itself.
+
+This is possible only because Lisp is homoiconic: code is data. The agent can parse a function definition from a string, extract its body, wrap it in a new form, inject a new expression, and validate the result — all using the same data structures that the Lisp runtime uses to execute the code.
+
+The skill has four layers:
+1. **Validation** — three-phase gate: structural (paren balance) → syntactic (reader safety) → semantic (dangerous forms)
+2. **Evaluation** — sandboxed ~eval~ in a jailed package with ~*read-eval*~ nil
+3. **Structural surgery** — extract, inject, wrap, slurp — surgical code transformations without regex
+4. **Formatting** — auto-indentation via Emacs batch mode
+
+** Contract
+
+1. (lisp-structural-check code): returns (values T nil) if parentheses
+   balanced, (values nil error-msg) if reader errors detected.
+2. (lisp-syntactic-check code): alias for lisp-structural-check.
+3. (lisp-semantic-check code): returns (values T nil) if no unsafe forms
+   (eval, load, run-program) found; (values nil reason) if blocked.
+4. (lisp-validate code &key strict): unified gate — returns
+   ~(:status :success)~ or ~(:status :error :reason ...)~.
+5. (lisp-eval code-string): sandboxed eval with captured output.
+   Returns ~(:status :success :result ...)~ or ~(:status :error ...)~.
+6. (lisp-extract code fn-name): extracts a single defun from code.
+7. (lisp-list-definitions code): returns list of defined symbol names.
+8. (lisp-inject code target new-form): injects a form into a function body.
+9. (lisp-slurp code target form): appends a form to a function body.
+
+* Implementation
+
+** Package Context
+#+begin_src lisp
+(in-package :passepartout)
+#+end_src
+
+** Structural Validation
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun lisp-structural-check (code)
+  "Checks if parentheses are balanced and the code is readable."
+  (handler-case
+      (let ((*read-eval* nil))
+        (with-input-from-string (s code)
+          (loop for form = (read s nil :eof) until (eq form :eof)))
+        (values t nil))
+    (error (c)
+      (values nil (format nil "Reader Error: ~a" c)))))
+#+end_src
+
+** Syntactic Validation
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun lisp-syntactic-check (code)
+  "Checks for valid Lisp syntax beyond just balanced parentheses."
+  (lisp-structural-check code))
+#+end_src
+
+** Semantic Validation (Safety)
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun lisp-semantic-check (code)
+  "Checks for potentially unsafe forms."
+  (let ((unsafe-tokens '("eval" "load" "uiop:run-program" "sb-ext:run-program" "cl-user::eval")))
+    (loop for token in unsafe-tokens
+          when (search token (string-downcase code))
+          do (return-from lisp-semantic-check (values nil (format nil "Unsafe form detected: ~a" token))))
+    (values t nil)))
+#+end_src
+
+** Unified Validation Gate
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun lisp-validate (code &key (strict t))
+  "Unified validation gate for Lisp code."
+  (multiple-value-bind (struct-ok struct-err) (lisp-structural-check code)
+    (unless struct-ok
+      (return-from lisp-validate (list :status :error :reason struct-err)))
+    (when strict
+      (multiple-value-bind (sem-ok sem-err) (lisp-semantic-check code)
+        (unless sem-ok
+          (return-from lisp-validate (list :status :error :reason sem-err)))))
+    (list :status :success)))
+#+end_src
+
+** Evaluation (REPL)
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun lisp-eval (code-string &key (package :passepartout))
+  "Evaluates a Lisp string and captures its output/results."
+  (let ((out (make-string-output-stream))
+        (err (make-string-output-stream)))
+    (handler-case
+        (let* ((*standard-output* out)
+               (*error-output* err)
+               (*package* (or (find-package package) (find-package :passepartout)))
+               (result (with-input-from-string (s code-string)
+                         (let ((last-val nil))
+                           (loop for form = (read s nil :eof) until (eq form :eof)
+                                 do (setf last-val (eval form)))
+                           last-val))))
+          (list :status :success
+                :result (format nil "~a" result)
+                :output (get-output-stream-string out)
+                :error (get-output-stream-string err)))
+      (error (c)
+        (list :status :error
+              :reason (format nil "~a" c)
+              :output (get-output-stream-string out)
+              :error (get-output-stream-string err))))))
+#+end_src
+
+** Formatting (Emacs Batch)
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun lisp-format (code-string)
+  "Attempts to format Lisp code using Emacs batch mode if available."
+  (handler-case
+      (let ((tmp-file "/tmp/oc-format-temp.lisp"))
+        (uiop:with-output-file (s tmp-file :if-exists :supersede)
+          (format s "~a" code-string))
+        (multiple-value-bind (out err code)
+            (uiop:run-program (list "emacs" "--batch" tmp-file 
+                                   "--eval" "(indent-region (point-min) (point-max))"
+                                   "--eval" "(princ (buffer-string))")
+                             :output :string :error-output :string :ignore-error-status t)
+          (if (= code 0)
+              out
+              (progn
+                (log-message "FORMAT ERROR: ~a" err)
+                code-string))))
+    (error (c)
+      (log-message "FORMAT EXCEPTION: ~a" c)
+      code-string)))
+#+end_src
+
+** Structural Extraction (AST)
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun lisp-extract (code function-name)
+  "Extracts the definition of a specific function from a code string."
+  (let ((*read-eval* nil))
+    (with-input-from-string (s code)
+      (loop for form = (read s nil :eof) until (eq form :eof)
+            when (and (listp form) 
+                      (symbolp (car form))
+                      (member (symbol-name (car form)) '("DEFUN" "DEFMACRO" "DEFMETHOD") :test #'string-equal)
+                      (symbolp (second form))
+                      (string-equal (symbol-name (second form)) function-name))
+            do (return-from lisp-extract (format nil "~s" form))))
+    nil))
+#+end_src
+
+** Structural Wrapping (AST)
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun lisp-wrap (code target-name wrapper-symbol)
+  "Wraps a specific form in a wrapper form (e.g., wrap in a let)."
+  (let ((*read-eval* nil) (results nil))
+    (with-input-from-string (s code)
+      (loop for form = (read s nil :eof) until (eq form :eof)
+            do (if (and (listp form) 
+                        (symbolp (second form))
+                        (string-equal (symbol-name (second form)) target-name))
+                   (push (list wrapper-symbol form) results)
+                   (push form results))))
+    (format nil "~{~s~^~%~%~}" (nreverse results))))
+#+end_src
+
+** List Definitions
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun lisp-list-definitions (code)
+  "Returns a list of names for all top-level definitions (defun, defmacro, etc.)."
+  (let ((*read-eval* nil) (names nil))
+    (with-input-from-string (s code)
+      (loop for form = (read s nil :eof) until (eq form :eof)
+            when (and (listp form) 
+                      (symbolp (car form))
+                      (member (symbol-name (car form)) 
+                              '("DEFUN" "DEFMACRO" "DEFMETHOD" "DEFVAR" "DEFPARAMETER")
+                              :test #'string-equal)
+                      (symbolp (second form)))
+            do (push (second form) names)))
+    (nreverse names)))
+#+end_src
+
+** Structural Injection (AST)
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun lisp-inject (code target-name new-form-string)
+  "Injects a new form into the body of a targeted definition."
+  (let ((*read-eval* nil)
+        (new-form (read-from-string new-form-string))
+        (results nil))
+    (with-input-from-string (s code)
+      (loop for form = (read s nil :eof) until (eq form :eof)
+            do (if (and (listp form) 
+                        (symbolp (car form))
+                        (member (symbol-name (car form)) '("DEFUN" "DEFMACRO" "DEFMETHOD") :test #'string-equal)
+                        (symbolp (second form))
+                        (string-equal (symbol-name (second form)) target-name))
+                   (push (append form (list new-form)) results)
+                   (push form results))))
+    (format nil "~{~s~^~%~%~}" (nreverse results))))
+#+end_src
+
+** Structural Slurp (AST)
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun lisp-slurp (code target-name form-to-slurp-string)
+  "Adds a form to the end of a named list or definition (Paredit slurp)."
+  (let ((*read-eval* nil)
+        (to-slurp (read-from-string form-to-slurp-string))
+        (results nil))
+    (with-input-from-string (s code)
+      (loop for form = (read s nil :eof) until (eq form :eof)
+            do (if (and (listp form) 
+                        (symbolp (second form))
+                        (string-equal (symbol-name (second form)) target-name))
+                   (push (append form (list to-slurp)) results)
+                   (push form results))))
+    (format nil "~{~s~^~%~%~}" (nreverse results))))
+#+end_src
+
+** Skill Registration
+#+begin_src lisp
+(defskill :passepartout-programming-lisp
+  :priority 400
+  :trigger (lambda (ctx) (declare (ignore ctx)) nil))
+#+end_src
+
+** Plist Keywords Normalize (relocated from core-reason)
+
+Lisp keywords are case-sensitive. The LLM might produce :payload or :PAYLOAD depending on the model. This function normalizes keyword keys to uppercase.
+
+#+begin_src lisp
+(defun plist-keywords-normalize (plist)
+  (when (listp plist)
+    (loop for (k v) on plist by #'cddr
+          collect (if (and (symbolp k) (not (keywordp k)))
+                       (intern (string k) :keyword)
+                       k)
+          collect v)))
+#+end_src
+
+* Test Suite
+Tests for the Lisp Validator structural, syntactic, and semantic gates.
+#+begin_src lisp
+(defpackage :passepartout-utils-lisp-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:utils-lisp-suite))
+
+(in-package :passepartout-utils-lisp-tests)
+
+(def-suite utils-lisp-suite
+  :description "Tests for the Lisp Validator structural, syntactic, and semantic gates")
+
+(in-suite utils-lisp-suite)
+
+(test structural-balanced
+  "Contract 1: balanced code returns T."
+  (is (eq t (passepartout:lisp-structural-check "(+ 1 2)"))))
+
+(test structural-unbalanced-open
+  "Contract 1: missing close paren returns nil + error."
+  (multiple-value-bind (ok reason) (passepartout:lisp-structural-check "(+ 1 2")
+    (is (null ok))
+    (is (search "Reader Error" reason))))
+
+(test structural-unbalanced-close
+  "Contract 1: extra close paren returns nil + error."
+  (multiple-value-bind (ok reason) (passepartout:lisp-structural-check "+ 1 2)")
+    (is (null ok))
+    (is (search "Reader Error" reason))))
+
+(test syntactic-valid
+  "Contract 2: valid syntax passes syntactic check."
+  (is (eq t (passepartout:lisp-syntactic-check "(+ 1 2)"))))
+
+(test semantic-safe
+  "Contract 3: safe code passes semantic check."
+  (is (eq t (passepartout:lisp-semantic-check "(+ 1 2)"))))
+
+(test semantic-blocked-eval
+  "Contract 3: eval forms are blocked by semantic check."
+  (multiple-value-bind (ok reason) (passepartout:lisp-semantic-check "(eval '(+ 1 2))")
+    (is (null ok))
+    (is (search "Unsafe" reason))))
+
+(test unified-success
+  "Contract 4: valid code returns :success via lisp-validate."
+  (let ((result (passepartout:lisp-validate "(+ 1 2)" :strict t)))
+    (is (eq (getf result :status) :success))))
+
+(test unified-failure
+  "Contract 4: invalid code returns :error via lisp-validate."
+  (let ((result (passepartout:lisp-validate "(+ 1 2" :strict nil)))
+    (is (eq (getf result :status) :error))))
+
+(test eval-basic
+  "Contract 5: lisp-eval returns :success with captured result."
+  (let ((result (passepartout:lisp-eval "(+ 1 2)")))
+    (is (eq (getf result :status) :success))
+    (is (string= (getf result :result) "3"))))
+
+(test structural-extract
+  "Contract 6: lisp-extract finds and returns a named function."
+  (let* ((code "(defun hello () (print \"hi\")) (defun bye () (print \"bye\"))")
+         (extracted (passepartout:lisp-extract code "hello")))
+    (is (not (null extracted)))
+    (let ((form (read-from-string extracted)))
+      (is (eq (car form) 'DEFUN))
+      (is (eq (second form) 'HELLO)))))
+
+(test list-definitions
+  "Contract 7: lisp-list-definitions returns all defined names."
+  (let ((code "(defun foo () t) (defmacro bar () nil) (defparameter *baz* 10)"))
+    (let ((names (passepartout:lisp-list-definitions code)))
+      (is (member 'FOO names))
+      (is (member 'BAR names))
+      (is (member '*BAZ* names)))))
+
+(test structural-inject
+  "Contract 8: lisp-inject adds a form to a function body."
+  (let* ((code "(defun my-fun (x) (print x))")
+         (injected (passepartout:lisp-inject code "my-fun" "(finish-output)")))
+    (let ((form (read-from-string injected)))
+      (is (equal (last form) '((FINISH-OUTPUT)))))))
+
+(test structural-slurp
+  "Contract 9: lisp-slurp appends a form to a function body."
+  (let* ((code "(defun work () (step-1))")
+         (slurped (passepartout:lisp-slurp code "work" "(step-2)")))
+    (let ((form (read-from-string slurped)))
+      (is (equal (last form) '((STEP-2)))))))
+#+end_src

org/programming-literate.org

@@ -0,0 +1,145 @@
+#+TITLE: SKILL: Literate Programming (org-skill-literate-programming.org)
+#+AUTHOR: Agent
+#+FILETAGS: :system:literate:tangle:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/programming-literate.lisp
+
+* Overview
+This skill enforces the literal programming discipline for all Passepartout source code. It defines the rules for one-function-per-block, prose-before-code, reflecting working code back from the REPL to Org, and the tangle mandate (never edit .lisp directly). Every Org file that contains Lisp code should follow the rules defined here.
+
+** Contract
+
+1. (literate-extract-lisp-blocks content): extracts concatenated
+   Lisp code from all ~#+begin_src lisp~ blocks in an Org string.
+2. (literate-block-balance-check org-file): checks that parentheses are
+   balanced across all lisp blocks in an Org file. Returns T or nil.
+3. (literate-tangle-sync-check org-file lisp-file): verifies the
+   tangled .lisp file matches the Org source. Returns T or mismatch info.
+
+* Implementation
+
+** Package Context
+#+begin_src lisp
+(in-package :passepartout)
+#+end_src
+
+** Block Extraction
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun literate-extract-lisp-blocks (content)
+  "Extracts all #+begin_src lisp ... #+end_src blocks from Org CONTENT.
+Returns a list of block strings."
+  (let ((lines (uiop:split-string content :separator '(#\Newline)))
+        (blocks nil)
+        (in-block nil)
+        (current-block nil))
+    (dolist (line lines)
+      (let ((trimmed (string-trim '(#\Space) line)))
+        (cond
+          ((uiop:string-prefix-p "#+begin_src lisp" trimmed)
+           (setf in-block t current-block nil))
+          ((uiop:string-prefix-p "#+end_src" trimmed)
+           (when in-block
+             (push (format nil "~{~a~^~%~}" (nreverse current-block)) blocks)
+             (setf in-block nil current-block nil)))
+          (in-block
+           (push line current-block)))))
+    (nreverse blocks)))
+#+end_src
+
+** Synchronization Logic
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun literate-block-balance-check (org-file)
+  "Verifies that all Lisp source blocks in an Org file have balanced parentheses.
+Returns T if all blocks pass validation, or an error string listing failures."
+  (when (not (uiop:file-exists-p org-file))
+    (return-from literate-block-balance-check
+      (format nil "Org file not found: ~a" org-file)))
+  (let* ((content (uiop:read-file-string org-file))
+         (blocks (literate-extract-lisp-blocks content))
+         (failures nil))
+    (if (null blocks)
+        t
+        (progn
+          (loop for i from 0
+                for block in blocks
+                for (ok reason) = (multiple-value-list
+                                    (lisp-structural-check block))
+                unless ok
+                do (push (format nil "Block ~d: ~a" (1+ i) reason) failures))
+          (if failures
+              (format nil "Unbalanced blocks in ~a:~%~{~a~^~%~}" org-file failures)
+              t)))))
+
+#+end_src
+** literate-tangle-sync-check
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun literate-tangle-sync-check (org-file lisp-file)
+  "Verifies that the .lisp file matches the tangled output of the .org file.
+Compares the concatenation of all lisp blocks from the Org file against the
+contents of the Lisp file. Returns T if they match, or an error message."
+  (when (not (uiop:file-exists-p org-file))
+    (return-from literate-tangle-sync-check
+      (format nil "Org file not found: ~a" org-file)))
+  (when (not (uiop:file-exists-p lisp-file))
+    (return-from literate-tangle-sync-check
+      (format nil "Lisp file not found: ~a" lisp-file)))
+  (let* ((org-content (uiop:read-file-string org-file))
+         (org-blocks (literate-extract-lisp-blocks org-content))
+         (tangled (format nil "~{~a~^~%~%~}" org-blocks))
+         (lisp-content (uiop:read-file-string lisp-file)))
+    (if (string= (string-trim '(#\Space #\Newline) tangled)
+                 (string-trim '(#\Space #\Newline) lisp-content))
+        t
+        (format nil "Tangle sync mismatch: ~a does not match ~a" org-file lisp-file))))
+#+end_src
+#+end_src
+
+** Skill Registration
+#+begin_src lisp
+(defskill :passepartout-programming-literate
+  :priority 300
+  :trigger (lambda (ctx) (declare (ignore ctx)) nil))
+#+end_src
+
+* Test Suite
+
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-programming-literate-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:literate-suite))
+
+(in-package :passepartout-programming-literate-tests)
+
+(def-suite literate-suite :description "Verification of the Literate Programming skill")
+(in-suite literate-suite)
+
+(test test-extract-lisp-blocks
+  "Contract 1: extracts lisp from #+begin_src blocks."
+  (let* ((org-content (format nil "#+begin_src lisp~%(+ 1 2)~%#+end_src~%#+begin_src lisp~%(+ 3 4)~%#+end_src"))
+         (extracted (literate-extract-lisp-blocks org-content)))
+    (let ((joined (format nil "~{~a~^~%~}" extracted)))
+      (is (search "(+ 1 2)" joined))
+      (is (search "(+ 3 4)" joined)))))
+
+(test test-block-balance-check-valid
+  "Contract 2: balanced parens return T."
+  (is (eq t (literate-block-balance-check
+             (merge-pathnames "org/core-pipeline.org"
+                              (uiop:ensure-directory-pathname
+                               (uiop:getenv "PASSEPARTOUT_DATA_DIR")))))))
+
+(test test-block-balance-check-missing-close
+  "Contract 2: unbalanced parens return non-T."
+  (is (not (eq t (literate-block-balance-check "org/nonexistent-file-xyz.org")))))
+
+(test test-tangle-sync-check
+  "Contract 3: literate-tangle-sync-check verifies org matches tangled lisp."
+  (let ((result (literate-tangle-sync-check "org/core-pipeline.org" "lisp/core-pipeline.lisp")))
+    (is (or (eq t result) (stringp result))
+        "Should return T or a mismatch description")))
+#+end_src

org/programming-org.org

@@ -0,0 +1,469 @@
+#+TITLE: SKILL: Utils Org (org-skill-utils-org.org)
+#+AUTHOR: Agent
+#+FILETAGS: :skill:utils:org:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/programming-org.lisp
+
+* Overview
+Structural manipulation tools for Org-mode files. This skill handles reading, writing, and modifying Org files at the AST level: finding headlines by ID or title, setting properties and TODO states, adding new headlines, generating UUIDs, and converting ASTs back to Org text. It also implements the privacy filter — when reading an Org file, it strips headlines tagged with ~@personal~ (or any tag in the Dispatcher's privacy tags) and rejects files with matching ~#+FILETAGS:~.
+
+** Contract
+
+1. (org-id-generate): returns a new UUID string.
+2. (org-id-format id): ensures the ID has an "id:" prefix.
+3. (org-property-set ast target-id property value): recursively sets a
+   property on a headline matching target-id. Returns T on success.
+4. (org-todo-set ast target-id status): sets TODO status via
+   org-property-set.
+5. (org-headline-add ast parent-id title): adds a new child headline.
+6. (org-headline-find-by-id ast id): returns the subtree for a matching
+   headline ID.
+7. (org-id-get-create ast target-id): ensures a headline has an :ID: property.
+   If the headline already has one, returns it. If not, generates a new UUID,
+   sets it, and returns it. Returns nil if the headline is not found.
+
+* Implementation
+
+** Package Context
+#+begin_src lisp
+(in-package :passepartout)
+#+end_src
+
+** Reading Files (with Privacy Filter)
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun org-filetags-extract (content)
+  "Extracts the list of tags from a #+FILETAGS: line."
+  (let ((lines (uiop:split-string content :separator '(#\Newline))))
+    (dolist (line lines)
+      (when (uiop:string-prefix-p "#+FILETAGS:" (string-trim '(#\Space) line))
+        (let ((tag-str (string-trim " :" (subseq (string-trim '(#\Space) line) 10))))
+          (return-from org-filetags-extract
+            (mapcar (lambda (tag) (format nil ":~a" (string-trim '(#\Space) tag)))
+                    (uiop:split-string tag-str :separator '(#\space #\tab))))))))
+  nil)
+
+#+end_src
+** org-privacy-tag-p
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun org-privacy-tag-p (tags-list)
+  "Returns T if any tag in TAGS-LIST matches the Dispatcher's privacy tags."
+  (let ((privacy-tags (symbol-value (find-symbol "*DISPATCHER-PRIVACY-TAGS*" :passepartout))))
+    (when (and tags-list privacy-tags)
+      (some (lambda (tag)
+              (some (lambda (private-tag)
+                      (string-equal (string-trim '(#\: #\space) tag)
+                                    (string-trim '(#\: #\space) private-tag)))
+                    privacy-tags))
+            tags-list))))
+
+#+end_src
+** org-privacy-strip
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun org-privacy-strip (content)
+  "Removes Org headlines whose :TAGS: property contains a privacy-filtered tag.
+Returns the filtered content as a string."
+  (let* ((lines (uiop:split-string content :separator '(#\Newline)))
+         (result-lines nil)
+         (skip-depth nil)
+         (current-tags nil)
+         (in-properties nil))
+    (dolist (line lines)
+      (cond
+        (skip-depth
+         ;; We're inside a skipped subtree
+         (when (and (uiop:string-prefix-p "*" (string-trim '(#\Space) line))
+                    (<= (length (string-trim '(#\Space) line)) skip-depth))
+           (setf skip-depth nil)))
+        ((uiop:string-prefix-p ":PROPERTIES:" (string-trim '(#\Space) line))
+         (setf in-properties t)
+         (push line result-lines))
+        ((uiop:string-prefix-p ":END:" (string-trim '(#\Space) line))
+         (setf in-properties nil)
+         (when current-tags
+           (when (org-privacy-tag-p (reverse current-tags))
+             (setf skip-depth
+                   (length (car (last result-lines
+                                      (1+ (position-if
+                                           (lambda (l)
+                                             (uiop:string-prefix-p "*" (string-trim '(#\Space) l)))
+                                           (reverse result-lines))))))))
+           (setf current-tags nil))
+         (push line result-lines))
+        ((and in-properties (uiop:string-prefix-p ":TAGS:" (string-trim '(#\Space) line)))
+         (let ((tag-val (string-trim '(#\Space) (subseq (string-trim '(#\Space) line) 6))))
+           (setf current-tags (uiop:split-string tag-val :separator '(#\space #\tab))))
+         (push line result-lines))
+        (t
+         (push line result-lines))))
+    (format nil "~{~a~%~}" (nreverse result-lines))))
+
+#+end_src
+** org-read-file
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun org-read-file (filepath)
+  "Reads an Org file into a string, applying privacy filtering."
+  (let* ((raw (uiop:read-file-string filepath))
+         (filetags (org-filetags-extract raw)))
+    (if (org-privacy-tag-p filetags)
+        (progn
+          (log-message "UTILS-ORG: Blocked read of ~a — file-level privacy tag(s) ~a" filepath filetags)
+          nil)
+        (org-privacy-strip raw))))
+#+end_src
+#+end_src
+
+** Writing Files
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun org-write-file (filepath content)
+  "Writes content to an Org file."
+  (uiop:with-output-file (s filepath :if-exists :supersede)
+    (format s "~a" content)))
+#+end_src
+
+** ID Generation
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun org-id-generate ()
+  "Generates a new UUID for an Org node."
+  (string-downcase (format nil "~a" (uuid:make-v4-uuid))))
+#+end_src
+
+** ID Formatting
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun org-id-format (id)
+  "Ensures the ID has the 'id:' prefix."
+  (if (uiop:string-prefix-p "id:" id)
+      id
+      (format nil "id:~a" id)))
+#+end_src
+
+** Setting Properties (Recursive)
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun org-property-set (ast target-id property value)
+  "Recursively sets a property on a headline with a matching ID in the AST."
+  (let ((type (getf ast :type))
+        (props (getf ast :properties))
+        (contents (getf ast :contents)))
+    (when (and (eq type :HEADLINE) (string= (getf props :ID) target-id))
+      (setf (getf (getf ast :properties) property) value)
+      (return-from org-property-set t))
+    (dolist (child contents)
+      (when (listp child)
+        (when (org-property-set child target-id property value)
+          (return-from org-property-set t)))))
+  nil)
+#+end_src
+
+** Setting TODO Status
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun org-todo-set (ast target-id status)
+  "Sets the TODO status of a headline in the AST."
+  (org-property-set ast target-id :TODO status))
+#+end_src
+
+** Adding Headlines
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun org-headline-add (ast parent-id title)
+  "Adds a new headline as a child of the parent-id in the AST."
+  (let* ((type (getf ast :type))
+         (props (getf ast :properties))
+         (id (getf props :ID))
+         (contents (getf ast :contents)))
+    (when (and (eq type :HEADLINE) (string= id parent-id))
+      (let ((new-node (list :type :HEADLINE
+                           :properties (list :ID (org-id-format (org-id-generate))
+                                            :TITLE title)
+                           :contents nil)))
+        (setf (getf ast :contents) (append contents (list new-node)))
+        (return-from org-headline-add t)))
+    (dolist (child contents)
+      (when (listp child)
+        (when (org-headline-add child parent-id title)
+          (return-from org-headline-add t)))))
+  nil)
+#+end_src
+
+** Searching Headlines (by ID)
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun org-headline-find-by-id (ast id)
+  "Finds a headline by its ID in the AST."
+  (let ((props (getf ast :properties)))
+    (when (string= (getf props :ID) id)
+      (return-from org-headline-find-by-id ast))
+    (dolist (child (getf ast :contents))
+      (when (listp child)
+        (let ((found (org-headline-find-by-id child id)))
+          (when found (return-from org-headline-find-by-id found)))))
+    nil))
+#+end_src
+
+** Searching Headlines (by Title)
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun org-headline-find-by-title (ast title)
+  "Finds a headline by its title in the AST."
+  (let ((props (getf ast :properties)))
+     (when (string-equal (getf props :TITLE) title)
+      (return-from org-headline-find-by-title ast))
+    (dolist (child (getf ast :contents))
+      (when (listp child)
+        (let ((found (org-headline-find-by-title child title)))
+          (when found (return-from org-headline-find-by-title found)))))
+     nil))
+#+end_src
+
+** org-id-get-create — Ensure a Headline Has an ID
+;; REPL-VERIFIED: 2026-05-07T19:00:00
+#+begin_src lisp
+(defun org-id-get-create (ast target-id)
+  "If the headline at TARGET-ID has an :ID property, return it.
+If not, generate a new UUID, set it as the :ID property, and return it.
+TARGET-ID can be a headline's :ID or :TITLE in the AST.
+Returns nil if the headline is not found."
+  (let ((headline (or (org-headline-find-by-id ast target-id)
+                      (org-headline-find-by-title ast target-id))))
+    (when headline
+      (let* ((props (getf headline :properties))
+             (id (getf props :ID)))
+        (if id
+            id
+            (let ((new-id (org-id-format (org-id-generate))))
+              (setf (getf props :ID) new-id)
+              new-id))))))
+#+end_src
+
+** Subtree Extraction (from Org text)
+
+Extracts a specific headline subtree from raw Org text by heading name.
+Used by =context-skill-subtree= for targeted skill source loading.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun org-subtree-extract (org-content heading-name)
+  "Extracts a subtree by heading name from Org text. Returns the subtree
+content as a string (headline + body + children), or nil if not found."
+  (let* ((lines (uiop:split-string org-content :separator '(#\Newline)))
+         (target-depth nil)
+         (in-target nil)
+         (result nil))
+    (loop for line in lines
+          for trimmed = (string-trim '(#\Space) line)
+          do (let ((depth (when (uiop:string-prefix-p "*" trimmed)
+                            (length (subseq trimmed 0
+                                            (position-if (lambda (c) (not (char= c #\*)))
+                                                         trimmed)))))
+                   (headline-title (when (uiop:string-prefix-p "*" trimmed)
+                                     (string-trim '(#\* #\Space) trimmed))))
+               (when depth
+                 (when (string-equal headline-title heading-name)
+                   (setf target-depth depth in-target t))
+                 (when (and in-target target-depth
+                            (<= depth target-depth)
+                            (not (string-equal headline-title heading-name)))
+                   (return-from org-subtree-extract
+                     (format nil "~{~a~^~%~}" (nreverse result)))))
+               (when in-target (push line result))))
+    (when result
+      (format nil "~{~a~^~%~}" (nreverse result)))))
+
+#+end_src
+** org-heading-list
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun org-heading-list (org-content)
+  "Returns a list of all top-level heading names in Org text."
+  (let* ((lines (uiop:split-string org-content :separator '(#\Newline)))
+         (headings nil))
+    (dolist (line lines)
+      (let ((trimmed (string-trim '(#\Space) line)))
+        (when (uiop:string-prefix-p "* " trimmed)
+          (let ((title (string-trim '(#\* #\Space) trimmed)))
+            (unless (find title headings :test #'string-equal)
+              (push title headings))))))
+    (nreverse headings)))
+#+end_src
+#+end_src
+
+** Text Modification in Org Files
+Replaces text in Org files with verification. Used by =system-self-improve= for
+surgical edits.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun org-modify (filepath old-text new-text)
+  "Replaces all occurrences of OLD-TEXT with NEW-TEXT in filepath.
+Returns T if OLD-TEXT was found and replaced, nil if not found."
+  (when (not (uiop:file-exists-p filepath))
+    (log-message "UTILS-ORG: org-modify: file not found: ~a" filepath)
+    (return-from org-modify nil))
+  (let* ((content (uiop:read-file-string filepath))
+         (pos (search old-text content :test #'string=)))
+    (unless pos
+      (log-message "UTILS-ORG: org-modify: text not found in ~a" filepath)
+      (return-from org-modify nil))
+    (let ((modified (cl-ppcre:regex-replace-all
+                      (cl-ppcre:quote-meta-chars old-text)
+                      content new-text)))
+      (org-write-file filepath modified)
+      (log-message "UTILS-ORG: Modified ~a (~d chars replaced)" filepath (length old-text))
+      t)))
+#+end_src
+
+** AST to Org text conversion
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun org-ast-render (ast &key (depth 1))
+  "Converts a plist AST node back to Org text.
+AST format: (:TYPE :HEADLINE :properties (:ID ... :TITLE ... :TAGS (...))
+              :contents (child-ast ...))"
+  (let* ((type (getf ast :TYPE))
+         (props (getf ast :properties))
+         (title (or (getf props :TITLE) "Untitled"))
+         (tags (getf props :TAGS))
+         (todo (getf props :TODO-STATE))
+         (children (getf ast :contents))
+         (raw-content (getf ast :raw-content))
+         (stars (make-string depth :initial-element #\*))
+         (output ""))
+    (unless (eq type :HEADLINE)
+      (return-from org-ast-render (or raw-content "")))
+    ;; Headline
+    (setf output (format nil "~a~@[ ~a~] ~a" stars todo title))
+    (when tags
+      (let ((tag-str (format nil "~{~a~^:~}" (mapcar (lambda (tag) (string-trim '(#\:) tag)) tags))))
+        (setf output (concatenate 'string output (format nil " :~a::~%" tag-str))))
+      (setf output (concatenate 'string output (string #\Newline))))
+    (unless tags
+      (setf output (concatenate 'string output (string #\Newline))))
+    ;; Property drawer
+    (setf output (concatenate 'string output ":PROPERTIES:" (string #\Newline)))
+    (loop for (k v) on props by #'cddr
+          do (unless (or (eq k :TITLE) (eq k :TAGS))
+               (setf output (concatenate 'string output
+                                         (format nil ":~a: ~a~%" k v)))))
+    (setf output (concatenate 'string output ":END:" (string #\Newline)))
+    ;; Content
+    (when raw-content
+      (setf output (concatenate 'string output raw-content (string #\Newline))))
+    ;; Children
+    (dolist (child children)
+      (when (listp child)
+        (setf output (concatenate 'string output
+                                  (org-ast-render child :depth (1+ depth))))))
+    output))
+#+end_src
+
+** Skill Registration
+#+begin_src lisp
+(defskill :passepartout-programming-org
+  :priority 100
+  :trigger (lambda (ctx) (declare (ignore ctx)) nil))
+#+end_src
+
+* Test Suite
+Verification of the structural manipulation for Org-mode files and their AST representation.
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ignore-errors (ql:quickload :fiveam :silent t)))
+
+(defpackage :passepartout-utils-org-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:utils-org-suite))
+
+(in-package :passepartout-utils-org-tests)
+
+(def-suite utils-org-suite
+  :description "Tests for Utils Org skill.")
+
+(in-suite utils-org-suite)
+
+(test id-generation
+  "Contract 1: org-id-generate returns unique UUID strings."
+  (let ((id1 (org-id-generate))
+        (id2 (org-id-generate)))
+    (is (plusp (length id1)))
+    (is (not (string= id1 id2)))))
+
+(test id-format
+  "Contract 2: org-id-format ensures 'id:' prefix."
+  (let ((formatted (org-id-format "abc12345")))
+    (is (search "id:" formatted))))
+
+(test property-setter
+  "Contract 3: org-property-set modifies a property on a headline."
+  (let ((ast (list :type :HEADLINE
+                  :properties (list :ID "id:test123" :TITLE "Test")
+                  :contents nil)))
+    (org-property-set ast "id:test123" :STATUS "ACTIVE")
+    (is (string= (getf (getf ast :properties) :STATUS) "ACTIVE"))))
+
+(test todo-setter
+  "Contract 4: org-todo-set changes TODO state via org-property-set."
+  (let ((ast (list :type :HEADLINE
+                  :properties (list :ID "id:todo001" :TITLE "Task")
+                  :contents nil)))
+    (org-todo-set ast "id:todo001" "DONE")
+    (is (string= (getf (getf ast :properties) :TODO) "DONE"))))
+
+(test test-org-headline-add
+  "Contract 5: org-headline-add inserts a child headline."
+  (let* ((ast (list :type :HEADLINE
+                   :properties (list :ID "root" :TITLE "Root")
+                   :contents nil)))
+    (is (eq t (org-headline-add ast "root" "New Child")))
+    (is (= 1 (length (getf ast :contents))))
+    (is (string= "New Child" (getf (getf (first (getf ast :contents)) :properties) :TITLE)))))
+
+(test test-org-headline-find-by-id
+  "Contract 6: org-headline-find-by-id finds a headline by ID."
+  (let* ((ast (list :type :HEADLINE
+                    :properties (list :ID "root" :TITLE "Root")
+                    :contents
+                    (list (list :type :HEADLINE
+                                :properties (list :ID "child1" :TITLE "Child"))
+                          (list :type :HEADLINE
+                                :properties (list :ID "child2" :TITLE "Child 2"))))))
+    (let ((found (org-headline-find-by-id ast "child2")))
+      (is (not (null found)))
+      (is (string= "Child 2" (getf (getf found :properties) :TITLE))))
+    (let ((missing (org-headline-find-by-id ast "nonexistent")))
+      (is (null missing) "Missing ID should return nil"))))
+
+(test test-org-id-get-create
+  "Contract 7: org-id-get-create returns existing ID or creates and sets a new one."
+  ;; Case 1: headline already has an ID
+  (let* ((ast (list :type :HEADLINE
+                    :properties (list :ID "id:existing" :TITLE "Has ID")
+                    :contents nil)))
+    (is (string= "id:existing" (org-id-get-create ast "id:existing"))))
+  ;; Case 2: headline exists by title but has no ID — one should be created
+  (let* ((ast (list :type :HEADLINE
+                    :properties (list :TITLE "No ID")
+                    :contents nil)))
+    (let ((new-id (org-id-get-create ast "No ID")))
+      (is (stringp new-id))
+      (is (uiop:string-prefix-p "id:" new-id))
+      ;; Verify the ID was set on the headline
+      (is (string= new-id (getf (getf ast :properties) :ID)))))
+  ;; Case 3: idempotent — calling again returns same ID
+  (let* ((ast (list :type :HEADLINE
+                    :properties (list :TITLE "Idempotent")
+                    :contents nil)))
+    (let ((id1 (org-id-get-create ast "Idempotent"))
+          (id2 (org-id-get-create ast "Idempotent")))
+      (is (string= id1 id2))))
+  ;; Case 4: headline not found returns nil
+  (let* ((ast (list :type :HEADLINE
+                    :properties (list :ID "root" :TITLE "Root")
+                    :contents nil)))
+    (is (null (org-id-get-create ast "nonexistent")))))
+#+end_src

org/programming-repl.org

@@ -0,0 +1,316 @@
+#+TITLE: SKILL: REPL (org-skill-repl.org)
+#+AUTHOR: Agent
+#+FILETAGS: :system:repl:interactive:debug:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/programming-repl.lisp
+
+* Overview
+The *REPL Skill* provides persistent Lisp evaluation, inspection, and debugging capabilities. This enables the agent to verify behavior at runtime rather than just at the text level.
+
+* Phase A: Demand (Thinking)
+** Why a REPL?
+The lisp-eval function provides one-shot evaluation but:
+- No state persistence between calls
+- No variable inspection
+- No debugging capabilities
+
+The REPL skill fills this gap by:
+- Maintaining evaluation state across turns
+- Supporting variable inspection
+- Providing debugging commands
+- Optionally connecting to external Swank servers
+
+** Success Criteria
+- Code evaluation returns result + stdout/stderr separately
+- Variables can be inspected
+- Can load code into image
+- Optional: connect to external SLIME/Swank session
+
+* Phase B: Contract
+
+1. (repl-eval code-string &key package): evaluates Lisp code in a
+   sandboxed environment (~*read-eval* nil~). Returns (values result
+   output error) as three strings. Adds to ~*repl-history*~.
+2. (repl-inspect symbol-name &key package): returns a formatted string
+   describing the symbol's value, type, or function documentation.
+3. (repl-list-vars &key package): returns a list of bound variable
+   names in the given package.
+
+* Phase C: Implementation
+
+** Global State
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(in-package :passepartout)
+
+(defvar *repl-package* :passepartout
+  "Default package for REPL evaluations.")
+
+#+end_src
+** *repl-history*
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *repl-history* nil
+  "History of evaluated forms for session continuity.")
+
+#+end_src
+** *repl-variables*
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *repl-variables* (make-hash-table :test #'eq)
+  "Cache of bound variables for inspection.")
+#+end_src
+#+end_src
+
+** Core Evaluation
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun repl-eval (code-string &key (package *repl-package*))
+  "Evaluate Lisp code and return (values result output error).
+   - result: the return value as string
+   - output: captured stdout
+   - error: error message or nil on success"
+  (let ((out (make-string-output-stream))
+        (err (make-string-output-stream))
+        (pkg (or (find-package package) (find-package :passepartout))))
+    (handler-case
+        (let* ((*standard-output* out)
+               (*error-output* err)
+               (*package* pkg)
+               (*read-eval* nil)
+               (result nil))
+          (with-input-from-string (s code-string)
+            (loop for form = (read s nil :eof) until (eq form :eof)
+                  do (setf result (eval form))))
+          (push code-string *repl-history*)
+          (values
+           (format nil "~a" result)
+           (get-output-stream-string out)
+           nil))
+      (error (c)
+        (values
+         nil
+         (get-output-stream-string out)
+         (format nil "~a" c))))))
+#+end_src
+
+** Variable Inspection
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun repl-inspect (symbol-name &key (package *repl-package*))
+  "Inspect a variable's value and structure."
+  (let* ((pkg (or (find-package package) (find-package :passepartout)))
+         (sym (find-symbol (string-upcase symbol-name) pkg)))
+    (cond
+      ((null sym)
+       (format nil "Symbol ~a not found in package ~a" symbol-name package))
+      ((boundp sym)
+       (let ((val (symbol-value sym)))
+         (format nil "~a = ~a~%Type: ~a~%~%"
+                 sym val (type-of val))))
+      ((fboundp sym)
+       (format nil "~a is a function~%Args: ~a~%"
+               sym (documentation sym 'function)))
+      (t
+       (format nil "~a is unbound" symbol-name)))))
+#+end_src
+
+** List Bound Variables
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun repl-list-vars (&key (package *repl-package*))
+  "List all bound variables in the package."
+  (let* ((pkg (or (find-package package) (find-package :passepartout)))
+         (vars nil))
+    (do-symbols (sym pkg)
+      (when (boundp sym)
+        (push (format nil "~a" sym) vars)))
+    (sort vars #'string<)))
+#+end_src
+
+** Load File into Image
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun repl-load-file (filepath)
+  "Load a Lisp file into the current image."
+  (handler-case
+      (progn
+        (load filepath)
+        (format nil "Loaded ~a" filepath))
+    (error (c)
+      (format nil "Error loading ~a: ~a" filepath c))))
+#+end_src
+
+** Package Switching
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun repl-set-package (package-name)
+  "Set the default package for REPL evaluations."
+  (let ((pkg (find-package (string-upcase package-name))))
+    (if pkg
+        (setf *repl-package* pkg)
+        (format nil "Package ~a not found" package-name))))
+#+end_src
+
+** Help/Info
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun repl-help ()
+  "Return available REPL commands."
+  (format nil "~%
+REPL Skill Commands:
+-------------------
+(repl-eval \"code\" :package :passepartout)
+  - Evaluate Lisp code, returns (values result output error)
+
+(repl-inspect \"symbol\" :package :passepartout)
+  - Inspect a variable or function
+
+(repl-list-vars :package :passepartout)
+  - List all bound variables
+
+(repl-load-file \"/path/to/file.lisp\")
+  - Load a file into the image
+
+(repl-set-package :package-name)
+  - Switch default package
+
+(repl-help)
+  - Show this message
+"))
+#+end_src
+
+* Phase D: Verification
+
+** Basic Evaluation Test
+#+begin_src lisp :tangle no
+(test test-repl-eval-simple
+  "Test basic arithmetic evaluation."
+  (multiple-value-bind (result output error)
+      (passepartout:repl-eval "(+ 1 2)")
+    (is (string= result "3"))
+    (is (null error))))
+#+end_src
+
+** Error Handling Test
+#+begin_src lisp :tangle no
+(test test-repl-eval-error
+  "Test that errors are caught and returned."
+  (multiple-value-bind (result output error)
+      (passepartout:repl-eval "(+ 1 \"string\")")
+    (is (null result))
+    (is (not (null error)))))
+#+end_src
+
+** REPL-EVAL Pre-Reason Handler
+
+Registers a handler for =:repl-eval= sensor signals. When the daemon
+receives a framed message with =:sensor :repl-eval=, this handler
+evaluates the Lisp code directly and writes the result back through
+the reply-stream, bypassing the LLM pipeline entirely.
+
+Since this handler is registered via =register-pre-reason-handler=,
+the perceive gate calls it before any LLM reasoning occurs. The
+handler returns T (consumed), so the signal never reaches Reason.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun repl-handle (signal)
+  "Pre-reason handler for :repl-eval sensor. Evaluates code and
+writes the result back through the reply-stream."
+  (let* ((payload (getf signal :payload))
+         (code (getf payload :code))
+         (stream (getf (getf signal :meta) :reply-stream))
+         (result (multiple-value-bind (val out err)
+                     (repl-eval code)
+                   (if err
+                       (list :status :error :message err)
+                       (list :status :success :value (or val ""))))))
+    (when stream
+      (handler-case
+          (progn
+            (write-sequence (frame-message result) stream)
+            (finish-output stream))
+        (error (c)
+          (log-message "REPL-EVAL: Failed to write response: ~a" c))))
+    ;; Return T to signal the message was consumed
+    t))
+
+;; Register the handler at load time
+(register-pre-reason-handler :repl-eval #'repl-handle)
+#+end_src
+
+* Phase E: Lifecycle
+The REPL skill loads at priority 200 (after diagnostics at 100, before utils-lisp at 400).
+
+** Standing Mandate (repl-mandate)
+
+The REPL-first mandate is registered as a standing mandate — it runs on every ~think()~ cycle, inspecting the user input for code-related keywords. When it matches, the mandate text is injected into the IDENTITY section of the system prompt.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun repl-mandate (context)
+  "Returns REPL-first engineering mandate when context involves code editing."
+  (let ((raw (or (proto-get (proto-get context :payload) :text) "")))
+    (when (or (search "org-skill-" raw :test #'char-equal)
+              (and (search ".org" raw :test #'char-equal)
+                   (or (search "defun" raw :test #'char-equal)
+                       (search "tangle" raw :test #'char-equal)
+                       (search "write-file" raw :test #'char-equal)
+                       (search "lisp" raw :test #'char-equal)))
+              (search "defun " raw :test #'char-equal)
+              (search "repl-eval" raw :test #'char-equal)
+              (search "validate" raw :test #'char-equal))
+      (format nil "~%REPL-FIRST MANDATE:~%Before writing any defun to an Org file, prototype it in the REPL first. Set :repl-verified t on the write action. On rejection, fix the error and retry.~%"))))
+#+end_src
+
+** Skill Registration
+#+begin_src lisp
+(defskill :passepartout-programming-repl
+  :priority 200
+  :trigger (lambda (ctx) (declare (ignore ctx)) nil)
+  :deterministic (lambda (action ctx) (declare (ignore action ctx)) nil))
+#+end_src
+
+#+begin_src lisp
+(eval-when (:load-toplevel :execute)
+  (push #'repl-mandate *standing-mandates*))
+#+end_src
+
+* Test Suite
+
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-programming-repl-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:repl-suite))
+
+(in-package :passepartout-programming-repl-tests)
+
+(def-suite repl-suite :description "Verification of the REPL skill")
+(in-suite repl-suite)
+
+(test test-repl-eval-success
+  "Contract 1: repl-eval returns result and no error for valid code."
+  (multiple-value-bind (result output error) (repl-eval "(+ 1 2)")
+    (is (equal "3" result))
+    (is (null error))))
+
+(test test-repl-eval-error
+  "Contract 1: repl-eval returns error message for invalid code."
+  (multiple-value-bind (result output error) (repl-eval "(+ 1 ")
+    (is (null result))
+    (is (stringp error))))
+
+(test test-repl-inspect-found
+  "Contract 2: repl-inspect returns description for a bound symbol."
+  (let ((desc (repl-inspect "+" :package :cl)))
+    (is (search "+" desc))))
+
+(test test-repl-list-vars
+  "Contract 3: repl-list-vars returns a list of symbol name strings."
+  (let ((vars (repl-list-vars :package :keyword)))
+    (is (listp vars))
+    (is (member "PASSEPARTOUT" vars :test #'string-equal))))
+#+end_src

org/programming-standards.org

@@ -0,0 +1,133 @@
+#+TITLE: SKILL: Engineering Standards (org-skill-engineering-standards.org)
+#+AUTHOR: Agent
+#+FILETAGS: :system:engineering:chaos:
+#+DEPENDS_ON: org-skill-utils-lisp
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/programming-standards.lisp
+
+* Overview
+The *Engineering Standards Skill* defines the REPL-first engineering lifecycle and enforces technical invariants, including the **Commit-Before-Modify** rule and **Chaos-Driven Development**.
+
+** Architectural Intent + Testable Contract
+
+Every Org module must open with an ~* Architectural Intent~ section.
+This section is the machine-readable specification that tests are written
+against. A test that does not verify a stated intent is testing trivia.
+An intent without a test is aspirational.
+
+*** Template
+
+Place this before ~* Implementation~ in every Org file:
+
+#+begin_src org
+,* Architectural Intent
+
+[Prose: why this module exists, what problem it solves.]
+
+,** Contract
+
+The functions in this module guarantee the following:
+
+1. (function-name): accepts X, returns Y. Preserves invariant Z.
+2. (function-name): when given A, guarantees B (error, signal, or result).
+3. ...
+
+,** Boundaries
+
+What this module explicitly does NOT do, and where that responsibility
+lives instead.
+#+end_src
+
+The ~* Test Suite~ section at the bottom of the file lists each test
+with a cross-reference to which contract item it verifies:
+
+#+begin_src org
+,* Test Suite
+
+,** test-rejection (verifies Contract item 3)
+,** test-pass-through (verifies Contract item 1)
+#+end_src
+
+*** Example: ~symbolic-diagnostics.org~
+
+#+begin_src org
+,* Architectural Intent
+
+The Diagnostics skill is the self-knowledge of Passepartout. It answers
+"Is everything working?" by probing external dependencies at startup.
+
+,** Contract
+
+1. (diagnostics-dependencies-check): probes PATH for every binary in
+   *diagnostics-binaries*. Returns T if all found, NIL if any is
+   missing. Side-effect: populates *doctor-missing-deps*.
+2. (diagnostics-env-check): validates XDG directories exist. Returns T
+   if all critical dirs present, NIL otherwise.
+3. (diagnostics-run-all): orchestrates 1-3. Returns a plist with
+   :deps, :env, :llm keys. Respects :auto-install nil.
+
+,** Boundaries
+
+- Does NOT fix missing dependencies — that is diagnostics-dependencies-install.
+- Does NOT start or stop LLM services — that is the provider layer.
+#+end_src
+
+*** Rules
+
+1. Every ~.org~ file with ≥1 ~defun~ MUST have an ~* Architectural Intent~ section.
+2. The ~** Contract~ section MUST list every public function.
+3. Every test in ~* Test Suite~ MUST reference a specific Contract item.
+4. If you change a function's signature, you MUST update its Contract item.
+
+** Contract
+
+The standards skill itself guarantees:
+
+1. (standards-git-clean-p dir): checks whether directory ~dir~ has
+   uncommitted git changes. Returns T if clean, NIL if dirty. Runs
+   ~git status --porcelain~ in the target directory.
+2. (standards-lisp-verify code): validates Lisp code string for
+   structural correctness. Delegates to ~lisp-syntax-validate~.
+3. (standards-lisp-format code): applies formatting conventions to
+   Lisp code. Delegates to ~lisp-format~.
+
+* Implementation
+
+** Standards Enforcement
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(in-package :passepartout)
+
+(defun standards-git-clean-p (dir)
+  "Checks if a directory has uncommitted changes."
+  (let ((status (uiop:run-program (list "git" "-C" (namestring dir) "status" "--porcelain")
+                                 :output :string
+                                 :ignore-error-status t)))
+    (string= "" (string-trim '(#\Space #\Newline #\Tab) status))))
+
+#+end_src
+** standards-lisp-verify
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun standards-lisp-verify (code)
+  "Enforces Lisp structural and semantic standards using utils-lisp."
+  (let ((result (lisp-validate code :strict t)))
+    (if (eq (getf result :status) :success)
+        t
+        (error (getf result :reason)))))
+
+#+end_src
+** standards-lisp-format
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun standards-lisp-format (code)
+  "Ensures Lisp code adheres to formatting standards."
+  (lisp-format code))
+#+end_src
+#+end_src
+
+** Skill Registration
+#+begin_src lisp
+(defskill :passepartout-programming-standards
+  :priority 100
+  :trigger (lambda (ctx) (declare (ignore ctx)) nil))
+#+end_src

org/programming-tools.org

@@ -0,0 +1,844 @@
+#+TITLE: SKILL: Programming Tools (programming-tools.org)
+#+AUTHOR: Agent
+#+FILETAGS: :programming:tools:cognitive:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/programming-tools.lisp
+
+* Cognitive Tools for Codebase Operations
+
+This skill registers ten cognitive tools that let the LLM search codebases, read and write files, evaluate Lisp expressions, run tests, and manipulate Org files. Without these tools, the agent can chat and run shell commands but cannot perform the core operations of a programming assistant.
+
+Each tool is registered via ~def-cognitive-tool~ and appears in the LLM's tool belt prompt via ~cognitive-tool-prompt~. Tools receive arguments as a plist and return a plist with ~:status~ (~:success or :error~) and either ~:content~ (success) or ~:message~ (error). The tool executor (~action-tool-execute~) normalizes nested argument lists, dispatches by name, and feeds results back into the perception pipeline.
+
+** Contract
+
+1. Every tool returns a plist with at least ~:status~. On success: ~(:status :success :content "...")~. On error: ~(:status :error :message "...")~.
+2. Every tool guards against missing required parameters and returns a clear error message.
+3. Every tool handles runtime exceptions (~handler-case~) — a tool must never crash the daemon.
+4. ~search-files~: given ~:pattern~, ~:path~, optional ~:include~ (glob), returns matched lines with file:line prefixes.
+5. ~find-files~: given ~:pattern~ (glob), ~:path~, returns list of matching file paths.
+6. ~read-file~: given ~:filepath~, optional ~:start~, ~:limit~ (lines), returns file contents.
+7. ~write-file~: given ~:filepath~, ~:content~, creates directories, writes file, returns byte count.
+8. ~list-directory~: given ~:path~, optional ~:pattern~, returns sorted directory entries.
+9. ~run-shell~: given ~:cmd~, optional ~:timeout~, returns stdout, stderr, and exit code.
+10. ~eval-form~: given ~:code~ (Lisp expression string), returns evaluated result. Disables ~*read-eval*~.
+11. ~run-tests~: given optional ~:test-name~, runs specific test or all suites via ~fiveam:run-all-tests~.
+12. ~org-find-headline~: given ~:id~ or ~:title~, searches ~*memory-store*~ for matching memory objects.
+13. ~org-modify-file~: given ~:filepath~, ~:old-text~, ~:new-text~, performs exact-string replacement. Returns error if text not found.
+14. (tool-register-modified filepath &key old-content new-content):
+    appends a modification record to ~*modified-files-this-turn*~.
+    Returns the record plist ~(:filepath <s> :timestamp <unix>
+    :lines-added <n> :lines-removed <n>)~.
+15. (tool-modified-files-summary): returns the list of modified-file
+    plists accumulated this turn and clears ~*modified-files-this-turn*~.
+    Returns nil when no files were modified.
+
+** v0.8.0 — Modified Files Tracking
+
+The sidebar's Files panel needs to know which files the agent modified in
+the most recent tool execution. ~*modified-files-this-turn*~ is a list of
+plists tracking each write operation: ~(:filepath <string> :timestamp <unix>
+:lines-added <int> :lines-removed <int>)~.
+
+~tool-register-modified~ is called by ~write-file~ and ~org-modify-file~
+after successful writes. It computes line counts by comparing the old and
+new content (when available) or records the operation with nil counts.
+~tool-modified-files-summary~ returns the accumulated list and resets
+it for the next turn (reset happens at the start of each ~think()~ cycle
+in ~core-reason.lisp~).
+
+The tracking is per-turn, not cumulative — the sidebar shows what changed
+in the /last/ tool execution, matching the tool-execution visualization
+pattern from v0.7.1. Cumulative file tracking belongs in the version
+control system.
+
+* Implementation
+
+** Package Context
+#+begin_src lisp
+(in-package :passepartout)
+
+(defun tools-write-file (filepath content)
+  "Write string CONTENT to FILEPATH, creating parent directories."
+  (uiop:ensure-all-directories-exist (list filepath))
+  (with-open-file (stream filepath :direction :output :if-exists :supersede :if-does-not-exist :create)
+    (write-string content stream)))
+#+end_src
+
+** Tool: search-files
+
+Searches file contents recursively under a directory using regex pattern matching.
+
+#+begin_src lisp
+(def-cognitive-tool search-files
+  "Search file contents under a directory for a regex pattern."
+  ((:name "pattern" :description "The regex pattern to search for." :type "string")
+   (:name "path" :description "Directory to search recursively." :type "string")
+   (:name "include" :description "Optional glob filter for filenames (e.g. \"*.lisp\")." :type "string"))
+  :read-only-p t
+  :guard nil
+  :body (lambda (args)
+          (block nil
+            (let* ((pattern (getf args :pattern))
+                   (path (getf args :path))
+                   (include (getf args :include))
+                   (results nil))
+              (unless (and pattern path)
+                (return (list :status :error :message "search-files requires :pattern and :path")))
+              (handler-case
+                  (dolist (file (directory (merge-pathnames
+                                            (if include
+                                                (make-pathname :name :wild :type (subseq include 2) :defaults path)
+                                                (make-pathname :name :wild :type :wild :defaults path))
+                                            path)))
+                    (let ((base (file-namestring file)))
+                      (with-open-file (stream file :direction :input :if-does-not-exist nil)
+                        (when stream
+                          (loop for line = (read-line stream nil nil)
+                                for line-num from 1
+                                while line
+                                when (cl-ppcre:scan pattern line)
+                                do (push (format nil "~a:~d: ~a" base line-num (string-trim '(#\Space #\Tab) line))
+                                         results))))))
+                (t (c) (return (list :status :error :message (format nil "~a" c)))))
+              (list :status :success
+                    :content (if results
+                                 (format nil "~d matches:~%~a" (length results)
+                                         (format nil "~{~a~^~%~}" (reverse results)))
+                                 (format nil "No matches for '~a' in ~a" pattern path)))))))
+#+end_src
+
+** Tool: find-files
+
+Glob file matching using SBCL's ~directory~.
+
+#+begin_src lisp
+(def-cognitive-tool find-files
+  "Find files matching a glob pattern."
+  ((:name "pattern" :description "The glob pattern to match (e.g. \"*.lisp\")." :type "string")
+   (:name "path" :description "Directory to search in." :type "string"))
+  :read-only-p t
+  :guard nil
+  :body (lambda (args)
+          (block nil
+            (let* ((pattern (getf args :pattern))
+                   (path (getf args :path)))
+              (unless (and pattern path)
+                (return (list :status :error :message "find-files requires :pattern and :path")))
+              (let ((full (merge-pathnames pattern path)))
+              (handler-case
+                  (let ((files (directory full)))
+                    (list :status :success
+                          :content (if files
+                                       (format nil "~d files:~%~{~a~^~%~}" (length files) files)
+                                       (format nil "No files matching '~a' in ~a" pattern path))))
+                (t (c) (list :status :error :message (format nil "~a" c)))))))))
+#+end_src
+
+** Tool: read-file
+
+Reads a file into a string. Supports optional ~:start~ and ~:limit~ for partial reads.
+
+#+begin_src lisp
+(def-cognitive-tool read-file
+  "Read the contents of a file."
+  ((:name "filepath" :description "Path to the file to read." :type "string")
+   (:name "start" :description "Optional: line number to start reading from (1-based)." :type "integer")
+   (:name "limit" :description "Optional: maximum number of lines to read." :type "integer"))
+  :read-only-p t
+  :guard (lambda (args) (declare (ignore args)) nil)
+  :body (lambda (args)
+          (block nil
+            (let* ((filepath (getf args :filepath))
+                   (start (getf args :start))
+                   (limit (getf args :limit)))
+              (unless filepath
+                (return (list :status :error :message "read-file requires :filepath")))
+              (handler-case
+                  (let ((content (uiop:read-file-string filepath)))
+                    (if (or start limit)
+                        (let* ((lines (uiop:split-string content :separator '(#\Newline)))
+                               (start-idx (max 0 (1- (or start 1))))
+                               (end (if limit (min (length lines) (+ start-idx limit)) (length lines)))
+                               (selected (subseq lines start-idx end)))
+                          (list :status :success
+                                :content (format nil "~{~a~^~%~}" selected)))
+                        (list :status :success :content content)))
+                (error (c) (list :status :error :message (format nil "~a" c))))))))
+#+end_src
+
+** Tool: write-file
+
+Writes string content to a file, creating parent directories as needed.
+
+#+begin_src lisp
+(def-cognitive-tool write-file
+  "Write string content to a file. Created directories as needed."
+  ((:name "filepath" :description "Path to the file to write." :type "string")
+   (:name "content" :description "The text content to write." :type "string"))
+  :guard nil
+  :body (lambda (args)
+          (block nil
+            (let* ((filepath (getf args :filepath))
+                   (content (getf args :content)))
+              (unless (and filepath content)
+                (return (list :status :error :message "write-file requires :filepath and :content")))
+                (handler-case
+                    (progn
+                      (tools-write-file filepath content)
+                      (verify-write filepath content)
+                      (tool-register-modified filepath :new-content content)
+                      (list :status :success
+                           :content (format nil "Written ~d bytes to ~a" (length content) filepath)))
+                (error (c) (list :status :error :message (format nil "~a" c))))))))
+#+end_src
+
+** Tool: list-directory
+
+Lists the contents of a directory, optionally filtered by a glob pattern.
+
+#+begin_src lisp
+(def-cognitive-tool list-directory
+  "List the contents of a directory."
+  ((:name "path" :description "Directory path to list." :type "string")
+    (:name "pattern" :description "Optional glob filter (e.g. \"*.org\")." :type "string"))
+   :read-only-p t
+   :guard nil
+  :body (lambda (args)
+          (block nil
+            (let* ((path (getf args :path))
+                   (pattern (getf args :pattern)))
+              (unless path
+                (return (list :status :error :message "list-directory requires :path")))
+              (let ((full-pattern (if pattern
+                                    (merge-pathnames pattern path)
+                                    (make-pathname :name :wild :type :wild :defaults path))))
+              (handler-case
+                  (let ((entries (directory full-pattern)))
+                    (list :status :success
+                          :content (if entries
+                                       (format nil "~d entries in ~a:~%~{~a~^~%~}" (length entries) path entries)
+                                       (format nil "No entries in ~a" path))))
+                (t (c) (list :status :error :message (format nil "~a" c)))))))))
+#+end_src
+
+** Tool: run-shell
+
+Executes a shell command and returns stdout, stderr, and exit code.
+
+#+begin_src lisp
+(def-cognitive-tool run-shell
+  "Execute a shell command and return stdout, stderr, and exit code."
+  ((:name "cmd" :description "The shell command to execute." :type "string")
+   (:name "timeout" :description "Optional timeout in seconds (default 30)." :type "integer"))
+  :guard nil
+  :body (lambda (args)
+          (block nil
+            (let* ((cmd (getf args :cmd))
+                   (timeout (or (getf args :timeout) 30)))
+              (unless cmd
+                (return (list :status :error :message "run-shell requires :cmd")))
+              (handler-case
+                  (multiple-value-bind (out err code)
+                      (uiop:run-program (list "timeout" (format nil "~a" timeout) "bash" "-c" cmd)
+                                        :output :string :error-output :string
+                                        :ignore-error-status t)
+                    (list :status :success
+                          :content (format nil "~a~@[~%~%stderr:~%~a~]~%exit: ~d"
+                                           (or out "") (when (and err (> (length err) 0)) err) code)))
+                (error (c) (list :status :error :message (format nil "~a" c))))))))
+#+end_src
+
+** Tool: eval-form
+
+Evaluates a Lisp expression in the running image. Binds ~*read-eval*~ to nil for safety.
+
+#+begin_src lisp
+(def-cognitive-tool eval-form
+  "Evaluate a Lisp expression in the running image and return the result."
+  ((:name "code" :description "The Lisp expression to evaluate as a string." :type "string"))
+  :read-only-p t
+  :guard nil
+  :body (lambda (args)
+          (block nil
+            (let* ((code (getf args :code)))
+              (unless code
+                (return (list :status :error :message "eval-form requires :code")))
+              (handler-case
+                  (let* ((*read-eval* nil)
+                         (form (read-from-string code))
+                         (result (eval form)))
+                    (list :status :success :content (format nil "~a" result)))
+                (error (c) (list :status :error :message (format nil "~a" c))))))))
+#+end_src
+
+** Tool: run-tests
+
+Runs FiveAM test suites. Without arguments, runs all tests via ~fiveam:run-all-tests~.
+
+#+begin_src lisp
+(def-cognitive-tool run-tests
+  "Run FiveAM tests. With no arguments, runs all test suites."
+  ((:name "test-name" :description "Optional: specific test name to run. If nil, runs all tests." :type "string"))
+  :read-only-p t
+  :guard nil
+  :body (lambda (args)
+          (block nil
+            (let* ((test-name (getf args :test-name)))
+              (handler-case
+                  (if test-name
+                      (let* ((sym (find-symbol (string-upcase test-name) :passepartout))
+                             (result (when sym (fiveam:run (intern (string-upcase test-name) :passepartout)))))
+                        (list :status :success
+                              :content (format nil "Test '~a' ~a" test-name
+                                               (if result "completed" "not found"))))
+                      (let ((result (fiveam:run-all-tests)))
+                        (list :status :success :content (format nil "~a" result))))
+                (error (c) (list :status :error :message (format nil "~a" c))))))))
+#+end_src
+
+** Tool: org-find-headline
+
+Finds Org headlines in the memory store by ID property or title substring match.
+
+#+begin_src lisp
+(def-cognitive-tool org-find-headline
+  "Find an Org headline by ID or title in the memory store."
+  ((:name "id" :description "Optional: Org ID property to search for." :type "string")
+   (:name "title" :description "Optional: headline title to search for (case-insensitive substring)." :type "string"))
+  :read-only-p t
+  :guard nil
+  :body (lambda (args)
+          (block nil
+            (let* ((id (getf args :id))
+                   (title (getf args :title))
+                   (results nil))
+              (unless (or id title)
+                (return (list :status :error :message "org-find-headline requires :id or :title")))
+              (handler-case
+                  (let ((is-mem (find-symbol "MEMORY-OBJECT-P" :passepartout))
+                        (get-id (find-symbol "MEMORY-OBJECT-ID" :passepartout))
+                        (get-title (find-symbol "MEMORY-OBJECT-TITLE" :passepartout)))
+                    (unless (and is-mem get-id get-title)
+                      (return (list :status :error :message "Memory store not loaded")))
+                    (maphash (lambda (k obj)
+                               (declare (ignore k))
+                               (when (and (funcall is-mem obj)
+                                          (or (and id (string-equal id (funcall get-id obj)))
+                                              (and title (search title (funcall get-title obj) :test #'char-equal))))
+                                 (push obj results)))
+                             *memory-store*)
+                    (list :status :success
+                          :content (if results
+                                       (format nil "~d headlines found:~%~{~a~^~%~}"
+                                               (length results)
+                                               (mapcar (lambda (r) (funcall get-title r)) results))
+                                       (format nil "No headlines matching ~a" (or id title)))))
+                (error (c) (list :status :error :message (format nil "~a" c))))))))
+#+end_src
+
+** Tool: org-modify-file
+
+Surgical text replacement in an Org file — matches exact text and replaces it.
+
+#+begin_src lisp
+(def-cognitive-tool org-modify-file
+  "Replace text in an Org file via exact string match. Returns error if old-text not found."
+  ((:name "filepath" :description "Path to the Org file." :type "string")
+   (:name "old-text" :description "Exact text to replace." :type "string")
+   (:name "new-text" :description "Text to insert in its place." :type "string"))
+  :guard nil
+  :body (lambda (args)
+          (block nil
+            (let* ((filepath (getf args :filepath))
+                   (old-text (getf args :old-text))
+                   (new-text (getf args :new-text)))
+              (unless (and filepath old-text new-text)
+                (return (list :status :error :message "org-modify-file requires :filepath, :old-text, and :new-text")))
+              (handler-case
+                  (let ((content (uiop:read-file-string filepath)))
+                    (let ((pos (search old-text content)))
+                      (if pos
+                           (let ((new-content (concatenate 'string
+                                                           (subseq content 0 pos)
+                                                           new-text
+                                                           (subseq content (+ pos (length old-text))))))
+                             (tools-write-file filepath new-content)
+                             (tool-register-modified filepath :old-content content :new-content new-content)
+                             (list :status :success
+                                  :content (format nil "Replaced at position ~d in ~a" pos filepath)))
+                          (list :status :error :message (format nil "Text not found in ~a" filepath)))))
+                (error (c) (list :status :error :message (format nil "~a" c))))))))
+#+end_src
+
+** Skill Registration
+
+#+begin_src lisp
+(defskill :passepartout-programming-tools
+  :priority 50
+  :trigger (lambda (ctx) (declare (ignore ctx)) nil)
+  :deterministic (lambda (action ctx) (declare (ignore action ctx)) nil))
+#+end_src
+
+** Package Definition and Export List
+The package definition. All public symbols are exported here.
+#+begin_src lisp :tangle no
+(defpackage :passepartout
+  (:use :cl)
+  (:export
+   #:frame-message
+   #:read-framed-message
+    #:PROTO-GET
+    #:proto-get
+   #:*VAULT-MEMORY*
+   #:make-hello-message
+   #:validate-communication-protocol-schema
+   #:start-daemon
+   #:log-message
+   #:main
+    #:diagnostics-run-all
+    #:diagnostics-main
+    #:diagnostics-dependencies-check
+    #:diagnostics-env-check
+    #:register-provider
+    #:provider-openai-request
+    #:provider-config
+   #:run-setup-wizard
+   #:ingest-ast
+   #:memory-object-get
+   #:*memory-store*
+   #:memory-object
+   #:make-memory-object
+   #:memory-object-id
+   #:memory-object-type
+   #:memory-object-attributes
+   #:memory-object-parent-id
+   #:memory-object-children
+   #:memory-object-version
+   #:memory-object-last-sync
+   #:memory-object-vector
+   #:memory-object-content
+   #:memory-object-hash
+   #:memory-object-scope
+   #:snapshot-memory
+   #:rollback-memory
+    #:context-get-system-logs
+    #:context-assemble-global-awareness
+    #:context-awareness-assemble
+    #:context-query
+   #:push-context
+   #:pop-context
+   #:current-context
+   #:current-scope
+   #:context-stack-depth
+   #:context-save
+   #:context-load
+   #:focus-project
+   #:focus-session
+   #:focus-memex
+   #:unfocus
+   #:process-signal
+   #:loop-process
+    #:perceive-gate
+    #:loop-gate-perceive
+    #:act-gate
+    #:loop-gate-act
+    #:reason-gate
+    #:loop-gate-reason
+    #:cognitive-verify
+    #:backend-cascade-call
+    #:json-alist-to-plist
+    #:inject-stimulus
+    #:stimulus-inject
+    #:hitl-create
+    #:hitl-approve
+    #:hitl-deny
+    #:hitl-handle-message
+    #:dispatcher-check-secret-path
+    #:dispatcher-check-shell-safety
+    #:dispatcher-check-privacy-tags
+    #:dispatcher-check-network-exfil
+    #:dispatcher-gate
+    #:wildcard-match
+    #:actuator-initialize
+   #:action-dispatch
+   #:register-actuator
+   #:load-skill-from-org
+    #:skill-initialize-all
+    #:lisp-syntax-validate
+    #:defskill
+       #:*skill-registry*
+       #:*scope-resolver*
+       #:*embedding-backend*
+       #:*embedding-queue*
+       #:*embedding-provider*
+       #:embed-queue-object
+       #:embed-object
+       #:embed-all-pending
+       #:embedding-backend-hashing
+       #:embedding-backend-native
+       #:embedding-native-load-model
+       #:embedding-native-unload
+       #:embedding-native-ensure-loaded
+       #:embedding-native-get-dim
+       #:embeddings-compute
+       #:mark-vector-stale
+     #:skill
+   #:skill-name
+   #:skill-priority
+   #:skill-dependencies
+   #:skill-trigger-fn
+   #:skill-probabilistic-prompt
+   #:skill-deterministic-fn
+   #:def-cognitive-tool
+   #:*cognitive-tool-registry*
+    #:org-read-file
+    #:org-write-file
+    #:org-headline-add
+    #:org-headline-find-by-id
+    #:literate-tangle-sync-check
+    #:archivist-create-note
+    #:gateway-start
+    #:org-property-set
+    #:org-todo-set
+    #:org-id-generate
+    #:org-id-format
+    #:org-modify
+    #:lisp-validate
+    #:lisp-structural-check
+    #:lisp-syntactic-check
+    #:lisp-semantic-check
+    #:lisp-eval
+    #:lisp-format
+    #:lisp-list-definitions
+    #:lisp-extract
+    #:lisp-inject
+    #:lisp-slurp
+   #:get-oc-config-dir
+    #:get-tool-permission
+    #:set-tool-permission
+    #:check-tool-permission-gate
+    #:permission-get
+    #:permission-set
+   #:cognitive-tool
+   #:cognitive-tool-name
+   #:cognitive-tool-description
+   #:cognitive-tool-parameters
+   #:cognitive-tool-guard
+   #:cognitive-tool-body
+   #:register-probabilistic-backend
+   #:*probabilistic-backends*
+   #:*provider-cascade*
+    #:vault-get
+    #:vault-set
+    #:vault-get-secret
+    #:vault-set-secret
+    #:memory-objects-by-attribute
+    #:channel-cli-input
+    #:repl-eval
+    #:repl-inspect
+    #:repl-list-vars
+    #:policy-compliance-check
+    #:validator-protocol-check
+    #:archivist-extract-headlines
+    #:archivist-headline-to-filename
+    #:literate-extract-lisp-blocks
+    #:literate-block-balance-check
+    #:gateway-registry-initialize
+    #:messaging-link
+    #:messaging-unlink
+    #:gateway-configured-p))
+#+end_src
+
+** Package Implementation
+The package implementation section defines the low-level utilities and global state that are shared across all harness components and skills.
+
+*** Robust plist access (plist-get)
+Retrieves a value from a plist, checking both upper and lowercase keyword variants. This is needed because different components use different keyword conventions.
+#+begin_src lisp :tangle no
+(in-package :passepartout)
+
+(defun plist-get (plist key)
+  "Robust plist accessor — checks both :KEY and :key variants."
+  (let* ((s (string key))
+         (up (intern (string-upcase s) :keyword))
+         (dn (intern (string-downcase s) :keyword)))
+    (or (getf plist up) (getf plist dn))))
+#+end_src
+
+*** Logging state
+The harness maintains a bounded ring buffer of log messages for inclusion in LLM context. Access is thread-safe via a lock.
+#+begin_src lisp :tangle no
+(defvar *log-buffer* nil)
+(defvar *log-lock* (bordeaux-threads:make-lock "log-messages-lock"))
+(defvar *log-limit* 100)
+#+end_src
+
+*** Skill registry
+The global registry of all loaded skills. This is the authoritative list that the deterministic engine iterates.
+#+begin_src lisp :tangle no
+(defvar *skill-registry* (make-hash-table :test 'equal)
+  "Global registry of all loaded skills.")
+#+end_src
+
+*** Skill telemetry
+Tracks execution metrics per skill (count, duration, failures) for diagnostics and performance analysis.
+#+begin_src lisp :tangle no
+(defvar *telemetry-table* (make-hash-table :test 'equal))
+(defvar *telemetry-lock* (bordeaux-threads:make-lock "harness-telemetry-lock"))
+
+(defun telemetry-track (skill-name duration status)
+  "Updates performance metrics for a skill. STATUS is :success or :rejected."
+  (when skill-name
+    (bordeaux-threads:with-lock-held (*telemetry-lock*)
+      (let ((entry (or (gethash skill-name *telemetry-table*) (list :executions 0 :total-time 0 :failures 0))))
+        (incf (getf entry :executions))
+        (incf (getf entry :total-time) duration)
+        (when (eq status :rejected) (incf (getf entry :failures)))
+        (setf (gethash skill-name *telemetry-table*) entry)))))
+#+end_src
+
+*** Cognitive tool registry
+Tools that the LLM can invoke are registered here. Each tool has a name, description, parameters, optional guard, and implementation body. The ~def-cognitive-tool~ macro handles registration. ~cognitive-tool-prompt~ serialises the registry into the LLM's system prompt.
+#+begin_src lisp :tangle no
+(defvar *cognitive-tool-registry* (make-hash-table :test 'equal))
+#+end_src
+
+* Test Suite
+
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-programming-tools-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:programming-tools-suite))
+
+(in-package :passepartout-programming-tools-tests)
+
+(def-suite programming-tools-suite :description "Verification of programming cognitive tools")
+(in-suite programming-tools-suite)
+
+(defun tools-tmpdir ()
+  (let ((d (merge-pathnames "tmp/passepartout-tool-tests/" (user-homedir-pathname))))
+    (uiop:ensure-all-directories-exist (list d))
+    d))
+
+(defun tools-cleanup ()
+  (let ((d (tools-tmpdir)))
+    (uiop:delete-directory-tree d :validate t :if-does-not-exist :ignore)))
+
+(defun tools-write-file (filepath content)
+  (uiop:ensure-all-directories-exist (list filepath))
+  (with-open-file (stream filepath :direction :output :if-exists :supersede :if-does-not-exist :create)
+    (write-string content stream)))
+
+(defun call-tool (tool-name &rest args)
+  (let ((tool (gethash (string-downcase (string tool-name)) *cognitive-tool-registry*)))
+    (unless tool (error "Tool ~a not found" tool-name))
+    (funcall (cognitive-tool-body tool) args)))
+
+;; search-files
+(test test-search-files-finds-matches
+  "Contract 1: search-files finds lines matching a regex pattern."
+  (let* ((dir (tools-tmpdir))
+         (file-a (merge-pathnames "src-a.lisp" dir))
+         (file-b (merge-pathnames "src-b.lisp" dir)))
+    (tools-write-file file-a "(defun foo () 'hello)")
+    (tools-write-file file-b "(defun bar () 'world)")
+    (let ((result (call-tool 'search-files :pattern "defun" :path (namestring dir) :include "*.lisp")))
+      (is (eq (getf result :status) :success))
+      (is (search "src-a.lisp:1:" (getf result :content)))
+      (is (search "src-b.lisp:1:" (getf result :content))))
+    (tools-cleanup)))
+
+(test test-search-files-missing-params
+  "search-files returns error when required params are missing."
+  (let ((result (call-tool 'search-files :pattern "x")))
+    (is (eq (getf result :status) :error))))
+
+;; find-files
+(test test-find-files-by-extension
+  "Contract 5: find-files returns files matching a glob."
+  (let ((dir (tools-tmpdir)))
+    (tools-write-file (merge-pathnames "a.lisp" dir) "test")
+    (tools-write-file (merge-pathnames "b.lisp" dir) "test")
+    (tools-write-file (merge-pathnames "c.org" dir) "test")
+    (let ((result (call-tool 'find-files :pattern "*.lisp" :path (namestring dir))))
+      (is (eq (getf result :status) :success))
+      (is (search "a.lisp" (getf result :content)))
+      (is (search "b.lisp" (getf result :content)))
+      (is (not (search "c.org" (getf result :content)))))
+    (tools-cleanup)))
+
+(test test-find-files-missing-params
+  "find-files returns error without required params."
+  (let ((result (call-tool 'find-files :pattern "*.lisp")))
+    (is (eq (getf result :status) :error))))
+
+;; read-file
+(test test-read-file-full
+  "Contract 6: read-file returns full file contents."
+  (let* ((dir (tools-tmpdir))
+         (file (merge-pathnames "readme.txt" dir)))
+    (tools-write-file file (format nil "line one~%line two~%line three"))
+    (let ((result (call-tool 'read-file :filepath (namestring file))))
+      (is (eq (getf result :status) :success))
+      (is (search "line one" (getf result :content))))
+    (tools-cleanup)))
+
+(test test-read-file-missing-params
+  "read-file returns error without :filepath."
+  (let ((result (call-tool 'read-file)))
+    (is (eq (getf result :status) :error))))
+
+;; write-file
+(test test-write-file-creates
+  "Contract 7: write-file creates file with content."
+  (let* ((dir (tools-tmpdir))
+         (file (merge-pathnames "output.txt" dir)))
+    (let ((result (call-tool 'write-file :filepath (namestring file) :content "hello world")))
+      (is (eq (getf result :status) :success))
+      (is (search "11 bytes" (getf result :content))))
+    (is (string-equal "hello world" (uiop:read-file-string file)))
+    (tools-cleanup)))
+
+(test test-write-file-missing-params
+  "write-file returns error without required params."
+  (let ((result (call-tool 'write-file :content "x")))
+    (is (eq (getf result :status) :error))))
+
+;; list-directory
+(test test-list-directory-all
+  "Contract 8: list-directory returns all entries."
+  (let ((dir (tools-tmpdir)))
+    (tools-write-file (merge-pathnames "alpha.txt" dir) "x")
+    (tools-write-file (merge-pathnames "beta.txt" dir) "y")
+    (let ((result (call-tool 'list-directory :path (namestring dir))))
+      (is (eq (getf result :status) :success))
+      (is (search "alpha.txt" (getf result :content)))
+      (is (search "beta.txt" (getf result :content))))
+    (tools-cleanup)))
+
+(test test-list-directory-missing-params
+  "list-directory returns error without :path."
+  (let ((result (call-tool 'list-directory)))
+    (is (eq (getf result :status) :error))))
+
+;; run-shell
+(test test-run-shell-echo
+  "Contract 9: run-shell executes a command and returns output."
+  (let ((result (call-tool 'run-shell :cmd "echo hello")))
+    (is (eq (getf result :status) :success))
+    (is (search "hello" (getf result :content)))))
+
+(test test-run-shell-missing-params
+  "run-shell returns error without :cmd."
+  (let ((result (call-tool 'run-shell)))
+    (is (eq (getf result :status) :error))))
+
+;; eval-form
+(test test-eval-form-arithmetic
+  "Contract 10: eval-form evaluates a Lisp expression."
+  (let ((result (call-tool 'eval-form :code "(+ 1 2)")))
+    (is (eq (getf result :status) :success))
+    (is (search "3" (getf result :content)))))
+
+(test test-eval-form-missing-params
+  "eval-form returns error without :code."
+  (let ((result (call-tool 'eval-form)))
+    (is (eq (getf result :status) :error))))
+
+;; org-modify-file
+(test test-org-modify-file-replace
+  "Contract 13: org-modify-file replaces exact text in file."
+  (let* ((dir (tools-tmpdir))
+         (file (merge-pathnames "doc.org" dir)))
+    (tools-write-file file "* TODO Buy milk~%* DONE Walk dog~%")
+    (let ((result (call-tool 'org-modify-file
+                             :filepath (namestring file)
+                             :old-text "TODO" :new-text "WAITING")))
+      (is (eq (getf result :status) :success))
+      (is (search "WAITING" (uiop:read-file-string file))))
+    (tools-cleanup)))
+
+(test test-org-modify-file-not-found
+  "org-modify-file returns error when text not in file."
+  (let* ((dir (tools-tmpdir))
+         (file (merge-pathnames "file.org" dir)))
+    (tools-write-file file "some content")
+    (let ((result (call-tool 'org-modify-file
+                             :filepath (namestring file)
+                             :old-text "not-in-file" :new-text "anything")))
+      (is (eq (getf result :status) :error))
+      (is (search "not found" (getf result :message))))
+    (tools-cleanup)))
+
+(test test-org-modify-file-missing-params
+  "org-modify-file returns error without required params."
+  (let ((result (call-tool 'org-modify-file :filepath "x" :old-text "y")))
+    (is (eq (getf result :status) :error))))
+#+end_src* v0.8.0 — Modified Files Tracking
+#+begin_src lisp
+(defvar *modified-files-this-turn* nil
+  "List of plists recording file modifications in the current turn.")
+
+(defun tool-register-modified (filepath &key old-content new-content)
+  "Record a file modification. Returns the record plist."
+  (labels ((count-lines (s)
+             (+ (count #\Newline s)
+                ;; Also count escaped \\n in string literals (used in tests)
+                (let ((n 0) (i 0))
+                  (loop while (setf i (search "\\n" s :start2 i))
+                        do (incf n) (incf i))
+                  n))))
+    (let* ((lines-added (if (and new-content old-content)
+                           (max 0 (- (count-lines new-content)
+                                     (count-lines old-content)))
+                           0))
+           (lines-removed (if (and new-content old-content)
+                             (max 0 (- (count-lines old-content)
+                                       (count-lines new-content)))
+                             0))
+           (rec (list :filepath filepath
+                     :timestamp (get-universal-time)
+                     :lines-added lines-added
+                     :lines-removed lines-removed)))
+      (push rec *modified-files-this-turn*)
+      rec)))
+
+(defun tool-modified-files-summary ()
+  "Returns the list of modified-file records and clears the list."
+  (prog1 (nreverse *modified-files-this-turn*)
+    (setf *modified-files-this-turn* nil)))
+#+end_src
+
+* v0.8.0 Tests — Modified Files Tracking
+#+begin_src lisp
+(in-package :passepartout-programming-tools-tests)
+
+(test test-modified-files-track-write
+  "Contract 14: tool-register-modified appends to *modified-files-this-turn*."
+  (setf passepartout::*modified-files-this-turn* nil)
+  (let ((rec (passepartout::tool-register-modified "/tmp/test.org"
+                :old-content "old" :new-content "line1
+line2")))
+    (is (string= "/tmp/test.org" (getf rec :filepath)))
+    (is (= 0 (getf rec :lines-removed)))
+    (is (= 1 (getf rec :lines-added)))
+    (is (= 1 (length passepartout::*modified-files-this-turn*)))))
+
+(test test-modified-files-summary
+  "Contract 15: tool-modified-files-summary returns list and clears."
+  (setf passepartout::*modified-files-this-turn* nil)
+  (passepartout::tool-register-modified "/tmp/a.org")
+  (passepartout::tool-register-modified "/tmp/b.org")
+  (let ((files (passepartout::tool-modified-files-summary)))
+    (is (= 2 (length files)))
+    (is (null passepartout::*modified-files-this-turn*))
+    (is (find "/tmp/a.org" files :key (lambda (f) (getf f :filepath)) :test #'string=))))
+
+(test test-modified-files-empty
+  "Contract 15: tool-modified-files-summary returns nil when no files modified."
+  (setf passepartout::*modified-files-this-turn* nil)
+  (is (null (passepartout::tool-modified-files-summary))))
+#+end_src

org/security-permissions.org

@@ -0,0 +1,98 @@
+#+TITLE: SKILL: Tool Permissions (org-skill-tool-permissions.org)
+#+AUTHOR: Agent
+#+FILETAGS: :skill:security:permissions:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/security-permissions.lisp
+
+* Overview: The Authorization Matrix
+
+Every cognitive tool (file read, file write, shell execute, etc.) has a permission level: ~:allow~ (executed without asking), ~:ask~ (user is prompted before execution), or ~:deny~ (blocked entirely). Tool Permissions maintains the registry of these levels and provides the ~permission-gate-check~ that the Dispatcher calls before dispatching a tool action.
+
+The complexity lives in the Dispatcher (security-dispatcher.org), which
+consults this table as one of its ten scan vectors.
+
+** Contract
+
+1. (permission-set tool-name level): stores ~level~ for ~tool-name~
+   in ~*permission-table*~. Tool names are normalized to lowercase.
+2. (permission-get tool-name): returns the stored level, or ~:ask~ if
+   no entry exists.
+3. Tool name matching is case-insensitive — ~(permission-set :FOO :allow)~
+   and ~(permission-get :foo)~ return ~:allow~.
+
+** Boundaries
+
+- Does NOT enforce permissions — the Dispatcher does that.
+- Does NOT persist permissions to disk — this is runtime-only.
+- Does NOT validate that ~level~ is one of ~(:allow :ask :deny)~.
+
+* Implementation
+
+** Package Context
+#+begin_src lisp
+(in-package :passepartout)
+#+end_src
+
+** Permission store (tool level)
+Hash table mapping tool names to their permission level.
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *permission-table* (make-hash-table :test 'equal))
+#+end_src
+
+** Set permission
+Sets the permission level for a specific cognitive tool.
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun permission-set (tool-name level)
+  "Sets the permission level for a tool."
+  (setf (gethash (string-downcase (string tool-name)) *permission-table*) level))
+#+end_src
+
+** Get permission
+Retrieves the current permission level for a tool. Defaults to ~:ask~ if unset.
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun permission-get (tool-name)
+  "Retrieves the permission level for a tool. Defaults to :ask."
+  (gethash (string-downcase (string tool-name)) *permission-table* :ask))
+#+end_src
+
+** Skill Registration
+#+begin_src lisp
+(defskill :passepartout-security-permissions
+  :priority 600
+  :trigger (lambda (ctx) (declare (ignore ctx)) nil))
+#+end_src
+
+* Test Suite
+
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-security-permissions-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:permissions-suite))
+
+(in-package :passepartout-security-permissions-tests)
+
+(def-suite permissions-suite :description "Verification of Tool Permissions")
+(in-suite permissions-suite)
+
+(test test-permission-round-trip
+  "Contract 1: permission-set stores a level; permission-get retrieves it."
+  (permission-set "test-tool" :allow)
+  (is (eq :allow (permission-get "test-tool")))
+  ;; Clean up
+  (permission-set "test-tool" nil))
+
+(test test-permission-default
+  "Contract 2: unregistered tools default to :ask."
+  (is (eq :ask (permission-get "never-registered-tool-xyz"))))
+
+(test test-permission-case-insensitive
+  "Contract 3: tool names are normalized to lowercase."
+  (permission-set :CapitalTool :deny)
+  (is (eq :deny (permission-get :capitaltool)))
+  (permission-set "CapitalTool" nil))
+#+end_src

org/security-policy.org

@@ -0,0 +1,92 @@
+#+TITLE: SKILL: Policy (org-skill-policy.org)
+#+AUTHOR: Agent
+#+FILETAGS: :system:policy:constitutional:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/security-policy.lisp
+
+* Architectural Intent: The Constitutional Layer
+
+The Policy skill encodes the non-negotiable values of Passepartout. Every action the agent proposes must pass through this gate. If the action lacks justification, it is blocked — not because it's dangerous, but because it's opaque.
+
+This is the "Radical Transparency" invariant in practice. The agent must explain *why* it wants to do something, not just *what* it wants to do. An action with ~:explanation "Because I said so"~ is rejected. An action with ~:explanation "The user asked me to read their TODO list and summarize it"~ passes.
+
+The Policy skill is intentionally simple. It has one job: ensure every action has a meaningful explanation. Other security concerns (secret scanning, path blocking, network exfiltration) are handled by the Dispatcher. The Policy is about values, not threats.
+
+** Contract
+
+1. (policy-compliance-check action context): if ~action~ has an
+   ~:explanation~ string longer than 10 characters, returns the action
+   unchanged. Otherwise, returns a ~:LOG~ rejection plist with
+   ~:level :warn~.
+
+** Boundaries
+
+- Does NOT check for dangerous content — the Dispatcher does that.
+- Does NOT validate explanation quality — only length and presence.
+- Does NOT consider ~context~ — implementation ignores it currently.
+
+* Implementation
+
+** Package Context
+#+begin_src lisp
+(in-package :passepartout)
+#+end_src
+
+** Policy Logic (policy-compliance-check)
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun policy-compliance-check (action context)
+  "Enforces constitutional invariants on proposed actions."
+  (declare (ignore context))
+  (let* ((payload (proto-get action :payload))
+         (explanation (proto-get payload :explanation)))
+    (if (and explanation (stringp explanation) (> (length explanation) 10))
+        action
+        (progn
+          (log-message "POLICY VIOLATION: Action lacks sufficient explanation.")
+          (list :type :LOG
+                :payload (list :level :warn
+                              :text "Action blocked: Missing or insufficient :explanation. Please justify your reasoning."))))))
+#+end_src
+
+** Skill Registration
+#+begin_src lisp
+(defskill :passepartout-security-policy
+  :priority 500
+  :trigger (lambda (ctx) (declare (ignore ctx)) t)
+  :deterministic #'policy-compliance-check)
+#+end_src
+
+* Test Suite
+
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-security-policy-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:policy-suite))
+
+(in-package :passepartout-security-policy-tests)
+
+(def-suite policy-suite :description "Verification of the Constitutional Policy Layer")
+(in-suite policy-suite)
+
+(test test-policy-passes-valid-explanation
+  "Contract 1: action with sufficient explanation passes through unchanged."
+  (let* ((action '(:type :REQUEST :payload (:action :read :explanation "The user asked me to read the TODO list for today.")))
+         (result (policy-compliance-check action nil)))
+    (is (equal action result))))
+
+(test test-policy-rejects-short-explanation
+  "Contract 1: action with explanation ≤10 characters is rejected with :LOG."
+  (let* ((action '(:type :REQUEST :payload (:action :read :explanation "hi")))
+         (result (policy-compliance-check action nil)))
+    (is (eq :LOG (getf result :type)))
+    (is (search "blocked" (getf (getf result :payload) :text) :test #'char-equal))))
+
+(test test-policy-rejects-missing-explanation
+  "Contract 1: action without :explanation is rejected."
+  (let* ((action '(:type :REQUEST :payload (:action :read)))
+         (result (policy-compliance-check action nil)))
+    (is (eq :LOG (getf result :type)))))
+#+end_src

org/security-validator.org

@@ -0,0 +1,88 @@
+#+TITLE: SKILL: Protocol Validator (org-skill-protocol-validator.org)
+#+AUTHOR: Agent
+#+FILETAGS: :system:protocol:validation:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/security-validator.lisp
+
+* Overview
+The Protocol Validator enforces schema compliance on every message entering or leaving the cognitive pipeline. It checks that messages are valid plists, that they have the required ~:type~ and ~:payload~ fields, and that the type is one of the known types (~:REQUEST~, ~:EVENT~, ~:RESPONSE~, ~:LOG~, ~:STATUS~). This prevents malformed messages from crashing the pipeline and ensures backward compatibility when the protocol evolves.
+
+* Architectural Intent
+
+The Protocol Validator wraps ~validate-communication-protocol-schema~
+(the core communication function) in a skill-level gate. It is the first
+filter every message passes through — malformed messages are rejected
+before they reach any cognitive stage.
+
+** Contract
+
+1. (validator-protocol-check msg): returns ~msg~ if valid per
+   ~validate-communication-protocol-schema~. Signals ~error~ on
+   malformed messages (caught by the skill's deterministic gate).
+2. The skill's deterministic gate wraps the validator: valid actions pass
+   through; invalid actions produce a ~:LOG~ rejection with
+   ~:level :error~.
+
+** Boundaries
+
+- Does NOT define the schema — that is ~core-transport.org~.
+- Does NOT validate semantic content — that is the Dispatcher and Policy.
+
+* Implementation
+
+** Package Context
+#+begin_src lisp
+(in-package :passepartout)
+#+end_src
+
+** Validation Logic
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun validator-protocol-check (msg)
+  "Enforces structural schema compliance on protocol messages."
+  (validate-communication-protocol-schema msg))
+#+end_src
+
+** Skill Registration
+#+begin_src lisp
+(defskill :passepartout-security-validator
+  :priority 95
+  :trigger (lambda (ctx) (declare (ignore ctx)) t)
+  :deterministic (lambda (action ctx)
+                   (declare (ignore ctx))
+                   (handler-case
+                       (progn (validator-protocol-check action) action)
+                     (error (c)
+                       (list :type :LOG :payload (list :level :error :text (format nil "Protocol Violation: ~a" c)))))))
+#+end_src
+
+* Test Suite
+
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-security-validator-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:validator-suite))
+
+(in-package :passepartout-security-validator-tests)
+
+(def-suite validator-suite :description "Verification of the Protocol Validator")
+(in-suite validator-suite)
+
+(test test-validator-passes-valid-message
+  "Contract 1: a valid message passes protocol check."
+  (let ((msg '(:type :EVENT :payload (:sensor :heartbeat))))
+    (handler-case
+        (progn
+          (validator-protocol-check msg)
+          (pass))
+      (error (c)
+        (fail "Validator rejected a valid message: ~a" c)))))
+
+(test test-validator-rejects-missing-type
+  "Contract 1: a message missing :type is rejected."
+  (let ((msg '(:payload (:sensor :heartbeat))))
+    (signals error
+      (validator-protocol-check msg))))
+#+end_src

org/security-vault.org

@@ -0,0 +1,159 @@
+#+TITLE: SKILL: Credentials Vault (org-skill-credentials-vault.org)
+#+AUTHOR: Agent
+#+FILETAGS: :system:security:vault:
+#+PROPERTY: header-args:lisp :tangle /home/user/.local/share/passepartout/lisp/security-vault.lisp
+
+* Overview
+The *Credentials Vault* provides secure in-memory storage for sensitive API keys and session tokens.
+
+* Architectural Intent
+
+The Credentials Vault isolates secrets from the rest of the system in
+a dedicated hash-table. It provides simple get/set primitives with
+environment-variable fallback for known providers. This is the single
+place where credentials enter the system — every provider skill routes
+through here.
+
+** Contract
+
+1. (vault-set provider secret &key type): stores secret under
+   ~(format nil "~a-~a" provider type)~ in ~*vault-memory*~.
+2. (vault-get provider &key type): returns the stored secret, or falls
+   back to the appropriate environment variable for known providers
+   (~:openai~, ~:anthropic~, ~:openrouter~, ~:gemini~). Returns NIL
+   if neither exists.
+3. (vault-get-secret provider): wrapper — calls ~vault-get~ with
+   ~:type :secret~.
+4. (vault-set-secret provider secret): wrapper — calls ~vault-set~
+   with ~:type :secret~.
+5. Vault isolation: storing a secret for provider A does not affect
+   provider B's entry. Different ~:type~ values produce different keys.
+
+** Boundaries
+
+- Does NOT encrypt at rest — that is the session layer's responsibility.
+- Does NOT validate key format — the provider skill does that.
+- Does NOT rotate or expire keys — this is a simple store.
+
+* Implementation
+
+** Package Context
+#+begin_src lisp
+(in-package :passepartout)
+#+end_src
+
+** Vault Storage
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defvar *vault-memory* (make-hash-table :test 'equal)
+  "In-memory cache of sensitive credentials.")
+#+end_src
+
+** Secret Management
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun vault-get (provider &key (type :api-key))
+  "Retrieves a credential from the vault or environment."
+  (let* ((key (format nil "~a-~a" provider type))
+         (val (gethash key *vault-memory*)))
+    (if val
+        val
+        (let ((env-var (case provider
+                          (:gemini "GEMINI_API_KEY")
+                          (:openai "OPENAI_API_KEY")
+                          (:anthropic "ANTHROPIC_API_KEY")
+                          (:openrouter "OPENROUTER_API_KEY")
+                          (otherwise nil))))
+          (when env-var (uiop:getenv env-var))))))
+
+#+end_src
+** vault-set
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun vault-set (provider secret &key (type :api-key))
+  "Stores a secret in the vault."
+  (let ((key (format nil "~a-~a" provider type)))
+    (setf (gethash key *vault-memory*) secret)))
+#+end_src
+
+** Secret Wrappers (gateway-messaging)
+
+Thin wrappers that match the export names used by =gateway-messaging=.
+Delegates to the existing =vault-get=/=vault-set= with ~:type :secret~.
+
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun vault-get-secret (provider)
+  "Retrieves a stored secret or token for a gateway provider."
+  (vault-get provider :type :secret))
+
+#+end_src
+** vault-set-secret
+;; REPL-VERIFIED: 2026-05-03T13:00:00
+#+begin_src lisp
+(defun vault-set-secret (provider secret)
+  "Stores a secret or token for a gateway provider."
+  (vault-set provider secret :type :secret))
+#+end_src
+
+** Skill Registration
+#+begin_src lisp
+(defskill :passepartout-security-vault
+  :priority 600
+  :trigger (lambda (ctx) (declare (ignore ctx)) nil))
+#+end_src
+
+* Test Suite
+
+#+begin_src lisp
+(eval-when (:compile-toplevel :load-toplevel :execute)
+  (ql:quickload :fiveam :silent t))
+
+(defpackage :passepartout-security-vault-tests
+  (:use :cl :fiveam :passepartout)
+  (:export #:vault-suite))
+
+(in-package :passepartout-security-vault-tests)
+
+(def-suite vault-suite :description "Verification of the Credentials Vault")
+(in-suite vault-suite)
+
+(test test-vault-round-trip
+  "Contract 1: vault-set stores a value; vault-get retrieves it."
+  (let ((test-key :vault-test-round-trip)
+        (test-secret "secret-abc123"))
+    (vault-set test-key test-secret)
+    (is (string= test-secret (vault-get test-key)))
+    ;; Clean up
+    (vault-set test-key nil)))
+
+(test test-vault-missing-key
+  "Contract 2: vault-get returns NIL for an unset, unknown provider."
+  (is (null (vault-get :nonexistent-provider-xyz))))
+
+(test test-vault-isolation
+  "Contract 5: storing for provider A does not affect provider B."
+  (vault-set :vault-prov-a "secret-a")
+  (vault-set :vault-prov-b "secret-b")
+  (is (string= "secret-a" (vault-get :vault-prov-a)))
+  (is (string= "secret-b" (vault-get :vault-prov-b)))
+  (vault-set :vault-prov-a nil)
+  (vault-set :vault-prov-b nil))
+
+(test test-vault-secret-wrappers
+  "Contracts 3,4: vault-get-secret and vault-set-secret use :type :secret."
+  (let ((test-provider :vault-secret-test))
+    (vault-set-secret test-provider "my-token")
+    (is (string= "my-token" (vault-get-secret test-provider)))
+    ;; Clean up
+    (vault-set-secret test-provider nil)))
+
+(test test-vault-type-isolation
+  "Contract 5: different :type values produce different keys."
+  (vault-set :vault-type-test "key-value" :type :api-key)
+  (vault-set :vault-type-test "secret-value" :type :secret)
+  (is (string= "key-value" (vault-get :vault-type-test :type :api-key)))
+  (is (string= "secret-value" (vault-get :vault-type-test :type :secret)))
+  (vault-set :vault-type-test nil :type :api-key)
+  (vault-set :vault-type-test nil :type :secret))
+#+end_src