BUG-8 — engine-side agent consent tiers + run_command workspace fence (needs soul.c regen) #73
Reference in New Issue
Block a user
Delete Branch "feat/agent-phase1-soul"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
BUG-8 — move agent consent + command sandbox from the app into the ENGINE
2 commits ahead of
main, clean base. This is the one item that needs your engine review + adist/soul.cregen at merge — the rest of the agent work is app-side.Why this is engine work, not app work
Enforcement that lives in the app can be bypassed the moment anything else talks to the soul. Moving the consent tiers + the
run_commandfence intochat.elmakes them true for every caller. Per VBD this is Engine work (the volatile risk-rules) behind the stable chat route.What's in it (2 commits)
92f5188compat refactor (zero behavior change) — hoist the affective block, de-shadowsession_preloadso the localelctoolchain compiles the file. Pure refactor; called out separately so the BUG-8 diff reads clean.01446e6BUG-8 — server-side risk tiers +run_commandworkspace fence. Risk tiers (read / reversible / escalate) enforced inchat.el: escalate never auto-runs and always-allow cannot bypass it. A realrun_commandfence refuses../~/$()/ absolute-path escapes / no-workspace, on both the auto-run and post-consent paths.web_getrestricted to http(s).Verification (adversarial)
8/8 attack attempts refused in an isolated container with the app gate taken OUT of the loop — escapes blocked even after explicit approval, because the fence sits downstream of consent. Compiled proof binary:
neuron-container-build/soul-ws2-verified.c.What I need from you
chat.eldiff (memo:docs/specs/BUG-8-engine-consent-fence-for-will.md).dist/soul.cfrom HEAD at merge (macOSelb) — the shippedsoul.cis stale vs source, so the fence only reaches users after a regen. This same regen also clears the onboarding safety-save 404 (launch blocker B1) and the backlog round-trip.el_runtime.crun_command— beyond what.elcan enforce.Safety
Hard Bell, L1, identity, memory model — untouched. This only tightens consent (the fence is downstream of approval); it never weakens the value line.
🤖 Generated with Claude Code
The model already narrates its intent in a text block before every tool call; agentic_loop DISCARDED that prose on tool rounds. Now: (1) each loop round appends {i, t: narration, tool} to state key run_progress_<sid>, reset at run start, closed with {done:true}; (2) new GET /api/run-progress/<sid> returns the ledger so clients poll live step updates during a run (the Cowork pattern, no streaming needed); (3) tool_pending envelope gains a narration field; (4) handle_config display default aligned to the intended product default (claude-sonnet-4-5 silently became fresh-profile pickers' default). Compiled proof for the running test bed: neuron-container-build/soul-narrated-runs-20260713.patch (applies on top of soul-webfix-20260711.patch); E2E-verified live: ledger filled DURING an agentic run (narration + tool per round), safety-contact and workspace scoping intact. Evidence for why: Tim's 2026-07-13 research run — 9 minutes of silence, then a timeout banner, zero step visibility (compounded by the Haiku 4.5 incident 14:44-15:24 UTC same morning). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>Reviewed: consent-tier enforcement + run_command workspace fence strengthen (never weaken) the safety posture; escalate tier cannot be bypassed by always-allow; web_get gains an http(s) scheme guard. chat.el bulk is a verbatim function-hoist of the affective block plus shadowing renames. No persistence/engram semantics touched. CI green on head
aa67f86(run 3193 / Jul 13). NOTE: no dist/soul.c regen in this PR — dist is stale for these changes and needs a regen before next deploy.