Commit graph

1440 commits

Author SHA1 Message Date
Shay
022154ff71 Neutralize tool authority demo package wording 2026-06-11 09:19:19 -07:00
Shay
26a5e9721f Neutralize tool authority demo public wording 2026-06-11 09:18:50 -07:00
Shay
5de774ea63 Harden tool authority demo output clearing 2026-06-11 09:17:55 -07:00
Shay
1f41935f5f fix(demo): refuse normalized note path traversal 2026-06-11 08:18:00 -07:00
Shay
a3d945ed93 chore(demo): drop generated tool-authority outputs 2026-06-11 08:07:50 -07:00
Shay
8fe63c4032 feat(demo): add Claude-to-CORE tool authority demo 2026-06-11 08:07:07 -07:00
Shay
dda4cddfda docs(planning): expand authority substrate outreach plan and checklists with full content 2026-06-11 06:20:41 -07:00
Shay
518e9ebd1c docs(planning): add xAI Tesla embodied authority checklist 2026-06-11 05:44:04 -07:00
Shay
61d1467592 docs(planning): add Anthropic authority substrate checklist 2026-06-11 05:40:46 -07:00
Shay
a78e67a0be docs(planning): expand authority substrate outreach plan 2026-06-11 05:37:22 -07:00
Shay
2ccd0d005c docs(planning): add authority substrate outreach plan 2026-06-11 05:33:16 -07:00
Shay
3ba65d5176
Merge pull request #687 from AssetOverflow/feat/hybrid-verification-demo
feat(demo): add Claude-to-CORE hybrid verification demo
2026-06-10 21:10:54 -07:00
Shay
57a0e38f0b feat(demo): add Claude-to-CORE hybrid verification demo
A narrow, auditable proof path for the hybrid-mode boundary: a
Claude/Fable-style System 1 proposer submits an MCP-shaped tool call
(core.semantic_derivation.verify); CORE re-derives via the ADR-0184
derivation lane, keeps sole acceptance authority, refuses or asks when
it cannot honestly answer, and emits a deterministic replay/provenance
trace for every decision.

Boundary properties (each pinned by a failing-if-removed test):
- the proposer has no commit path: additionalProperties:false schema,
  and the demo modules import nothing from generate.* (AST-scanned with
  a planted-bypass self-test) — the lane is consumed only through the
  ADR-0184 S4b audited trace facade;
- 'verified' requires pool commit AND clean commit-law/faithfulness
  audits AND a gold-audited envelope.json entry AND byte-match to the
  pinned derivation trace (measured: 118 of the off-serving pool's 231
  corpus commits disagree with lane gold, so a bare pool commit is
  never served — scenario s4 shows the refusal on a commit that even
  matches gold);
- the ask leg is the real Q1 stack (router -> limitation -> Q1-D
  producer -> carried handle -> gated serving), dark by default,
  tamper-fail-closed on the content hash;
- authority_path names only consulted authorities; responses are
  deterministic (double-run byte-identical) and pinned under expected/.

No serving/runtime change; no CLAIMS/metrics/telemetry/lane-pin
movement; no network or Anthropic API dependency (System 1 payloads are
clearly-labeled static fixtures).
2026-06-10 20:41:50 -07:00
Shay
b93b4bd513 memo: tighten for Karpathy + Anthropic exec audience
- Explicit System 1/2 framing in thesis and §2 (Claude proposes; CORE decides)
- Named Bounded Transition Guarantee (v2.1) callout box in §2
- Conditioned false-positive claim on correctly specified Anchor (§1)
- Named Type-Safe Local Closure security model in Lens layer and §5 Signal 1
- §7 renamed 'The Ask — Hybrid Mode Wedge' with MCP-shaped experiment framing
- §5 stats (716/716, 0 wrong) explicitly tied to BTG, not tuning/sampling
- §6 Honest Limits: explicit Hybrid vs Native Mode distinction added
- Harmful variant table row: 'licensed scope is a ratified human policy decision'
2026-06-10 16:10:47 -07:00
Shay
d39189e9e6
test(derivation): add ADR-0184 semantic replay equivalence harness
test(derivation): add ADR-0184 semantic replay equivalence harness
2026-06-10 15:05:53 -07:00
Shay
ad75a2c79a test(derivation): add ADR-0184 semantic replay equivalence harness
ADR-0184 S4b — the replay/provenance equivalence boundary, the
precondition for any semantic-primary path. After #685 the in-repo
legacy path delegates to the semantic boundary, so old-vs-new is
vacuous; the durable reference is a pinned canonical trace artifact
(evals/gsm8k_math/equivalence/v1/, 937 problems) whose authority is
the #684/#685 cross-tree differentials (documented provenance chain).

- state/provenance.py: replay_is_faithful — the replay bridge's law as
  a checkable structural property (no verify/pool import; covered by
  the #685 authority scan).
- equivalence/trace.py: canonical traces (worlds, candidates, order,
  multiplicity, classifications, resolutions) + authority_violations
  re-deriving the pool commit law from trace content.
- scripts/verify_semantic_equivalence.py: check / --update gate
  mirroring verify_lane_shas.py.
- tests/test_adr_0184_s4b_replay_equivalence.py: full-corpus live-vs-
  pinned equality, corpus-wide authority + faithfulness, and 17
  single-mutation non-vacuity proofs.

Pure additions; verify.py/pool.py untouched; no serving, CLAIMS,
metrics, or lane pins moved.
2026-06-10 14:35:22 -07:00
Shay
a6e846ebdb
Merge pull request #685 from AssetOverflow/feat/adr-0184-s3-candidate-source-boundary
feat(derivation): define semantic-ledger candidate source boundary
2026-06-10 13:53:45 -07:00
Shay
951bcc0252 feat(derivation): define semantic-ledger candidate source boundary
ADR-0184 §7 S4: add generate/derivation/state/source.py — the single
boundary through which semantic-ledger worlds become pool candidates —
and swap pool.py's accumulation source to semantic_state_candidates().
accumulate.py keeps its public surfaces as thin compatibility wrappers
(ADR-0184 §10). Byte-identical over the 937-problem differential;
verify.py / pool.py remain the sole commit authority (structural
no-authority-import scan over state/, non-vacuous).

Also: docs/analysis design note for the S3–S5 boundary stack, and a
drive-by ruff F541 fix in r1_reconstruction.py (rf->r, zero behavior).
2026-06-10 13:17:53 -07:00
Shay
130344d373
Merge pull request #683 from AssetOverflow/feat/ask-carried-handle-seam
feat(ask): add carried-handle acquisition seam for served ASK
2026-06-10 12:54:38 -07:00
Shay
c0d6493219 fix(ask): canonicalize question/proposal path collision check
Compare resolved canonical Path values, not raw string spellings, when
detecting a question_path / proposal_path collision. A relative
proposal_path and an absolute question_path that name the same file now
fail closed with reason "path_collision" instead of resolving.

Adds a regression test for the absolute-vs-relative same-file collision
and keeps the existing exact-string collision test. The new test is
non-vacuous: it fails under the prior raw-string comparison.

Scope: ask_handle.py seam + its test only. No runtime.py, CLAIMS,
metrics, telemetry, schema, or lane-pin changes.
2026-06-10 12:44:46 -07:00
Shay
953d183d9d
Merge pull request #684 from AssetOverflow/feat/adr-0184-s2-semantic-ledger-reland
feat(derivation): introduce ADR-0184 S2 semantic-state ledger (behavior-equivalent)
2026-06-10 12:14:07 -07:00
Shay
9dcb00248c feat(derivation): route accumulation through ADR-0184 S2 semantic ledger
ADR-0184 S1 (state/bind.py, state/change.py) landed the reusable referent and
change-cue helpers. S2 adds the first explicit state-transition substrate and
routes both accumulation readings through it:

- state/model.py   frozen SET/GAIN/LOSS transition model over one entity/unit
                   StateKey, with structural validation (closed op set; unit is a
                   str with "" = unitless, mirroring the extractor's Quantity.unit
                   contract; entity optional, mirroring leading_subject_token).
- state/ledger.py  build_accumulation_ledger() — the proven single-referent
                   gain/loss reading, expressed as a SemanticLedger.
- state/replay.py  replay_accumulation_ledger() — the only bridge to
                   GroundedDerivation; refuses any non-accumulation ledger shape
                   (non-SET start, cross-key mutation).

accumulate.py's _build_accumulation / _build_accumulation_anchor_skip now build a
ledger and replay it instead of constructing the arithmetic chain inline; the
public compose_accumulation()/accumulation_candidates() surfaces are unchanged.

Behavior-equivalent: a byte-for-byte differential over 937 real GSM8K problems
(accumulation_candidates, compose_accumulation, pooled_candidates, resolve_pooled)
shows 0 differences vs main. Semantic worlds never commit directly — replay emits
GroundedDerivation and verify.py / pool.py remain the sole authority. Sealed: no
serving/runtime/chat import; no CLAIMS or eval-lane-SHA movement.

Refs ADR-0184 section 7 (S2).
2026-06-10 12:00:23 -07:00
Shay
05a25dd61f Add technical memo for external review (GitHub Pages) 2026-06-10 11:59:17 -07:00
Shay
41664ce60d feat(ask): add carried-handle acquisition seam for served ASK
The missing-boundary doc (#682) established that chat/runtime.py has no
lawful in-turn provider for a QUESTION_NEEDED ContemplationResult: the
only producer is the off-serving contemplation pass, and scanning
teaching/questions/ would be new, unspecified acquisition logic. This
slice builds the recommended unblocking seam instead of the forbidden
runtime shortcut: carried-handle acquisition.

core/epistemic_disclosure/ask_handle.py:
- AskArtifactHandle — an explicit, caller-carried reference to one
  already-produced Q1-D DeliveredQuestion artifact. Provenance is the
  producer's own content address (sha256 of blocking_reason:slot_name:
  text, also the artifact filename stem) — the only identity field the
  Q1-D artifact carries today. No turn/case provenance exists yet; that
  boundary is documented, not invented.
- resolve_served_ask_handle — gate-first (zero filesystem access while
  ask_serving_enabled is dark), structural handle validation, single
  explicit-path artifact read (no glob/iterdir/scan), and content-hash
  re-derivation so a stale/replaced/tampered artifact fails closed.
  Emits a ResolvedAskCandidate duck-typed to what evaluate_served_ask
  reads (terminal/question_path/proposal_path) — no question prose is
  ever constructed or carried.
- acquire_served_ask_from_handle — composes resolution into the
  existing acquire_served_ask_candidate / evaluate_served_ask stack.
  All Q1-D artifact policy (status/review/served/answer-binding/text/
  slot/collision) stays delegated; the seam owns identity only.

Not changed: chat/runtime.py, chat(...) signature, ChatResponse,
TurnEvent, telemetry schema, Q1B_ASK_CARVE_OUT, proposal_allowed,
VERIFIED serving, CLAIMS/metrics/lane pins. The seam imports neither
generate.contemplation (pass_manager) nor core.epistemic_questions
render/delivery — enforced by AST tests.

Tests (tests/test_ask_handle.py, 18 cases): gate-dark no-I/O proof,
fallback preservation, valid resolution served end-to-end through the
existing stack, proposal-artifact / missing / malformed / invalid-Q1-D
/ path-collision / stale-hash / non-addressed-filename / structurally-
invalid-handle fail-closed paths, no-discovery-without-exact-handle,
and AST guards for scan primitives, forbidden imports, and prose.

Verification: focused ASK+governance suites 396 passed; architectural
invariants 56 passed; smoke-equivalent suite 90 passed; lane SHAs 8/9
content-match (the 9th is the documented local public_demo wall-clock
flake, 48.3s vs the 30s ADR-0099 budget — no content drift, no re-pin).
2026-06-10 10:53:54 -07:00
Shay
7d6b7918aa
Merge pull request #682 from AssetOverflow/feat/ask-runtime-wire
docs(ask): document missing runtime ASK provider boundary
2026-06-10 09:41:42 -07:00
Shay
d2a4deffa9 docs(ask): document missing runtime ASK provider boundary
Stop-and-document outcome for issue #680's final runtime wiring. The
serving turn has no lawful in-turn ContemplationResult or provider: the
sole QUESTION_NEEDED producer (generate.contemplation.contemplate) is an
off-serving growth organ that runtime is forbidden to call, and no
plumbing carries its artifact into the turn. Wiring is deferred to a
lawful acquisition slice; chat/runtime.py is left untouched.
2026-06-10 09:23:04 -07:00
Shay
32f8c2ff9a
feat(ask): add runtime-facing ASK helper module
feat(ask): add runtime-facing ASK helper module
2026-06-10 08:29:46 -07:00
Shay
97ba7a3a17 feat(ask): add runtime-facing ASK helper module
Adds a small chat.ask_runtime helper that consumes the ASK acquisition seam without editing chat/runtime.py.

- Uses honest contemplation_result keyword forwarding
- Preserves fallback behavior when ASK serving is disabled
- Does not call pass_manager or render_question
- Does not change public chat/runtime schema
2026-06-10 03:34:02 -07:00
Shay
d3e13bbf19
Merge pull request #679 from AssetOverflow/fix-ask-acquisition-guard
test(ask): make acquisition runtime guard structural
2026-06-09 13:43:21 -07:00
Shay
0e24f8cb0b test(ask): make runtime schema guard structural 2026-06-09 13:34:10 -07:00
Shay
c0b00587f6 revert(ask): remove unsafe runtime hook bypass
Backs out the direct main push that added _maybe_apply_served_ask using a string-concatenation workaround to evade an over-broad text guard.

Restores chat/runtime.py to the #678 merge state and removes tests/test_ask_runtime_hook.py so the next runtime hook can land through a reviewed PR with structural tests instead of guard bypasses.
2026-06-09 13:29:18 -07:00
Shay
2bafceea46 feat(ask): wire default-dark ASK candidate into runtime fallback path
- This is the smallest runtime consumption hook for the ASK acquisition seam.

- It is default-dark.

- It preserves normal runtime behavior when disabled.

- It does not change public `chat(...)` signature.

- It does not change `ChatResponse`, `TurnEvent`, or telemetry schema.

- It does not call/render question prose.

- It does not serve from `proposal_path`.

- It does not retire Q1B carve-out or flip `proposal_allowed`.

- It does not serve VERIFIED.

- It does not move CLAIMS or metrics.
2026-06-09 13:26:13 -07:00
Shay
55402001e3
Merge pull request #678 from AssetOverflow/add-ask-acquisition-seam
feat(ask): add serving-safe ASK acquisition seam
2026-06-09 13:09:45 -07:00
Shay
14285b5f21 test(ask): cover served ASK acquisition seam 2026-06-09 13:00:11 -07:00
Shay
4403a21044 feat(ask): export served ASK acquisition seam 2026-06-09 12:59:15 -07:00
Shay
16979f48d0 feat(ask): add served ASK acquisition seam 2026-06-09 12:58:31 -07:00
Shay
4308519ca9
feat(ask): add served ASK artifact adapter
Adds the Stage 2 served ASK artifact adapter and adapter-only tests.

- Validates Q1-D DeliveredQuestion artifacts before ASK eligibility
- Uses ask_serving_enabled as a default-dark gate
- Uses the disclosure bus disposition mapping
- Fails closed to fallback surface/disposition on invalid artifacts
- Does not wire chat/runtime, telemetry, TurnEvent, ChatResponse, CLAIMS, or metrics
- Does not retire Q1B_ASK_CARVE_OUT or flip proposal_allowed
2026-06-09 12:49:52 -07:00
Shay
426adbd197 docs(stage2): map disclosure-bus implementation state and next slices 2026-06-09 11:32:00 -07:00
Shay
9cff9755cd
feat(ask): split question artifact path from proposal path
Adds dedicated ContemplationResult.question_path for off-serving ASK artifacts and stops storing QUESTION_NEEDED question paths in proposal_path. Proposal artifacts remain under proposal_path. No chat/runtime wiring, served ASK surface, Q1B carve-out retirement, registry flip, or CLAIMS/metric movement.
2026-06-09 11:28:52 -07:00
Shay
b687f62cf0
feat(ask): integrate off-serving ASK delivery in pass manager
Adds off-serving pass_manager integration for ASK delivery through deliver_ask behind explicit exercise_ask. Preserves boundary-first ordering, writes question artifacts to the question sink via question_root, avoids double delivery, and keeps chat/runtime, served ASK, Q1B carve-out, registry, CLAIMS, and metrics untouched.
2026-06-09 10:50:36 -07:00
Shay
3cfaaf9153
feat(config): add explicit default-dark serving gate fields
Adds explicit default-false RuntimeConfig ask_serving_enabled and verified_serving_enabled fields while preserving default-dark helper behavior. Includes focused ASK/VERIFIED gate tests and cross-gate independence coverage. No pass_manager wiring, runtime wiring, verify.py wiring, served behavior, or CLAIMS/metric movement.
2026-06-09 10:24:28 -07:00
Shay
45835987b9
feat(verified): add default-dark VERIFIED serving gate helper
Adds a default-dark verified_serving_enabled helper with focused tests. The helper is unwired: no runtime integration, no verify.py wiring, no eval producer imports, no served VERIFIED behavior, and no CLAIMS/metric movement.
2026-06-09 10:06:36 -07:00
Shay
1fff7dad59
Merge pull request #672 from AssetOverflow/docs/verified-serving-wiring-scoping
docs(verified): scope serving-time VERIFIED wiring and gold-free independence gate
2026-06-09 09:51:52 -07:00
Shay
ec9102a8d6 docs(verified): scope serving-time verification gate 2026-06-09 09:41:34 -07:00
Shay
ffbaf0f27c
Merge pull request #671 from AssetOverflow/docs/ask-serving-integration-scoping
docs(epistemic): scope ASK serving integration and carve-out retirement
2026-06-09 09:38:04 -07:00
Shay
4a6153d53e docs(epistemic): tighten pass_manager scoping wording and use relative links 2026-06-09 09:26:49 -07:00
Shay
17e36acdc0 docs(epistemic): scope ASK serving integration gate 2026-06-09 09:22:35 -07:00
Shay
297349fd8d
feat(ask): add default-dark ASK serving gate helper
Adds a default-dark ask_serving_enabled helper with focused tests. The helper is unwired: no pass_manager integration, no runtime surface, no carve-out retirement, and no served question text.
2026-06-09 09:17:14 -07:00
Shay
9a54374048
docs(epistemic): record accepted Q1-D delivery decisions
Rewrites the Q1-D ASK bus delivery scoping document into the durable decision record for decisions implemented in #668. No code or runtime behavior changes.
2026-06-09 09:16:24 -07:00
Shay
28cb42d0dd
docs(epistemic): scope ASK and VERIFIED serving gates
Accepts the ASK + VERIFIED serving-integration scoping briefs.

No served-surface code is introduced. ASK is identified as the next gated serving slice; VERIFIED remains blocked on a gold-free second reader and explicit eval-gold serving ban.
2026-06-08 22:22:35 -07:00