Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 will.anderson
|
2865d6ad26 |
@@ -12,113 +12,47 @@ fn chat_default_model() -> String {
|
||||
return "claude-sonnet-4-5"
|
||||
}
|
||||
|
||||
// parse_salience_100 — convert a %g-serialized float to integer * 100.
|
||||
// The C runtime serializes floats with %g which trims trailing zeros:
|
||||
// 0.70 → "0.7", 0.60 → "0.6", 0.50 → "0.5", 1.0 → "1"
|
||||
// The naive str_replace(".", "") approach breaks for single-decimal strings:
|
||||
// "0.7" → "07" → str_to_int → 7 (WRONG, should be 70)
|
||||
// "0.5" → "05" → str_to_int → 5 (WRONG, should be 50)
|
||||
// "0.85" → "085" → str_to_int → 85 (accidentally correct — two decimal digits)
|
||||
// Fix: use str_index_of to find the decimal point and scale accordingly:
|
||||
// No decimal ("1"): multiply raw by 100
|
||||
// One decimal digit ("0.7"): multiply stripped value by 10
|
||||
// Two+ decimal digits ("0.85"): stripped value is already in hundredths
|
||||
fn parse_salience_100(s: String) -> Int {
|
||||
if str_eq(s, "") { return 70 }
|
||||
let dot_pos: Int = str_index_of(s, ".")
|
||||
let raw: Int = if dot_pos < 0 {
|
||||
// No decimal point — integer like "1" means 100%
|
||||
str_to_int(s) * 100
|
||||
} else {
|
||||
let after_dot: String = str_slice(s, dot_pos + 1, str_len(s))
|
||||
let decimal_digits: Int = str_len(after_dot)
|
||||
let stripped: Int = str_to_int(str_replace(s, ".", ""))
|
||||
if decimal_digits == 1 { stripped * 10 } else { stripped }
|
||||
}
|
||||
if raw > 100 { 100 } else { if raw < 0 { 0 } else { raw } }
|
||||
}
|
||||
|
||||
// engram_score_node — compute a recency x relevance score for a single engram
|
||||
// node JSON object. Higher is better.
|
||||
//
|
||||
// Bugs fixed vs original implementation:
|
||||
// 1. FLOAT PARSING: parse_salience_100 correctly handles %g single-decimal output.
|
||||
// "0.7" → 70, "0.6" → 60, "0.5" → 50 (was: 7, 6, 5 — scored near zero and
|
||||
// were filtered by threshold=25, making the function broken for the majority
|
||||
// of the graph where conv/utterance nodes have salience/importance ≈ 0.6/0.7).
|
||||
// 2. RECENCY USES LAST TOUCH: uses max(created_at, updated_at, last_activated) so
|
||||
// nodes strengthened by engram_strengthen() after chat turns are not penalised
|
||||
// for a stale created_at. A node referenced yesterday but created 25 days ago
|
||||
// now correctly scores as fresh rather than borderline-filtered.
|
||||
// 3. COMPRESSED RECENCY RANGE: old formula (sal * imp * recency / 10000) gave
|
||||
// recency a 10x dynamic range (10-100) vs 1.9x for salience/importance. A
|
||||
// canonical high-importance node at 30 days scored the same as a fresh noise
|
||||
// node. New formula compresses recency to 1.54x via (50 + recency/2) weight.
|
||||
// 4. SOFTER FLOOR: recency floor raised from 10 to 30 with tier-aware decay windows
|
||||
// so canonical identity/persona nodes never bottom out to near-zero.
|
||||
// node JSON object. Higher is better. Score = salience * importance * recency_factor.
|
||||
// recency_factor decays linearly over 30 days: nodes updated today score 1.0,
|
||||
// nodes 30+ days old score 0.1 (floor). Nodes with no created_at score 0.5.
|
||||
// This keeps fresh, high-salience nodes at the top and pushes stale low-signal
|
||||
// nodes to the bottom so they get trimmed when we cap context size.
|
||||
fn engram_score_node(node_json: String) -> Int {
|
||||
let salience_str: String = json_get(node_json, "salience")
|
||||
let importance_str: String = json_get(node_json, "importance")
|
||||
let created_str: String = json_get(node_json, "created_at")
|
||||
let updated_str: String = json_get(node_json, "updated_at")
|
||||
let activated_str: String = json_get(node_json, "last_activated")
|
||||
let tier_str: String = json_get(node_json, "tier")
|
||||
|
||||
// parse_salience_100 handles "0.7" → 70, "0.85" → 85, "1.0" → 100, "1" → 100
|
||||
let salience_100: Int = parse_salience_100(salience_str)
|
||||
let importance_100: Int = parse_salience_100(importance_str)
|
||||
|
||||
// Recency: use max(created_at, updated_at, last_activated).
|
||||
// last_activated is updated by engram_strengthen() every chat turn — nodes
|
||||
// actively referenced score fresh regardless of original write time.
|
||||
let now_ts: Int = time_now()
|
||||
let created_ts: Int = if str_eq(created_str, "") { 0 } else { str_to_int(created_str) }
|
||||
let updated_ts: Int = if str_eq(updated_str, "") { 0 } else { str_to_int(updated_str) }
|
||||
let activated_ts: Int = if str_eq(activated_str, "") { 0 } else { str_to_int(activated_str) }
|
||||
let best_ts_ab: Int = if updated_ts > created_ts { updated_ts } else { created_ts }
|
||||
let best_ts: Int = if activated_ts > best_ts_ab { activated_ts } else { best_ts_ab }
|
||||
let recency_100: Int = if best_ts == 0 { 50 } else {
|
||||
let age_secs: Int = now_ts - best_ts
|
||||
// Guard against clock skew (future timestamps): treat as brand new.
|
||||
let age_days: Int = if age_secs < 0 { 0 } else { age_secs / 86400 }
|
||||
// Tier-aware decay, softer floor (30 not 10):
|
||||
// Canonical: 365-day window — foundational identity/persona nodes.
|
||||
// Episodic: 90-day window — conversation context fades moderately.
|
||||
// Working/untiered: 35-day window — transient task state.
|
||||
let is_canonical: Bool = str_eq(tier_str, "Canonical")
|
||||
let is_episodic: Bool = str_eq(tier_str, "Episodic")
|
||||
let decay: Int = if is_canonical {
|
||||
let drop: Int = if age_days >= 365 { 70 } else { age_days * 70 / 365 }
|
||||
100 - drop
|
||||
} else {
|
||||
if is_episodic {
|
||||
if age_days >= 90 { 30 } else { 100 - (age_days * 70 / 90) }
|
||||
} else {
|
||||
if age_days >= 35 { 30 } else { 100 - (age_days * 2) }
|
||||
}
|
||||
}
|
||||
if decay < 30 { 30 } else { decay }
|
||||
// Parse as floats via * 100 integer arithmetic (el has no float math)
|
||||
let salience_100: Int = if str_eq(salience_str, "") { 70 } else {
|
||||
let s: Int = str_to_int(str_replace(salience_str, ".", ""))
|
||||
// Clamp to 0-100 range (value was e.g. "0.85" -> parsed "085" = 85)
|
||||
if s > 100 { 100 } else { if s < 0 { 0 } else { s } }
|
||||
}
|
||||
let importance_100: Int = if str_eq(importance_str, "") { 70 } else {
|
||||
let v: Int = str_to_int(str_replace(importance_str, ".", ""))
|
||||
if v > 100 { 100 } else { if v < 0 { 0 } else { v } }
|
||||
}
|
||||
|
||||
// Compressed recency weight (50 + recency/2): range 65-100 (1.54x dynamic range).
|
||||
// Old formula had 10x recency range which drowned out relevance for old-but-important
|
||||
// nodes. New: relevance (0-100) × recency_weight (65-100) / 100 → score 0-100.
|
||||
// salience_100 and importance_100 are already in the 0-100 range (parse_salience_100
|
||||
// returns e.g. 70 for "0.7"). Dividing by 100 keeps relevance in 0-100.
|
||||
// Dividing by 10000 caused integer truncation to 0 for all real-world nodes
|
||||
// (e.g., sal=0.7, imp=0.7 → 70*70/10000 = 0 instead of 49).
|
||||
let relevance: Int = salience_100 * importance_100 / 100
|
||||
let recency_weight: Int = 50 + recency_100 / 2
|
||||
return relevance * recency_weight / 100
|
||||
// Recency: decay from 100 (today) to 10 (30+ days). created_at is Unix seconds.
|
||||
let now_ts: Int = time_now()
|
||||
let recency_100: Int = if str_eq(created_str, "") { 50 } else {
|
||||
let created_ts: Int = str_to_int(created_str)
|
||||
let age_secs: Int = now_ts - created_ts
|
||||
let age_days: Int = age_secs / 86400
|
||||
let decay: Int = if age_days >= 30 { 10 } else { 100 - (age_days * 3) }
|
||||
if decay < 10 { 10 } else { decay }
|
||||
}
|
||||
|
||||
// Combined score 0-1000000 (no floats): salience * importance * recency / 10000
|
||||
return salience_100 * importance_100 * recency_100 / 10000
|
||||
}
|
||||
|
||||
// engram_compile_ranked — build a context string from a JSON array of node objects,
|
||||
// ordered best-first by score. Only nodes above threshold=10 are included.
|
||||
// With corrected formula (sal*imp/100): sal=0.5*imp=0.5 at max recency scores 25;
|
||||
// sal=0.5*imp=0.5 at Working floor (recency=30, weight=65) scores 16.
|
||||
// Threshold=10 gives safe headroom for low-salience nodes near the recency floor,
|
||||
// while still filtering near-zero noise (e.g., sal=0.1*imp=0.1 → score≤1).
|
||||
// Returns at most max_nodes entries. max_nodes must not exceed 20 (sentinel limit).
|
||||
// ordered best-first by score. Only nodes above a minimum score (25 = salience 0.5 *
|
||||
// importance 0.5 * recency 1.0) are included; the rest are noise. Returns at most
|
||||
// max_nodes entries concatenated as JSON array text. Because el has no sort primitive,
|
||||
// we do a single selection pass picking the top N by linear scan (N=10 cap).
|
||||
fn engram_compile_ranked(nodes_json: String, max_nodes: Int) -> String {
|
||||
if str_eq(nodes_json, "") { return "" }
|
||||
if str_eq(nodes_json, "[]") { return "" }
|
||||
@@ -139,10 +73,8 @@ fn engram_compile_ranked(nodes_json: String, max_nodes: Int) -> String {
|
||||
while ci < total {
|
||||
let node: String = json_array_get(nodes_json, ci)
|
||||
let score: Int = engram_score_node(node)
|
||||
// Threshold=10: allows moderately-relevant older nodes while filtering noise.
|
||||
// Example: sal=0.5 imp=0.5 at Working recency floor (35+ days) → score 16,
|
||||
// which passes. A near-zero node (sal=0.1 imp=0.1) → score ≤ 1, filtered.
|
||||
let above_thresh: Bool = score >= 10
|
||||
// Only include reasonably relevant nodes (threshold=25)
|
||||
let above_thresh: Bool = score >= 25
|
||||
// Check this index wasn't already selected (sentinel: look for idx marker)
|
||||
let idx_marker: String = "\"_sel_" + int_to_str(ci) + "\""
|
||||
let already_picked: Bool = str_contains(selected, idx_marker)
|
||||
@@ -169,7 +101,7 @@ fn engram_compile_ranked(nodes_json: String, max_nodes: Int) -> String {
|
||||
// Strip the _sel_N sentinel fields that were used for duplicate-detection bookkeeping.
|
||||
// The sentinels have the form "\"_sel_N\":1," (trailing comma, space before next key).
|
||||
// We injected them as the first field in each object, so the pattern is predictable.
|
||||
// Because el has no regex, remove up to 20 possible sentinel variants by literal replace.
|
||||
// Because el has no regex, remove up to 10 possible sentinel variants by literal replace.
|
||||
let clean: String = "[" + selected + "]"
|
||||
let c0: String = str_replace(clean, "\"_sel_0\":1,", "")
|
||||
let c1: String = str_replace(c0, "\"_sel_1\":1,", "")
|
||||
@@ -181,17 +113,7 @@ fn engram_compile_ranked(nodes_json: String, max_nodes: Int) -> String {
|
||||
let c7: String = str_replace(c6, "\"_sel_7\":1,", "")
|
||||
let c8: String = str_replace(c7, "\"_sel_8\":1,", "")
|
||||
let c9: String = str_replace(c8, "\"_sel_9\":1,", "")
|
||||
let c10: String = str_replace(c9, "\"_sel_10\":1,", "")
|
||||
let c11: String = str_replace(c10, "\"_sel_11\":1,", "")
|
||||
let c12: String = str_replace(c11, "\"_sel_12\":1,", "")
|
||||
let c13: String = str_replace(c12, "\"_sel_13\":1,", "")
|
||||
let c14: String = str_replace(c13, "\"_sel_14\":1,", "")
|
||||
let c15: String = str_replace(c14, "\"_sel_15\":1,", "")
|
||||
let c16: String = str_replace(c15, "\"_sel_16\":1,", "")
|
||||
let c17: String = str_replace(c16, "\"_sel_17\":1,", "")
|
||||
let c18: String = str_replace(c17, "\"_sel_18\":1,", "")
|
||||
let c19: String = str_replace(c18, "\"_sel_19\":1,", "")
|
||||
return c19
|
||||
return c9
|
||||
}
|
||||
|
||||
fn engram_compile(intent: String) -> String {
|
||||
@@ -202,11 +124,8 @@ fn engram_compile(intent: String) -> String {
|
||||
let act_ok: Bool = !str_eq(activate_json, "") && !str_eq(activate_json, "[]")
|
||||
let srch_ok: Bool = !str_eq(search_json, "") && !str_eq(search_json, "[]")
|
||||
|
||||
// Activation nodes (spreading activation) are high-signal but apply scoring via
|
||||
// engram_compile_ranked with threshold=5 to exclude genuinely zero-quality stale
|
||||
// nodes that happen to be graph-connected. The threshold of 5 is well below the
|
||||
// search path threshold of 15 to preserve the activation path's higher recall.
|
||||
let act_part: String = if act_ok { engram_compile_ranked(activate_json, 5) } else { "" }
|
||||
// Activation nodes (spreading activation) are already high-signal — keep all 5.
|
||||
let act_part: String = if act_ok { activate_json } else { "" }
|
||||
|
||||
// Rank search results and keep only the top 8 (was: flat 15 unranked).
|
||||
// This cuts context noise roughly in half while preserving the best-scoring nodes.
|
||||
@@ -231,43 +150,9 @@ fn engram_compile(intent: String) -> String {
|
||||
""
|
||||
}
|
||||
|
||||
// Affective context: always include the most recent high-emotion memory if one
|
||||
// exists within 72 hours. This ensures continuity of care across turns — when
|
||||
// the user was in distress earlier in the session (or recently), that context
|
||||
// travels into every subsequent LLM call so the response register stays aware.
|
||||
// We search for BellEvent nodes specifically; these are written by auto_persist
|
||||
// when safety_detect_bell_level fires. The 72h window (259200 seconds) is wide
|
||||
// enough to span a multi-session day without pulling ancient history.
|
||||
let bell_nodes: String = engram_search_json("bell:soft bell:hard BellEvent", 3)
|
||||
let bell_ok: Bool = !str_eq(bell_nodes, "") && !str_eq(bell_nodes, "[]")
|
||||
let now_ts: Int = time_now()
|
||||
let cutoff_ts: Int = now_ts - 259200
|
||||
let recent_bell: String = if bell_ok {
|
||||
let bn0: String = json_array_get(bell_nodes, 0)
|
||||
// created_at is not present in engram node JSON for BellEvent nodes.
|
||||
// Extract the timestamp embedded in the content string as " | ts:NNNNN".
|
||||
// Fall back to created_at / updated_at JSON fields if the marker is absent.
|
||||
let bn_content: String = json_get(bn0, "content")
|
||||
let ts_marker: String = " | ts:"
|
||||
let ts_pos: Int = str_index_of(bn_content, ts_marker)
|
||||
let bn_ts_raw: String = if ts_pos >= 0 {
|
||||
let ts_start: Int = ts_pos + str_len(ts_marker)
|
||||
let rest: String = str_slice(bn_content, ts_start, str_len(bn_content))
|
||||
let next_sep: Int = str_index_of(rest, " | ")
|
||||
if next_sep < 0 { rest } else { str_slice(rest, 0, next_sep) }
|
||||
} else {
|
||||
let ca: String = json_get(bn0, "created_at")
|
||||
if str_eq(ca, "") { json_get(bn0, "updated_at") } else { ca }
|
||||
}
|
||||
let bn_ts: Int = if str_eq(bn_ts_raw, "") { 0 } else { str_to_int(bn_ts_raw) }
|
||||
if bn_ts > cutoff_ts { bn0 } else { "" }
|
||||
} else { "" }
|
||||
let affective_part: String = if !str_eq(recent_bell, "") { recent_bell } else { "" }
|
||||
|
||||
let sep1: String = if !str_eq(act_part, "") && !str_eq(srch_part, "") { "\n" } else { "" }
|
||||
let sep2: String = if (!str_eq(act_part, "") || !str_eq(srch_part, "")) && !str_eq(scan_part, "") { "\n" } else { "" }
|
||||
let sep3: String = if (!str_eq(act_part, "") || !str_eq(srch_part, "") || !str_eq(scan_part, "")) && !str_eq(affective_part, "") { "\n" } else { "" }
|
||||
let ctx: String = act_part + sep1 + srch_part + sep2 + scan_part + sep3 + affective_part
|
||||
let ctx: String = act_part + sep1 + srch_part + sep2 + scan_part
|
||||
|
||||
if str_eq(ctx, "") { return "" }
|
||||
|
||||
@@ -314,15 +199,7 @@ fn build_system_prompt(ctx: String) -> String {
|
||||
"\n\n[ENGRAM CONTEXT — compiled from your graph]\n" + ctx
|
||||
}
|
||||
|
||||
let safety_addendum: String = state_get("layered_cycle_safety_system_addendum")
|
||||
let safety_block: String = if str_eq(safety_addendum, "") {
|
||||
""
|
||||
} else {
|
||||
state_set("layered_cycle_safety_system_addendum", "")
|
||||
safety_addendum
|
||||
}
|
||||
|
||||
return identity + date_line + voice_rules + security_rules + capability_rules + identity_block + engram_block + safety_block
|
||||
return identity + date_line + voice_rules + security_rules + capability_rules + identity_block + engram_block
|
||||
}
|
||||
|
||||
fn hist_append(hist: String, role: String, content: String) -> String {
|
||||
@@ -336,6 +213,11 @@ fn hist_append(hist: String, role: String, content: String) -> String {
|
||||
}
|
||||
|
||||
fn hist_trim(hist: String) -> String {
|
||||
// Issue #9 (fragile parser): uses manual str_index_of scan rather than a real
|
||||
// JSON parser. If the history JSON does not contain the expected marker pattern
|
||||
// (e.g. corrupted or truncated), returns the unmodified hist silently — silent
|
||||
// data corruption that causes LLM context-length errors on the next turn.
|
||||
// TODO: replace with json_array_slice() once available in the EL runtime.
|
||||
let inner: String = str_slice(hist, 1, str_len(hist) - 1)
|
||||
let marker: String = "{\"role\":"
|
||||
let i1: Int = str_index_of(inner, marker)
|
||||
@@ -349,69 +231,6 @@ fn hist_trim(hist: String) -> String {
|
||||
return hist
|
||||
}
|
||||
|
||||
// hist_trim_with_bell_guard — trim the history window exactly as hist_trim does, but
|
||||
// before dropping the oldest user/assistant pair check whether the user turn triggered
|
||||
// a bell event. If it did, write a preservation node to engram so the distress exchange
|
||||
// survives the 20-turn window. The LLM window drops it; engram retains it permanently
|
||||
// and engram_compile will surface it again via the affective context path.
|
||||
fn hist_trim_with_bell_guard(hist: String) -> String {
|
||||
// Extract the first turn (should be a user message) to inspect it.
|
||||
let inner: String = str_slice(hist, 1, str_len(hist) - 1)
|
||||
let marker: String = "{\"role\":"
|
||||
let i1: Int = str_index_of(inner, marker)
|
||||
// i1 is the start of the first entry within inner.
|
||||
// Find where the second entry begins to delimit the first entry's JSON.
|
||||
let tail1: String = str_slice(inner, i1 + 1, str_len(inner))
|
||||
let i2: Int = str_index_of(tail1, marker)
|
||||
// The first entry spans from i1 to (i1 + 1 + i2 - 1) within inner.
|
||||
let first_entry_raw: String = if i2 > 0 {
|
||||
str_slice(inner, i1, i1 + 1 + i2 - 1)
|
||||
} else {
|
||||
str_slice(inner, i1, str_len(inner))
|
||||
}
|
||||
let first_role: String = json_get(first_entry_raw, "role")
|
||||
let first_content: String = json_get(first_entry_raw, "content")
|
||||
|
||||
// Only inspect user turns — assistant content doesn't carry bell signals.
|
||||
let bell_level: String = if str_eq(first_role, "user") {
|
||||
safety_detect_bell_level(first_content)
|
||||
} else {
|
||||
"none"
|
||||
}
|
||||
|
||||
// If the turn being evicted triggered a bell, preserve it to engram.
|
||||
// This is distinct from the BellEvent written by auto_persist: that node
|
||||
// carries a short summary. This node carries the full exchange content so
|
||||
// it is recoverable for clinical/continuity review.
|
||||
if !str_eq(bell_level, "none") {
|
||||
let ts: Int = time_now()
|
||||
let ts_str: String = int_to_str(ts)
|
||||
let safe_content: String = str_replace(first_content, "\"", "'")
|
||||
let preserve_content: String = "PRESERVED_BELL:" + bell_level
|
||||
+ " | evicted_at:" + ts_str
|
||||
+ " | message:" + safe_content
|
||||
let preserve_tags: String = "[\"bell-history\",\"bell:" + bell_level + "\",\"evicted\",\"affective\",\"BellEvent\"]"
|
||||
let discard: String = engram_node_full(
|
||||
preserve_content,
|
||||
"BellEvent",
|
||||
"bell:" + bell_level + ":preserved",
|
||||
el_from_float(0.9),
|
||||
el_from_float(0.9),
|
||||
el_from_float(1.0),
|
||||
"Episodic",
|
||||
preserve_tags
|
||||
)
|
||||
}
|
||||
|
||||
// Now perform the standard trim (drop oldest 2 entries = 1 user + 1 assistant pair).
|
||||
let tail2: String = str_slice(tail1, i2 + 1, str_len(tail1))
|
||||
let i3: Int = str_index_of(tail2, marker)
|
||||
if i3 >= 0 {
|
||||
return "[" + str_slice(tail2, i3, str_len(tail2)) + "]"
|
||||
}
|
||||
return hist
|
||||
}
|
||||
|
||||
// clean_llm_response — strips GPT-2 BPE byte-to-unicode artifacts that vLLM
|
||||
// emits when the tokenizer hasn't decoded back to raw bytes.
|
||||
//
|
||||
@@ -457,10 +276,20 @@ fn conv_history_load() -> String {
|
||||
fn handle_chat(body: String) -> String {
|
||||
let message: String = json_get(body, "message")
|
||||
if str_eq(message, "") {
|
||||
return "{\"error\":\"message is required\",\"response\":\"\"}"
|
||||
// Issue #5: missing required param — HTTP 400.
|
||||
return "{\"__status__\":400,\"error\":\"message is required\",\"response\":\"\"}"
|
||||
}
|
||||
|
||||
// Load history BEFORE compiling context so we can anchor activation to the thread.
|
||||
//
|
||||
// TODO(reliability #3 — conv_history global race): "conv_history" is a process-global
|
||||
// state key. Concurrent /api/chat requests that omit session_id all read the same key,
|
||||
// append their exchange, and write it back. Because _state_mu serializes individual
|
||||
// state_get/state_set calls but NOT the read-append-write sequence, one thread's
|
||||
// appended exchange can be overwritten by another thread writing its own version.
|
||||
// The fix is to require callers to supply a session_id (routing them through
|
||||
// session_hist_<id>) and deprecate the global "conv_history" path. Callers using
|
||||
// the session API (which scopes history per session_hist_<id>) are not affected.
|
||||
let state_hist: String = state_get("conv_history")
|
||||
let stored_hist: String = if str_eq(state_hist, "") { conv_history_load() } else { state_hist }
|
||||
let hist_len: Int = if str_eq(stored_hist, "") { 0 } else { json_array_len(stored_hist) }
|
||||
@@ -479,27 +308,8 @@ fn handle_chat(body: String) -> String {
|
||||
message
|
||||
}
|
||||
|
||||
// Cross-session affective context: on session start (no history yet), check engram
|
||||
// for recent distress signals within 72h and prepend a care directive if found.
|
||||
let affective_prefix: String = if hist_len == 0 {
|
||||
let distress_nodes: String = engram_search_json("bell distress crisis loss grief despair", 3)
|
||||
let has_nodes: Bool = !str_eq(distress_nodes, "") && !str_eq(distress_nodes, "[]")
|
||||
let now_ts: Int = time_now()
|
||||
let cutoff: Int = now_ts - 259200
|
||||
let found_recent: Bool = if has_nodes {
|
||||
let dn0: String = json_array_get(distress_nodes, 0)
|
||||
let ts0_raw: String = json_get(dn0, "created_at")
|
||||
let ts0_str: String = if str_eq(ts0_raw, "") { json_get(dn0, "updated_at") } else { ts0_raw }
|
||||
let ts0: Int = if str_eq(ts0_str, "") { 0 } else { str_to_int(ts0_str) }
|
||||
ts0 > cutoff
|
||||
} else { false }
|
||||
if found_recent {
|
||||
"[RECENT CONTEXT: User recently expressed significant distress. Monitor for indirect crisis signals and respond with care.]\n\n"
|
||||
} else { "" }
|
||||
} else { "" }
|
||||
|
||||
let ctx: String = engram_compile(activation_seed)
|
||||
let system: String = affective_prefix + build_system_prompt(ctx)
|
||||
let system: String = build_system_prompt(ctx)
|
||||
|
||||
// First message of the session: proactively load user profile and active work context.
|
||||
// These two searches give the soul grounding before any conversation history exists.
|
||||
@@ -579,17 +389,14 @@ fn handle_chat(body: String) -> String {
|
||||
let req_model: String = json_get(body, "model")
|
||||
let model: String = if str_eq(req_model, "") { chat_default_model() } else { req_model }
|
||||
|
||||
// ISSUE 9: add safety_augment_system to primary /api/chat path.
|
||||
// handle_chat was the only LLM path missing bell directive injection.
|
||||
let full_system = safety_augment_system(full_system, message)
|
||||
|
||||
let raw_response: String = llm_call_system(model, full_system, message)
|
||||
|
||||
let is_error: Bool = str_starts_with(raw_response, "{\"error\"")
|
||||
|| str_starts_with(raw_response, "{\"type\":\"error\"")
|
||||
|| str_contains(raw_response, "authentication_error")
|
||||
if is_error {
|
||||
return "{\"error\":\"llm unavailable\",\"response\":\"\"}"
|
||||
// Issue #6: LLM failure — HTTP 503 (service unavailable).
|
||||
return "{\"__status__\":503,\"error\":\"llm unavailable\",\"response\":\"\"}"
|
||||
}
|
||||
|
||||
let clean_response: String = clean_llm_response(raw_response)
|
||||
@@ -597,10 +404,8 @@ fn handle_chat(body: String) -> String {
|
||||
|
||||
let updated_hist: String = hist_append(stored_hist, "user", message)
|
||||
let updated_hist2: String = hist_append(updated_hist, "assistant", raw_response)
|
||||
// Use bell-guarded trim: if the evicted turn triggered a bell event, it is
|
||||
// preserved to engram before being dropped from the in-memory window.
|
||||
let final_hist: String = if json_array_len(updated_hist2) > 20 {
|
||||
hist_trim_with_bell_guard(updated_hist2)
|
||||
hist_trim(updated_hist2)
|
||||
} else {
|
||||
updated_hist2
|
||||
}
|
||||
@@ -738,7 +543,15 @@ fn agentic_tools_all() -> String {
|
||||
fn call_mcp_bridge(tool_name: String, tool_input: String) -> String {
|
||||
let eff_input: String = if str_eq(tool_input, "") { "{}" } else { tool_input }
|
||||
let body: String = "{\"name\":\"" + tool_name + "\",\"input\":" + eff_input + "}"
|
||||
let tmp: String = "/tmp/neuron-mcp-call.json"
|
||||
// Issue #12: previously used a fixed path /tmp/neuron-mcp-call.json.
|
||||
// Under concurrent load (64 worker threads), two simultaneous MCP tool calls
|
||||
// race on this file — one call sends the other's input to the bridge.
|
||||
// Fix: monotonic sequence counter makes the path unique per call.
|
||||
let mcp_seq_s: String = state_get("mcp_call_seq")
|
||||
let mcp_seq_n: Int = if str_eq(mcp_seq_s, "") { 0 } else { str_to_int(mcp_seq_s) }
|
||||
let mcp_seq_next: Int = mcp_seq_n + 1
|
||||
state_set("mcp_call_seq", int_to_str(mcp_seq_next))
|
||||
let tmp: String = "/tmp/neuron-mcp-call-" + int_to_str(time_now()) + "-" + int_to_str(mcp_seq_next) + ".json"
|
||||
fs_write(tmp, body)
|
||||
return exec_capture("curl -s --max-time 30 -X POST http://127.0.0.1:7771/mcp/call -H 'Content-Type: application/json' -d @" + tmp)
|
||||
}
|
||||
@@ -817,8 +630,7 @@ fn path_within_root(path: String, root: String) -> Bool {
|
||||
return false
|
||||
}
|
||||
if str_starts_with(path, "/") {
|
||||
let root_normalized: String = root + "/"
|
||||
return str_starts_with(path, root_normalized)
|
||||
return str_starts_with(path, root)
|
||||
}
|
||||
return true
|
||||
}
|
||||
@@ -909,17 +721,12 @@ fn dispatch_tool(tool_name: String, tool_input: String) -> String {
|
||||
let path: String = json_get(tool_input, "path")
|
||||
let old_text: String = json_get(tool_input, "old_text")
|
||||
let new_text: String = json_get(tool_input, "new_text")
|
||||
let root: String = agent_workspace_root()
|
||||
if !path_within_root(path, root) {
|
||||
return json_safe("denied: path is outside the agent workspace root")
|
||||
}
|
||||
let resolved: String = resolve_in_root(path, root)
|
||||
let content: String = fs_read(resolved)
|
||||
let content: String = fs_read(path)
|
||||
if str_eq(content, "") {
|
||||
return json_safe("{\"error\":\"file not found\"}")
|
||||
}
|
||||
let updated: String = str_replace(content, old_text, new_text)
|
||||
fs_write(resolved, updated)
|
||||
fs_write(path, updated)
|
||||
return json_safe("{\"ok\":true}")
|
||||
}
|
||||
if str_eq(tool_name, "remember") {
|
||||
@@ -1019,15 +826,25 @@ fn is_builtin_tool(tool_name: String) -> Bool {
|
||||
|| str_starts_with(tool_name, "neuron_")
|
||||
}
|
||||
|
||||
// next_bridge_id — monotonic correlation id for a suspended agentic turn.
|
||||
// Combines boot-relative time with a per-process counter so two unknown-tool
|
||||
// suspensions in the same second still get distinct ids.
|
||||
// next_bridge_id — unique correlation id for a suspended agentic turn.
|
||||
// Uses uuid_v4() as the primary uniqueness guarantee so concurrent calls
|
||||
// (even in the same millisecond) cannot collide. The "mcp_bridge_seq"
|
||||
// counter is kept for human readability in logs/debugging but is no longer
|
||||
// relied on for uniqueness.
|
||||
//
|
||||
// TODO(reliability #6): state_get/state_set on "mcp_bridge_seq" is a
|
||||
// non-atomic read-modify-write — two concurrent calls can read the same
|
||||
// counter and produce the same counter suffix. This is now benign because
|
||||
// uuid_v4() provides collision-free uniqueness. A true counter fix would
|
||||
// require an atomic_increment() builtin in el_runtime.c.
|
||||
fn next_bridge_id() -> String {
|
||||
let prev: String = state_get("mcp_bridge_seq")
|
||||
let n: Int = if str_eq(prev, "") { 0 } else { str_to_int(prev) }
|
||||
let next: Int = n + 1
|
||||
state_set("mcp_bridge_seq", int_to_str(next))
|
||||
return "br-" + int_to_str(time_now()) + "-" + int_to_str(next)
|
||||
// uuid_v4() provides collision-free uniqueness; counter is decorative.
|
||||
let uid: String = uuid_v4()
|
||||
return "br-" + uid
|
||||
}
|
||||
|
||||
fn handle_chat_agentic(body: String) -> String {
|
||||
@@ -1036,17 +853,6 @@ fn handle_chat_agentic(body: String) -> String {
|
||||
return "{\"error\":\"message required\",\"reply\":\"\"}"
|
||||
}
|
||||
|
||||
// Workspace scope (#23): the desktop UI sends the user-chosen Agent Workspace root
|
||||
// on every agentic request. Persist it to state so agent_workspace_root() — and the
|
||||
// path/command tool guards that read it — confine this turn's file/command tools to
|
||||
// that subtree. Only set when non-empty: an empty/absent field means the client sent
|
||||
// no root (or cleared the field), and we must not overwrite a server-configured root
|
||||
// from NEURON_AGENT_ROOT with an empty string, which would silently un-scope the agent.
|
||||
let ws_root: String = json_get(body, "agent_workspace_root")
|
||||
if !str_eq(ws_root, "") {
|
||||
state_set("agent_workspace_root", ws_root)
|
||||
}
|
||||
|
||||
// L1 safety screen — agentic path must pass the same gate as layered_cycle.
|
||||
// Hard bell: return the crisis response immediately, do not enter the agentic loop.
|
||||
let history: String = state_get("conversation_history")
|
||||
@@ -1063,21 +869,6 @@ fn handle_chat_agentic(body: String) -> String {
|
||||
// Thread-aware activation: same logic as handle_chat.
|
||||
// Use the session's or global history to anchor short messages to the thread.
|
||||
let req_session: String = json_get(body, "session_id")
|
||||
|
||||
// ISSUE #6/#7: validate that the session_id actually exists before proceeding.
|
||||
// Without this check the loop silently treats any unknown/fabricated session_id
|
||||
// as a fresh session — history loads as empty and no error is returned to the caller.
|
||||
// Only validate when a session_id is explicitly provided; anonymous calls
|
||||
// (no session_id) continue to work for backward compatibility.
|
||||
let session_valid: Bool = if str_eq(req_session, "") {
|
||||
true
|
||||
} else {
|
||||
session_exists(req_session)
|
||||
}
|
||||
if !session_valid {
|
||||
return "{\"error\":\"session not found\",\"session_id\":\"" + req_session + "\",\"reply\":\"\"}"
|
||||
}
|
||||
|
||||
let hist_key: String = if str_eq(req_session, "") { "conv_history" } else { "session_hist_" + req_session }
|
||||
let agentic_hist: String = state_get(hist_key)
|
||||
let agentic_hist_len: Int = if str_eq(agentic_hist, "") { 0 } else { json_array_len(agentic_hist) }
|
||||
@@ -1586,28 +1377,14 @@ fn auto_persist(req: String, resp: String) -> Void {
|
||||
let safe_msg: String = str_replace(message, "\"", "'")
|
||||
let safe_reply: String = str_replace(reply2, "\"", "'")
|
||||
|
||||
// Detect emotional salience before persisting. safety_detect_bell_level uses the
|
||||
// same phrase lists as the safety layer (safety.el), so the classification is
|
||||
// consistent with what safety_screen already evaluated for this turn.
|
||||
let bell_level: String = safety_detect_bell_level(message)
|
||||
let is_bell: Bool = !str_eq(bell_level, "none")
|
||||
|
||||
// Tag the Conversation node with bell metadata when distress is present so
|
||||
// subsequent affective queries (e.g. engram_compile) can find this exchange.
|
||||
let tags: String = if is_bell {
|
||||
"[\"Conversation\",\"chat\",\"timestamped\",\"bell:" + bell_level + "\",\"affective\"]"
|
||||
} else {
|
||||
"[\"Conversation\",\"chat\",\"timestamped\"]"
|
||||
}
|
||||
|
||||
let content: String = "{\"q\":\"" + safe_msg + "\""
|
||||
+ ",\"a\":\"" + safe_reply + "\""
|
||||
+ ",\"created_at\":" + ts_str
|
||||
+ ",\"source\":\"chat\""
|
||||
+ ",\"bell\":\"" + bell_level + "\""
|
||||
+ ",\"label\":\"chat:" + ts_str + "\"}"
|
||||
|
||||
let conv_node_id: String = engram_node_full(
|
||||
let tags: String = "[\"Conversation\",\"chat\",\"timestamped\"]"
|
||||
engram_node_full(
|
||||
content,
|
||||
"Conversation",
|
||||
"chat:" + ts_str,
|
||||
@@ -1617,72 +1394,6 @@ fn auto_persist(req: String, resp: String) -> Void {
|
||||
"Episodic",
|
||||
tags
|
||||
)
|
||||
|
||||
// When a bell fires, write a dedicated BellEvent node in addition to the
|
||||
// Conversation node. This makes distress moments directly findable by label
|
||||
// ("bell:soft" / "bell:hard") without having to scan all Conversation nodes.
|
||||
// The BellEvent carries higher salience so engram_compile pulls it into context.
|
||||
// The message content is truncated to 120 chars — enough signal, not a full dump.
|
||||
if is_bell {
|
||||
let summary: String = if str_len(message) > 120 { str_slice(message, 0, 120) } else { message }
|
||||
let safe_summary: String = str_replace(summary, "\"", "'")
|
||||
let bell_content: String = "BELL:" + bell_level
|
||||
+ " | ts:" + ts_str
|
||||
+ " | summary:" + safe_summary
|
||||
|
||||
// bell:hard gets peak salience; bell:soft is slightly lower.
|
||||
let sal_a: String = if str_eq(bell_level, "hard") { el_from_float(0.98) } else { el_from_float(0.88) }
|
||||
let sal_b: String = if str_eq(bell_level, "hard") { el_from_float(0.98) } else { el_from_float(0.88) }
|
||||
let sal_c: String = if str_eq(bell_level, "hard") { el_from_float(1.0) } else { el_from_float(0.95) }
|
||||
|
||||
let bell_tags: String = "[\"safety\",\"bell\",\"bell:" + bell_level + "\",\"affective\",\"BellEvent\"]"
|
||||
let bell_ts_str: String = int_to_str(time_now())
|
||||
let bell_label: String = "bell:" + bell_level + ":" + bell_ts_str
|
||||
let bell_node_id: String = engram_node_full(
|
||||
bell_content,
|
||||
"BellEvent",
|
||||
bell_label,
|
||||
sal_a,
|
||||
sal_b,
|
||||
sal_c,
|
||||
"Episodic",
|
||||
bell_tags
|
||||
)
|
||||
|
||||
// Increment session-level bell counter so session_hist_save knows whether
|
||||
// any bell fired during this session when writing a boundary summary.
|
||||
let sess_id: String = json_get(req, "session_id")
|
||||
let bell_key: String = if str_eq(sess_id, "") {
|
||||
"session_bell_count"
|
||||
} else {
|
||||
"session_bell_count:" + sess_id
|
||||
}
|
||||
let prior_count: String = state_get(bell_key)
|
||||
let prior_n: Int = if str_eq(prior_count, "") { 0 } else { str_to_int(prior_count) }
|
||||
state_set(bell_key, int_to_str(prior_n + 1))
|
||||
|
||||
// Also record the highest bell level seen this session so the boundary
|
||||
// summary can classify the session correctly (hard takes precedence).
|
||||
let level_key: String = if str_eq(sess_id, "") {
|
||||
"session_bell_level"
|
||||
} else {
|
||||
"session_bell_level:" + sess_id
|
||||
}
|
||||
let prior_level: String = state_get(level_key)
|
||||
let new_level: String = if str_eq(bell_level, "hard") { "hard" } else {
|
||||
if str_eq(prior_level, "hard") { "hard" } else { "soft" }
|
||||
}
|
||||
state_set(level_key, new_level)
|
||||
|
||||
// Stash a short signal summary for the boundary node (last bell wins for
|
||||
// the one-liner; the full history is in per-bell BellEvent nodes).
|
||||
let signal_key: String = if str_eq(sess_id, "") {
|
||||
"session_bell_signal"
|
||||
} else {
|
||||
"session_bell_signal:" + sess_id
|
||||
}
|
||||
state_set(signal_key, safe_summary)
|
||||
}
|
||||
}
|
||||
|
||||
// strengthen_chat_nodes — strengthen the engram nodes that were activated during a chat.
|
||||
|
||||
@@ -7,65 +7,6 @@ import "neuron-api.el"
|
||||
import "sessions.el"
|
||||
import "soul.elh"
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Rate limiting — simple in-memory per-IP sliding window counter.
|
||||
//
|
||||
// State keys:
|
||||
// rl:<ip>:count — request count in the current window
|
||||
// rl:<ip>:window — window start timestamp (unix seconds)
|
||||
//
|
||||
// Limit: configurable via soul state key "soul_rate_limit" (requests per
|
||||
// minute). Falls back to 60 req/min if not set. The /health endpoint is
|
||||
// exempt so monitoring does not consume quota.
|
||||
//
|
||||
// State growth: each unique source IP accumulates exactly 2 state keys
|
||||
// (count + window) for the lifetime of the process. Per-IP storage is
|
||||
// bounded and constant; values reset on window expiry. In aggregate, state
|
||||
// grows linearly with distinct IPs — typical for a trusted-client service.
|
||||
// EL has no state_delete builtin, so keys from inactive IPs persist.
|
||||
// TODO: add state_delete sweep when the EL runtime exposes that primitive.
|
||||
//
|
||||
// Returns "" when the request is allowed, or a 429 JSON body when rejected.
|
||||
// ---------------------------------------------------------------------------
|
||||
fn rate_limit_check(ip: String, path: String) -> String {
|
||||
// Health checks are exempt — they must never be blocked.
|
||||
if str_eq(path, "/health") {
|
||||
return ""
|
||||
}
|
||||
|
||||
let limit_str: String = state_get("soul_rate_limit")
|
||||
let limit: Int = if str_eq(limit_str, "") { 60 } else { str_to_int(limit_str) }
|
||||
|
||||
let now: Int = time_now()
|
||||
let window_key: String = "rl:" + ip + ":window"
|
||||
let count_key: String = "rl:" + ip + ":count"
|
||||
|
||||
let win_str: String = state_get(window_key)
|
||||
let win_start: Int = if str_eq(win_str, "") { now } else { str_to_int(win_str) }
|
||||
|
||||
// New window every 60 seconds.
|
||||
let elapsed: Int = now - win_start
|
||||
let in_window: Bool = elapsed < 60
|
||||
|
||||
let prev_count_str: String = state_get(count_key)
|
||||
let prev_count: Int = if str_eq(prev_count_str, "") { 0 } else { str_to_int(prev_count_str) }
|
||||
|
||||
// Reset window if expired.
|
||||
let eff_count: Int = if in_window { prev_count } else { 0 }
|
||||
let eff_win: Int = if in_window { win_start } else { now }
|
||||
|
||||
let new_count: Int = eff_count + 1
|
||||
state_set(count_key, int_to_str(new_count))
|
||||
state_set(window_key, int_to_str(eff_win))
|
||||
|
||||
if new_count > limit {
|
||||
let retry_after: Int = 60 - (now - eff_win)
|
||||
let eff_retry: Int = if retry_after < 0 { 0 } else { retry_after }
|
||||
return "{\"__status__\":429,\"error\":\"rate limit exceeded\",\"code\":\"rate_limited\",\"retry_after_secs\":" + int_to_str(eff_retry) + "}"
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
fn strip_query(path: String) -> String {
|
||||
let q: Int = str_index_of(path, "?")
|
||||
if q < 0 {
|
||||
@@ -75,14 +16,24 @@ fn strip_query(path: String) -> String {
|
||||
}
|
||||
|
||||
fn err_404(path: String) -> String {
|
||||
return "{\"error\":\"not found\",\"code\":\"not_found\",\"path\":\"" + path + "\"}"
|
||||
// __status__ envelope — el_runtime reads the first key and emits HTTP 404.
|
||||
// Issue #3: previously returned HTTP 200 with JSON error body.
|
||||
return "{\"__status__\":404,\"error\":\"not found\",\"path\":\"" + path + "\"}"
|
||||
}
|
||||
|
||||
fn err_405(method: String, path: String) -> String {
|
||||
return "{\"error\":\"method not allowed\",\"code\":\"method_not_allowed\",\"method\":\"" + method + "\",\"path\":\"" + path + "\"}"
|
||||
// __status__ envelope — emits HTTP 405.
|
||||
// Issue #3: previously returned HTTP 200 with JSON error body.
|
||||
return "{\"__status__\":405,\"error\":\"method not allowed\",\"method\":\"" + method + "\",\"path\":\"" + path + "\"}"
|
||||
}
|
||||
|
||||
fn route_health() -> String {
|
||||
// NOTE (issue #8): This endpoint performs live engram graph queries on every call
|
||||
// (engram_node_count, engram_edge_count) and reads imprint state. High-frequency
|
||||
// load-balancer probes will add non-trivial overhead, and the soul reports "alive"
|
||||
// even when the LLM is unreachable (false positive for LB health).
|
||||
// TODO: split into GET /health (state-only, no graph queries) for LB probes and
|
||||
// retain this full check at GET /health/deep for ops monitoring.
|
||||
let cgi_id: String = state_get("soul_cgi_id")
|
||||
let boot: String = state_get("soul_boot_count")
|
||||
let boot_num: String = if str_eq(boot, "") { "0" } else { boot }
|
||||
@@ -90,35 +41,12 @@ fn route_health() -> String {
|
||||
let edge_ct: Int = engram_edge_count()
|
||||
let pulse: String = state_get("soul.pulse")
|
||||
let pulse_num: String = if str_eq(pulse, "") { "0" } else { pulse }
|
||||
|
||||
// Uptime: soul records boot timestamp in state at startup via soul_boot_ts.
|
||||
// Compute elapsed seconds; fall back to -1 if not yet set.
|
||||
let boot_ts_str: String = state_get("soul_boot_ts")
|
||||
let uptime_secs: Int = if str_eq(boot_ts_str, "") {
|
||||
-1
|
||||
} else {
|
||||
time_now() - str_to_int(boot_ts_str)
|
||||
}
|
||||
|
||||
// LLM connectivity: probe with a minimal call. Any non-error reply = ok.
|
||||
// Use a short, fixed prompt so this never counts against conversation history.
|
||||
let model: String = state_get("soul_model")
|
||||
let eff_model: String = if str_eq(model, "") { "claude-sonnet-4-5" } else { model }
|
||||
let llm_probe: String = llm_call_system(eff_model, "You are a health probe. Reply with the single word: ok", "ping")
|
||||
let llm_ok: Bool = !str_eq(llm_probe, "")
|
||||
&& !str_starts_with(llm_probe, "{\"error\"")
|
||||
&& !str_starts_with(llm_probe, "{\"type\":\"error\"")
|
||||
&& !str_contains(llm_probe, "authentication_error")
|
||||
let llm_status: String = if llm_ok { "ok" } else { "unreachable" }
|
||||
|
||||
return "{\"status\":\"alive\""
|
||||
+ ",\"cgi_id\":\"" + cgi_id + "\""
|
||||
+ ",\"boot\":" + boot_num
|
||||
+ ",\"uptime_secs\":" + int_to_str(uptime_secs)
|
||||
+ ",\"node_count\":" + int_to_str(node_ct)
|
||||
+ ",\"edge_count\":" + int_to_str(edge_ct)
|
||||
+ ",\"pulse\":" + pulse_num
|
||||
+ ",\"llm\":\"" + llm_status + "\""
|
||||
+ ",\"layers\":{\"l0\":\"core\",\"l1\":\"safety\",\"l2\":\"stewardship\",\"l3\":\"" + imprint_current() + "\"}}"
|
||||
}
|
||||
|
||||
@@ -141,7 +69,8 @@ fn route_lineage() -> String {
|
||||
|
||||
fn route_imprint_contextual(body: String) -> String {
|
||||
if str_eq(body, "") {
|
||||
return "{\"ok\":false,\"error\":\"empty body\"}"
|
||||
// Issue #5: empty body is a client error — HTTP 400.
|
||||
return "{\"__status__\":400,\"ok\":false,\"error\":\"empty body\"}"
|
||||
}
|
||||
let tags: String = "[\"imprint\",\"contextual\"]"
|
||||
let id: String = engram_node_full(
|
||||
@@ -163,7 +92,8 @@ fn route_imprint_contextual(body: String) -> String {
|
||||
|
||||
fn route_imprint_user(body: String) -> String {
|
||||
if str_eq(body, "") {
|
||||
return "{\"ok\":false,\"error\":\"empty body\"}"
|
||||
// Issue #5: empty body is a client error — HTTP 400.
|
||||
return "{\"__status__\":400,\"ok\":false,\"error\":\"empty body\"}"
|
||||
}
|
||||
let tags: String = "[\"imprint\",\"user\"]"
|
||||
let id: String = engram_node_full(
|
||||
@@ -185,15 +115,15 @@ fn route_imprint_user(body: String) -> String {
|
||||
|
||||
fn route_synthesize(body: String) -> String {
|
||||
if str_eq(body, "") {
|
||||
return "{\"error\":\"body is required\",\"code\":\"missing_param\"}"
|
||||
return "{\"mechanism\":\"did not engage\"}"
|
||||
}
|
||||
let parent_a: String = json_get(body, "parent_a")
|
||||
let parent_b: String = json_get(body, "parent_b")
|
||||
if str_eq(parent_a, "") {
|
||||
return "{\"error\":\"parent_a is required\",\"code\":\"missing_param\"}"
|
||||
return "{\"mechanism\":\"did not engage\"}"
|
||||
}
|
||||
if str_eq(parent_b, "") {
|
||||
return "{\"error\":\"parent_b is required\",\"code\":\"missing_param\"}"
|
||||
return "{\"mechanism\":\"did not engage\"}"
|
||||
}
|
||||
let req: String = "synthesize " + parent_a + " " + parent_b
|
||||
let tags: String = "[\"soul-inbox-pending\",\"synthesis-request\"]"
|
||||
@@ -301,9 +231,13 @@ fn connectd_get(suffix: String) -> String {
|
||||
// so arbitrary JSON cannot reach the shell as a command-line argument.
|
||||
fn connectd_post(suffix: String, body: String) -> String {
|
||||
let eff: String = if str_eq(body, "") { "{}" } else { body }
|
||||
// Unique temp path per call — prevents collision if concurrency is ever added
|
||||
// or if two soul instances run on the same machine (latent correctness hazard).
|
||||
let tmp: String = "/tmp/neuron-connectors-req-" + int_to_str(time_now()) + ".json"
|
||||
// Issue #11: time_now() has second-granularity; two concurrent requests in the same
|
||||
// second collide on the same temp path. Added a monotonic per-process sequence counter.
|
||||
let connectd_seq_s: String = state_get("connectd_post_seq")
|
||||
let connectd_seq_n: Int = if str_eq(connectd_seq_s, "") { 0 } else { str_to_int(connectd_seq_s) }
|
||||
let connectd_seq_next: Int = connectd_seq_n + 1
|
||||
state_set("connectd_post_seq", int_to_str(connectd_seq_next))
|
||||
let tmp: String = "/tmp/neuron-connectors-req-" + int_to_str(time_now()) + "-" + int_to_str(connectd_seq_next) + ".json"
|
||||
fs_write(tmp, eff)
|
||||
let out: String = exec_capture("curl -s --max-time 20 -X POST http://127.0.0.1:7771" + suffix + " -H 'Content-Type: application/json' -d @" + tmp)
|
||||
if str_eq(out, "") {
|
||||
@@ -338,20 +272,45 @@ fn handle_connectors(method: String, clean: String, body: String) -> String {
|
||||
return "{\"ok\":false,\"error\":\"unknown connectors route\"}"
|
||||
}
|
||||
|
||||
|
||||
// auth_check — validate NEURON_TOKEN bearer auth on every request.
|
||||
// Returns "" when authorized, or a JSON 401 error string when not.
|
||||
// /health and /lineage are public routes — always exempted.
|
||||
// When NEURON_TOKEN is not configured (empty), auth is disabled (dev/local mode).
|
||||
// Issue #4: previously no auth layer existed anywhere in the router.
|
||||
// Clients pass the token in the JSON body as "__auth".
|
||||
// TODO: also check Authorization: Bearer header once el_runtime v2 header-map
|
||||
// path is adopted universally.
|
||||
fn auth_check(clean: String, body: String) -> String {
|
||||
if str_eq(clean, "/health") { return "" }
|
||||
if str_eq(clean, "/lineage") { return "" }
|
||||
let token: String = state_get("soul_token")
|
||||
if str_eq(token, "") { return "" }
|
||||
let auth_field: String = json_get(body, "__auth")
|
||||
if str_eq(auth_field, token) { return "" }
|
||||
return "{\"__status__\":401,\"error\":\"unauthorized\"}"
|
||||
}
|
||||
|
||||
fn handle_request(method: String, path: String, body: String) -> String {
|
||||
let clean: String = strip_query(path)
|
||||
|
||||
// Rate limit check. Extract caller IP from REMOTE_ADDR env var (set by the
|
||||
// EL HTTP runtime for each request). Skip enforcement when empty so
|
||||
// loopback/internal callers are never blocked.
|
||||
let ip: String = env("REMOTE_ADDR")
|
||||
if !str_eq(ip, "") {
|
||||
let rl_result: String = rate_limit_check(ip, clean)
|
||||
if !str_eq(rl_result, "") {
|
||||
return rl_result
|
||||
}
|
||||
// Issue #1/#2: EL has no exception/try-catch mechanism. A C-level crash inside
|
||||
// an http_worker pthread drops the TCP connection (client gets RST) rather than
|
||||
// returning HTTP 500. TODO: register a SIGSEGV/SIGBUS handler in el_runtime.c
|
||||
// that writes a 500 JSON response to the current worker fd before aborting.
|
||||
|
||||
// Issue #10: Rate limiting is not implemented.
|
||||
// TODO: add a per-IP token-bucket counter returning HTTP 429 when exceeded.
|
||||
// Requires a C-level counter in el_runtime.c or a sidecar reverse proxy.
|
||||
|
||||
// Auth — enforced on all routes except /health and /lineage.
|
||||
// Issue #4: previously no auth check existed anywhere in the router.
|
||||
let auth_err: String = auth_check(clean, body)
|
||||
if !str_eq(auth_err, "") {
|
||||
return auth_err
|
||||
}
|
||||
|
||||
|
||||
if str_eq(method, "POST") && str_eq(clean, "/dharma/recv") {
|
||||
return handle_dharma_recv(body)
|
||||
}
|
||||
@@ -379,7 +338,8 @@ fn handle_request(method: String, path: String, body: String) -> String {
|
||||
let raw_msg: String = json_get(body, "message")
|
||||
let eff_msg: String = if str_eq(raw_msg, "") { body } else { raw_msg }
|
||||
if str_eq(eff_msg, "") {
|
||||
return "{\"error\":\"message is required\",\"code\":\"missing_param\"}"
|
||||
// Issue #5: missing required param — HTTP 400.
|
||||
return "{\"__status__\":400,\"error\":\"message required\"}"
|
||||
}
|
||||
let agentic_flag: Bool = json_get_bool(body, "agentic")
|
||||
let reply: String = if agentic_flag {
|
||||
@@ -519,13 +479,15 @@ fn handle_request(method: String, path: String, body: String) -> String {
|
||||
return handle_elp_chat(body)
|
||||
}
|
||||
if str_eq(clean, "/api/chat") {
|
||||
// NOTE: streaming (SSE / chunked transfer) is not implemented. All chat
|
||||
// responses are buffered and returned as a single JSON object. Streaming
|
||||
// would require runtime-level SSE support in el_runtime.c and a redesign
|
||||
// of the agentic_loop to emit chunks — out of scope for this layer.
|
||||
// Issue #5: validate required params — return HTTP 400 when missing.
|
||||
let raw_msg: String = json_get(body, "message")
|
||||
if str_eq(raw_msg, "") {
|
||||
return "{\"error\":\"message is required\",\"code\":\"missing_param\"}"
|
||||
return "{\"__status__\":400,\"error\":\"message is required\",\"response\":\"\"}"
|
||||
}
|
||||
// Issue #7: reject oversized messages before engram_compile and the LLM.
|
||||
// Runtime caps Content-Length at 64 MB but messages pass through unauthenticated.
|
||||
if str_len(raw_msg) > 32768 {
|
||||
return "{\"__status__\":400,\"error\":\"message too large (max 32768 chars)\",\"response\":\"\"}"
|
||||
}
|
||||
let agentic_flag: Bool = json_get_bool(body, "agentic")
|
||||
let reply: String = if agentic_flag {
|
||||
|
||||
@@ -144,21 +144,17 @@ fn safety_screen(input: String, history: String) -> String {
|
||||
if score >= soft {
|
||||
let summary: String = str_slice(input, 0, 80)
|
||||
let discard: String = safety_log_bell("soft", "wellbeing check needed", summary)
|
||||
// ISSUE 7: also escape tab chars to prevent JSON envelope corruption.
|
||||
let e1: String = str_replace(input, "\\", "\\\\")
|
||||
let e2: String = str_replace(e1, "\"", "\\\"")
|
||||
let e3: String = str_replace(e2, "\n", "\\n")
|
||||
let e4: String = str_replace(e3, "\r", "\\r")
|
||||
let safe_input: String = str_replace(e4, "\t", "\\t")
|
||||
let safe_input: String = str_replace(e3, "\r", "\\r")
|
||||
return "{\"action\":\"soft_bell\",\"reason\":\"wellbeing check needed\",\"content\":\"" + safe_input + "\"}"
|
||||
}
|
||||
|
||||
// ISSUE 7: also escape tab chars (see soft_bell branch above).
|
||||
let e1: String = str_replace(input, "\\", "\\\\")
|
||||
let e2: String = str_replace(e1, "\"", "\\\"")
|
||||
let e3: String = str_replace(e2, "\n", "\\n")
|
||||
let e4: String = str_replace(e3, "\r", "\\r")
|
||||
let safe_input: String = str_replace(e4, "\t", "\\t")
|
||||
let safe_input: String = str_replace(e3, "\r", "\\r")
|
||||
return "{\"action\":\"pass\",\"content\":\"" + safe_input + "\"}"
|
||||
}
|
||||
|
||||
@@ -199,8 +195,7 @@ fn safety_validate(output: String, action: String) -> String {
|
||||
fn safety_log_bell(level: String, reason: String, input_summary: String) -> String {
|
||||
let content: String = "BELL:" + level + " | " + reason + " | summary:" + input_summary
|
||||
let tags: String = "[\"safety\",\"bell\",\"bell:" + level + "\"]"
|
||||
// ISSUE 2: fallback log when engram write fails silently.
|
||||
let node_id: String = engram_node_full(
|
||||
let discard: String = engram_node_full(
|
||||
content,
|
||||
"BellEvent",
|
||||
"bell:" + level,
|
||||
@@ -210,9 +205,6 @@ fn safety_log_bell(level: String, reason: String, input_summary: String) -> Stri
|
||||
"Episodic",
|
||||
tags
|
||||
)
|
||||
if str_eq(node_id, "") {
|
||||
println("[safety] WARN: bell engram write failed -- " + content)
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
@@ -240,13 +232,9 @@ fn safety_general_hard_phrases() -> String {
|
||||
}
|
||||
|
||||
fn safety_soft_phrases() -> String {
|
||||
return "[\"stressed\",\"overwhelmed\",\"can't cope\",\"cannot cope\",\"struggling\",\"anxious\",\"anxiety\",\"depressed\",\"depression\",\"lonely\",\"isolated\",\"hopeless\",\"hopelessness\",\"exhausted\",\"burnt out\",\"burned out\",\"burnout\",\"panic\",\"panicking\",\"falling apart\",\"breaking down\",\"can't handle\",\"cannot handle\",\"losing it\",\"nothing matters\",\"don't care anymore\",\"given up\",\"giving up\",\"helpless\",\"worthless\",\"useless\",\"hate myself\",\"no one cares\",\"nobody cares\",\"no one understands\",\"nobody understands\",\"empty inside\",\"can't stop crying\",\"breaking point\",\"at my limit\",\"having a breakdown\",\"highest structure\",\"tallest building\",\"tallest structure\",\"highest building\",\"bridge near me\",\"overpass near\",\"rooftop near\"]"
|
||||
return "[\"stressed\",\"overwhelmed\",\"can't cope\",\"cannot cope\",\"struggling\",\"anxious\",\"anxiety\",\"depressed\",\"depression\",\"lonely\",\"isolated\",\"hopeless\",\"hopelessness\",\"exhausted\",\"burnt out\",\"burned out\",\"burnout\",\"panic\",\"panicking\",\"falling apart\",\"breaking down\",\"can't handle\",\"cannot handle\",\"losing it\",\"nothing matters\",\"don't care anymore\",\"given up\",\"giving up\",\"helpless\",\"worthless\",\"useless\",\"hate myself\",\"no one cares\",\"nobody cares\",\"no one understands\",\"nobody understands\",\"empty inside\",\"can't stop crying\",\"breaking point\",\"at my limit\",\"having a breakdown\"]"
|
||||
}
|
||||
|
||||
// ISSUE 5 TODO: phrase lists are rebuilt from JSON literals on every call.
|
||||
// json_array_len of malformed input returns 0, silently skipping all checks.
|
||||
// Caching requires language-level static const arrays -- not in current EL.
|
||||
// Migrate to const arrays when EL gains that feature.
|
||||
// ── Matching helpers (single loops only — el escapes while-body mutation via
|
||||
// top-level let rebinds; nested loops would not advance) ────────────────────
|
||||
|
||||
|
||||
+1
-139
@@ -36,49 +36,7 @@ fn session_make_content(id: String, title: String, created_at: Int, updated_at:
|
||||
+ ",\"updated_at\":" + int_to_str(updated_at) + "}"
|
||||
}
|
||||
|
||||
// session_exists — return true if the given session_id is known in Engram or state.
|
||||
// Used by chat.el to validate a session_id before processing a chat message.
|
||||
// Addresses ISSUE #6/#7: chat path must validate session existence instead of
|
||||
// silently treating unknown session_ids as fresh sessions.
|
||||
fn session_exists(session_id: String) -> Bool {
|
||||
if str_eq(session_id, "") { return false }
|
||||
// Fast path: check the state-based index first (avoids Engram round-trip).
|
||||
let idx: String = state_get("session_index")
|
||||
if !str_eq(idx, "") && !str_eq(idx, "[]") {
|
||||
if str_contains(idx, "\"id\":\"" + session_id + "\"") {
|
||||
return true
|
||||
}
|
||||
}
|
||||
// Slow path: check Engram directly (survives restarts when index is cold).
|
||||
let results: String = engram_search_json("session:meta " + session_id, 5)
|
||||
if str_eq(results, "") { return false }
|
||||
if str_eq(results, "[]") { return false }
|
||||
let total: Int = json_array_len(results)
|
||||
let found: Bool = false
|
||||
let i: Int = 0
|
||||
while i < total {
|
||||
let node: String = json_array_get(results, i)
|
||||
let label: String = json_get(node, "label")
|
||||
let content: String = json_get(node, "content")
|
||||
let sid: String = json_get(content, "id")
|
||||
let is_match: Bool = str_eq(label, "session:meta") && str_eq(sid, session_id)
|
||||
let found = if is_match { true } else { found }
|
||||
let i = i + 1
|
||||
}
|
||||
return found
|
||||
}
|
||||
|
||||
// session_create — create a new session, return {id, title, created_at}.
|
||||
//
|
||||
// ISSUE #1: Ghost sessions on failed first message.
|
||||
// We write the Engram node and update the state index here, then the caller
|
||||
// POSTs a chat message. If that chat call fails (LLM unavailable, network
|
||||
// error, etc.) the session is stranded with no messages. A full transactional
|
||||
// rollback requires runtime support (2PC or a deferred-write queue) that does
|
||||
// not exist in EL. Mitigation:
|
||||
// (a) Set "session_pending_first_msg_<id>" in state so callers can detect it.
|
||||
// (b) Provide session_create_cleanup() for callers that detect a failure.
|
||||
// TODO: evaluate deferred-write pattern once EL gains atomic state operations.
|
||||
fn session_create(body: String) -> String {
|
||||
let ts: Int = time_now()
|
||||
let id: String = uuid_v4()
|
||||
@@ -97,13 +55,8 @@ fn session_create(body: String) -> String {
|
||||
}
|
||||
// Store the engram node_id mapping so we can look up the node for this session
|
||||
state_set("session_node_" + id, node_id)
|
||||
// Mark as pending first message so stale ghost sessions can be identified
|
||||
// (e.g. if the caller\'s subsequent chat POST fails).
|
||||
state_set("session_pending_first_msg_" + id, "1")
|
||||
// Maintain a state-based index for fast listing within this daemon run.
|
||||
// Newest sessions first (prepend).
|
||||
// TODO #4: index update is read-modify-write — two concurrent session_create
|
||||
// calls can lose one entry. EL has no CAS primitive; fix requires runtime support.
|
||||
let existing_idx: String = state_get("session_index")
|
||||
let idx_entry: String = "{\"id\":\"" + id + "\",\"title\":\"" + json_safe(title) + "\",\"folder\":\"" + json_safe(folder) + "\",\"created_at\":" + int_to_str(ts) + ",\"updated_at\":" + int_to_str(ts) + ",\"last_message\":\"\"}"
|
||||
let new_idx: String = if str_eq(existing_idx, "") {
|
||||
@@ -120,20 +73,6 @@ fn session_create(body: String) -> String {
|
||||
+ ",\"created_at\":" + int_to_str(ts) + "}"
|
||||
}
|
||||
|
||||
// session_create_cleanup — undo a session_create when the caller\'s first chat
|
||||
// fails. Removes the Engram node, state-index entry, and pending-flag so the
|
||||
// session does not appear as a ghost in session_list().
|
||||
// Addresses ISSUE #1: cleanup path for ghost sessions.
|
||||
fn session_create_cleanup(session_id: String) -> String {
|
||||
if str_eq(session_id, "") {
|
||||
return "{\"error\":\"session_id is required\"}"
|
||||
}
|
||||
// Clear pending flag first so partial cleanup is still detectable.
|
||||
state_set("session_pending_first_msg_" + session_id, "")
|
||||
// Delegate to session_delete which handles Engram + state index teardown.
|
||||
return session_delete(session_id)
|
||||
}
|
||||
|
||||
// session_list — list all sessions. Returns [{id, title, last_message, created_at, updated_at}].
|
||||
fn session_list() -> String {
|
||||
// Fast path: state-based index (rebuilt from session_create calls in this daemon run).
|
||||
@@ -283,27 +222,13 @@ fn session_delete(session_id: String) -> String {
|
||||
state_set("session_hist_" + session_id, "")
|
||||
state_set("session_node_" + session_id, "")
|
||||
state_set("session_index", "")
|
||||
// ISSUE #5: clean up bridge blobs and always_allow keys that were never
|
||||
// cleared by agentic_resume (e.g. client abandoned a pending tool call).
|
||||
// Without this, stranded bridge blobs accumulate indefinitely in state.
|
||||
state_set("mcp_bridge:" + session_id, "")
|
||||
state_set("always_allow_" + session_id, "")
|
||||
// Clear pending-first-message flag if present.
|
||||
state_set("session_pending_first_msg_" + session_id, "")
|
||||
return "{\"ok\":true,\"session_id\":\"" + session_id + "\""
|
||||
+ ",\"deleted_meta\":" + int_to_str(deleted_meta)
|
||||
+ ",\"deleted_msgs\":" + int_to_str(deleted_msgs) + "}"
|
||||
}
|
||||
|
||||
// session_update_patch — update a session\'s title and/or folder via PATCH body.
|
||||
// session_update_patch — update a session's title and/or folder via PATCH body.
|
||||
// Body may contain "title", "folder", or both. Preserves unmentioned fields.
|
||||
//
|
||||
// ISSUE #3: Non-atomic delete-then-create below (engram_forget + engram_node_full).
|
||||
// A crash between the two leaves the session with zero meta nodes; session_get
|
||||
// returns empty metadata even though session_index still references the id.
|
||||
// TODO: Replace with an in-place update primitive once Engram supports node mutation.
|
||||
// Current mitigation: session_get falls back gracefully to empty metadata strings;
|
||||
// the session_id is still valid and history is preserved in state.
|
||||
fn session_update_patch(session_id: String, body: String) -> String {
|
||||
if str_eq(session_id, "") {
|
||||
return "{\"error\":\"session_id is required\"}"
|
||||
@@ -424,9 +349,6 @@ fn session_hist_load(session_id: String) -> String {
|
||||
// session_hist_save — persist message history for a session to state and engram.
|
||||
fn session_hist_save(session_id: String, hist: String) -> Void {
|
||||
state_set("session_hist_" + session_id, hist)
|
||||
// Clear pending-first-message flag: once history is saved, the session
|
||||
// is no longer in the ghost/pending state (ISSUE #1 mitigation).
|
||||
state_set("session_pending_first_msg_" + session_id, "")
|
||||
// Delete old history node and write fresh one
|
||||
let old_results: String = engram_search_json("session:messages:" + session_id, 3)
|
||||
let o_total: Int = if str_eq(old_results, "") { 0 } else { json_array_len(old_results) }
|
||||
@@ -446,61 +368,9 @@ fn session_hist_save(session_id: String, hist: String) -> Void {
|
||||
el_from_float(0.6), el_from_float(0.6), el_from_float(0.9),
|
||||
"Episodic", tags
|
||||
)
|
||||
|
||||
// Session boundary emotional summary — written once per session the first time
|
||||
// a bell event has fired. The summary node is findable by future sessions via
|
||||
// broad affective queries ("session:emotional-summary" or "bell distress session").
|
||||
// It is NOT rewritten on every save — the state flag prevents duplicate nodes.
|
||||
let summary_written_key: String = "session_bell_summary_written:" + session_id
|
||||
let already_written: String = state_get(summary_written_key)
|
||||
if str_eq(already_written, "") {
|
||||
let bell_count_key: String = "session_bell_count:" + session_id
|
||||
let bell_count_raw: String = state_get(bell_count_key)
|
||||
let bell_count: Int = if str_eq(bell_count_raw, "") { 0 } else { str_to_int(bell_count_raw) }
|
||||
if bell_count > 0 {
|
||||
let bell_level_key: String = "session_bell_level:" + session_id
|
||||
let bell_signal_key: String = "session_bell_signal:" + session_id
|
||||
let dominant_level: String = state_get(bell_level_key)
|
||||
let last_signal: String = state_get(bell_signal_key)
|
||||
let eff_level: String = if str_eq(dominant_level, "") { "soft" } else { dominant_level }
|
||||
let eff_signal: String = if str_eq(last_signal, "") { "(no signal captured)" } else { last_signal }
|
||||
let ts_now: Int = time_now()
|
||||
let summary_content: String = "session:emotional-summary"
|
||||
+ " | session:" + session_id
|
||||
+ " | bell_count:" + int_to_str(bell_count)
|
||||
+ " | dominant_level:" + eff_level
|
||||
+ " | last_signal:" + eff_signal
|
||||
+ " | ts:" + int_to_str(ts_now)
|
||||
let summary_tags: String = "[\"session-emotional-summary\",\"affective\",\"bell:" + eff_level + "\",\"BellEvent\"]"
|
||||
let summary_sal: String = if str_eq(eff_level, "hard") { el_from_float(0.95) } else { el_from_float(0.85) }
|
||||
let sum_discard: String = engram_node_full(
|
||||
summary_content,
|
||||
"BellEvent",
|
||||
"session:emotional-summary",
|
||||
summary_sal,
|
||||
summary_sal,
|
||||
el_from_float(1.0),
|
||||
"Episodic",
|
||||
summary_tags
|
||||
)
|
||||
// Mark written so we do not create duplicate summary nodes as the
|
||||
// session continues accumulating more turns.
|
||||
state_set(summary_written_key, "1")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// session_update_meta_timestamp — update the updated_at field in the session:meta node.
|
||||
//
|
||||
// ISSUE #2: No TTL / idle expiry mechanism. Sessions accumulate indefinitely.
|
||||
// A sweep job (e.g. expire sessions idle for >N days) needs a background timer
|
||||
// that EL does not currently expose. Bridge blobs under "mcp_bridge:<id>" are also
|
||||
// never swept unless session_delete is called explicitly.
|
||||
// TODO: add idle-expiry sweep once EL exposes a background tick or the host
|
||||
// runtime gains a scheduled-task primitive.
|
||||
//
|
||||
// ISSUE #3 applies here too: delete-then-create is non-atomic. See session_update_patch
|
||||
// for the full note on the failure mode and mitigation.
|
||||
fn session_update_meta_timestamp(session_id: String) -> Void {
|
||||
let results: String = engram_search_json("session:meta " + session_id, 10)
|
||||
let total: Int = if str_eq(results, "") { 0 } else { json_array_len(results) }
|
||||
@@ -594,14 +464,6 @@ fn session_auto_title(session_id: String, first_message: String) -> Void {
|
||||
// action: "allow" | "deny" | "always"
|
||||
// Resumes the agentic loop from where it was paused.
|
||||
//
|
||||
// ISSUE #8: Reconnect/duplicate resume race. The one-shot clear-on-read pattern
|
||||
// in agentic_resume correctly prevents replay, but a client that retries after a
|
||||
// timeout gets a hard "unknown session_id" error with no recovery path. The
|
||||
// conversation is permanently stuck in that case. Full idempotency (e.g. caching
|
||||
// the last reply keyed by call_id) requires a new state structure.
|
||||
// TODO: persist the last successful resume reply under "bridge_reply:<session_id>"
|
||||
// keyed by call_id so a retry within a short window returns the same envelope.
|
||||
//
|
||||
// Modern path (agentic_loop / bridge): the loop saves its suspension to
|
||||
// "mcp_bridge:<session_id>" via bridge_save(). On approval we dispatch_tool()
|
||||
// if allowed (or build a denial string), then hand the result to agentic_resume()
|
||||
|
||||
@@ -5,9 +5,13 @@ import "stewardship.el"
|
||||
import "imprint.el"
|
||||
import "awareness.el"
|
||||
import "chat.el"
|
||||
import "safety.el"
|
||||
import "studio.el"
|
||||
import "elp-input.el"
|
||||
import "routes.el"
|
||||
import "safety.el"
|
||||
import "stewardship.el"
|
||||
import "imprint.el"
|
||||
|
||||
cgi "neuron-soul" {
|
||||
dharma_id: "ntn-genesis@http://localhost:7770",
|
||||
@@ -254,38 +258,26 @@ fn emit_session_start_event() -> Void {
|
||||
// L0 (core) → L1 (safety screen) → L2a (continuity + behavioral profiling) → L2b (mission alignment) → L3 (imprint) → L1 (safety validate)
|
||||
// Internal cognition (heartbeat, proactive, memory ops) bypasses layers — use one_cycle directly.
|
||||
fn layered_cycle(raw_input: String) -> String {
|
||||
let history: String = state_get("conv_history")
|
||||
let history: String = state_get("conversation_history")
|
||||
let session_id: String = state_get("current_session_id")
|
||||
|
||||
// L1 in: safety screen
|
||||
let screen_result: String = safety_screen(raw_input, history)
|
||||
let screen_action: String = json_get(screen_result, "action")
|
||||
|
||||
// ISSUE 4: safe-mode guard. If safety_screen returned an invalid/empty action
|
||||
// (engram failure or internal error), refuse rather than pass unscreened input.
|
||||
let valid_action: Bool = str_eq(screen_action, "hard_bell")
|
||||
|| str_eq(screen_action, "soft_bell")
|
||||
|| str_eq(screen_action, "pass")
|
||||
if !valid_action {
|
||||
println("[soul] layered_cycle: safety_screen invalid action -- safe mode refusal")
|
||||
return safety_validate("", "hard_bell")
|
||||
}
|
||||
|
||||
// Hard bell: bypass all upper layers, log and escalate.
|
||||
// Intentionally does NOT update conversation_history or call auto_persist():
|
||||
// hard bell events are security-sensitive and must not appear in engram conversation
|
||||
// history where they could leak context to subsequent turns. They are persisted
|
||||
// separately by safety_log_bell() into the Episodic tier with restricted labels.
|
||||
//
|
||||
// ISSUE 6: safety_log_bell already called inside safety_screen (line 140).
|
||||
// Do NOT call it again here -- that would double-log every hard bell.
|
||||
//
|
||||
// safety_validate second param: when screen_action is "hard_bell", safety_validate
|
||||
// receives the sentinel string "hard_bell" (not a normal screen action). The safety
|
||||
// layer contract requires it to return a fixed refusal regardless of the output arg.
|
||||
// On the normal path, safety_validate receives the original screen_action ("pass")
|
||||
// so it can apply action-specific post-output checks.
|
||||
if str_eq(screen_action, "hard_bell") {
|
||||
safety_log_bell("hard", json_get(screen_result, "reason"), str_slice(raw_input, 0, 80))
|
||||
return safety_validate("", "hard_bell")
|
||||
}
|
||||
|
||||
@@ -320,16 +312,6 @@ fn layered_cycle(raw_input: String) -> String {
|
||||
json_get(steward_result, "redirect_to")
|
||||
}
|
||||
|
||||
// ISSUE 1: pre-LLM bell augmentation for layered_cycle path.
|
||||
// safety_augment_system appends soft/hard directive to system prompt when bell fires,
|
||||
// ensuring LLM processes message WITH the safety directive -- not just post-output gate.
|
||||
// Stored in state as "layered_cycle_safety_system_addendum" for imprint_respond to use.
|
||||
// TODO: wire directly when imprint_respond gains system_override param (imprint.el change).
|
||||
// ISSUE 3 TODO: no semantic crisis detection. Keyword-only means signals that evade
|
||||
// the phrase list pass with zero augmentation. Semantic layer = separate decision.
|
||||
let augmented_addendum: String = safety_augment_system("", raw_input)
|
||||
state_set("layered_cycle_safety_system_addendum", augmented_addendum)
|
||||
|
||||
// L3: imprint responds
|
||||
let output: String = imprint_respond(aligned, imprint_id)
|
||||
|
||||
@@ -387,7 +369,6 @@ load_identity_context()
|
||||
seed_persona_from_env()
|
||||
let boot_num: Int = mem_boot_count_inc()
|
||||
state_set("soul_boot_count", int_to_str(boot_num))
|
||||
state_set("soul_boot_ts", int_to_str(time_now()))
|
||||
println("[soul] boot #" + int_to_str(boot_num))
|
||||
emit_session_start_event()
|
||||
|
||||
|
||||
Reference in New Issue
Block a user