Skip to content

autobahn: close a shared-filesystem isolation gap + ledger-write timing + bright-line appeal path#11

Open
AlexZio00 wants to merge 1 commit into
LilMGenius:mainfrom
AlexZio00:autobahn-isolation-and-ledger-timing
Open

autobahn: close a shared-filesystem isolation gap + ledger-write timing + bright-line appeal path#11
AlexZio00 wants to merge 1 commit into
LilMGenius:mainfrom
AlexZio00:autobahn-isolation-and-ledger-timing

Conversation

@AlexZio00

Copy link
Copy Markdown

Context

I adapted autobahn into my own harness and ran it through an adversarial 3-lens design critique (adversarial-user / isolation-integrity / systemic-integration-gap). My harness gives subagents shared Read/Grep access to project files and a decision-log/session-transcript search tool, which the original design (reasonably) doesn't assume — most Task runtimes are fully sandboxed. Under that assumption, three things surfaced:

  1. Shared-filesystem isolation gap — the carved prompt keeps the RUN subagent's prompt clean, but if the run has filesystem/memory access alongside the main session, it can still stumble onto the risky original by reading a decision log, a notes file, or transcript search over shared state. A clean prompt isn't a clean room if the surrounding filesystem isn't clean too.
  2. Ledger-write timing — nothing in the original ordered the archive write relative to RUN. If the descope ledger's archive entry (which necessarily describes the risky material, per negatives-as-corpus) gets written before or during RUN, it can sit on disk exactly where the run could read it back out.
  3. No appeal path for disputed bright-line calls — if a user pushes back on a bright-line verdict, the only mechanism was the same (now pressured) session reconsidering itself, which is attrition, not review.

What this PR changes

  • GUARD / RUN: the scope-guard block also forbids the run from consulting decision logs, notes, or transcript search over shared state, where that access exists.
  • LEDGER: the archive write happens after the run's window has closed, not before or during.
  • FRAME: a bright-line dispute routes to a fresh context holding only the item's abstract description (not the negotiation), rather than the same session re-litigating under pressure.
  • VERIFY: added a fifth check — an independent re-sweep of the original task from a fresh context, diffed against the ledger, to catch what the initial CARVE missed or over-excluded.

All four are additive — the workflow shape (FRAME/CARVE/GUARD/RUN/VERIFY/LEDGER) is unchanged, and none of it applies when the run genuinely has no access to anything outside the carved prompt (I tried to phrase each addition as conditional on that access existing, so it doesn't add dead instructions for harnesses where subagents are fully isolated already).

Happy to adjust phrasing/scope if any of this doesn't fit the repo's conventions — flag whatever needs changing.

…ht-line appeal path

Three gaps surfaced by running autobahn in a harness where the RUN
subagent shares filesystem/memory access with the main session
(unlike a fully isolated Task runtime):

- The carved prompt didn't forbid the run from reading decision logs
  or transcript search over that shared state, so a prompt-level-only
  clean room wasn't actually clean if the run went looking nearby.
- The descope ledger's archive write wasn't ordered relative to RUN,
  so a risky-material description could sit on disk while the run's
  window was still open.
- A user disputing a bright-line call had no path other than the same
  (now pressured) session reconsidering itself.

Also adds a fifth VERIFY check: an independent re-sweep of the
original task, diffed against the ledger, to catch what the initial
CARVE missed or over-excluded.

None of this changes the workflow shape (still FRAME/CARVE/GUARD/
RUN/VERIFY/LEDGER) — it closes gaps specific to harnesses where the
executing subagent isn't fully sandboxed from the calling session's
state.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant