Owlibou/gnoma
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Owlibou/gnoma:v0.2.1
Branches Tags
Owlibou/gnoma:main Owlibou/gnoma:dev
Owlibou/gnoma:v0.3.4 Owlibou/gnoma:v0.3.3 Owlibou/gnoma:v0.3.2 Owlibou/gnoma:v0.3.1 Owlibou/gnoma:v0.3.1-rc2 Owlibou/gnoma:v0.3.1-rc1 Owlibou/gnoma:v0.3.0 Owlibou/gnoma:v0.2.1 Owlibou/gnoma:v0.2.0 Owlibou/gnoma:v0.1.0
...
compare: Owlibou/gnoma:v0.3.3
Branches Tags
Owlibou/gnoma:dev Owlibou/gnoma:main
Owlibou/gnoma:v0.3.4 Owlibou/gnoma:v0.3.3 Owlibou/gnoma:v0.3.2 Owlibou/gnoma:v0.3.1 Owlibou/gnoma:v0.3.1-rc2 Owlibou/gnoma:v0.3.1-rc1 Owlibou/gnoma:v0.3.0 Owlibou/gnoma:v0.2.1 Owlibou/gnoma:v0.2.0 Owlibou/gnoma:v0.1.0

37 Commits
v0.2.1 ... v0.3.3

Author SHA1 Message Date
vikingowl fa65a68728 docs(plans): config-migration and sensitive-content-policy
Release / release (push) Has been cancelled
Details 
Promotes two TODO entries into phased plan docs and links them
from the TODO bullets.

config-migration plan covers the silent layered-config corruption
chain (encoder zero-spam -> reader overwrite -> wrong effective
values) and its remediation across five phases: encoder fix
(omitempty + pointer-numeric hybrid), project registry, gnoma
doctor, gnoma upgrade-config, and auto-migration on startup with
banner notice.

sensitive-content-policy plan unifies three input paths (pasted
text, pasted images, tool-read files) behind one decision API
with consistent UI surface and audit-log integration. Phases A-E
sequence the work from highest-leverage (text paste) to most
complex (image OCR with local vision arm).

Neither plan starts implementation in this commit — they exist to
make the design decisions explicit so the eventual code can be
reviewed against a written intent rather than a TODO bullet.
 2026-05-24 22:51:33 +02:00
vikingowl 8b9bdc2978 feat(security): per-session firewall audit log 
New AuditLogger writes one JSON line per firewall action to
<projectRoot>/.gnoma/sessions/<sessionID>/audit.jsonl so a user can
grep 'what did the firewall do this session?' after the fact.

Records 'block', 'redact', 'warn', and 'unicode_sanitize' events with
the matcher name, source (tool_result / message_text / etc.), and
token length. Discipline: never the bytes themselves — only the
matcher name and the length, matching the README's scope-note
promise about audit data.

Plumbing:
- Firewall gains an audit *AuditLogger field plus SetAudit setter.
  The firewall is constructed before the session ID exists, so the
  audit logger is wired post-hoc once main.go has the sessionID.
- Honours incognito: Record is a silent no-op when the firewall's
  IncognitoMode is active, preserving the no-persistence contract.
- Tolerant of fs errors: mkdir / open / encode failures log a Warn
  but never propagate; the scan pipeline must not depend on audit
  succeeding.
- Nil receiver is a valid no-op so callers don't need nil-guards
  around every Record.

Tracks 'Security boundary — per-session audit log' from the
v0.3.0 r/SideProject launch thread (u/Secret_Theme3192,
2026-05-24). Per-host egress allowlist remains separately tracked
pending the commenter's reply on host-level vs per-tool semantics.
 2026-05-24 22:47:28 +02:00
vikingowl eea26a262e feat(router): surface bandit knobs as [router.bandit] config 
Four hardcoded constants in the selector and feedback tracker are now
user-tunable via [router.bandit]:

- quality_alpha    (EMA smoothing, default 0.3)
- min_observations (samples before observed overrides heuristic, default 3)
- observed_weight  (observed/heuristic blend ratio, default 0.7)
- strength_bonus   (quality bonus for Strengths-tagged arms, default 0.15)

Each field treats 0 as 'use default', so an empty TOML block is
byte-identical to pre-config behaviour. BanditParams is plumbed via
router.Config{Bandit: ...} and resolveBanditParams() centralises the
fallback so every call site shares the same defaults.

QualityTracker, scoreArm, bestScored, and selectBest signatures now
take the configured values directly rather than reaching for package-
level constants. Tests updated to pass BanditParams{} (defaults) or
explicit overrides where they validate the new tuning paths.

Tracks item #3 from the 'Bandit selector — design decisions deferred'
TODO entry — ships independently of the EMA vs SLM strategic decision.
 2026-05-24 22:42:34 +02:00
vikingowl 352cab4a94 docs(todo): extend config-migration plan with project registry
Release / release (push) Has been cancelled
Details 
Adds item #5 to the config write/merge corruption entry:
~/.config/gnoma/projects.json tracking which directories gnoma has
been launched in. Enables doctor --all-projects, cross-project
session listing, and one-shot upgrade-config across all known
projects.

Documents the design constraints: must use the same omitempty /
atomic-write discipline as the encoder fix to avoid recreating the
class of bug it exists to help solve. Privacy footprint flagged
(local-only directory log; opt-out toggle). Stale-entry handling
gated through doctor, not auto-prune.
 2026-05-24 22:29:56 +02:00
vikingowl 58f4001917 docs(todo): track config write/merge corruption + doctor/upgrade design 
setConfig() serializes the entire Config struct on every key change,
which writes zero-valued fields into the file. On the next load those
explicit zeros override higher-priority layers via toml.Decode's
present-beats-absent semantics. Concrete symptom today: a global
prefer = 'cloud' was silently shadowed by a project prefer = ''.

Captures the multi-part fix surface so it doesn't get half-done:
- Stop generating zero-spam (omitempty hybrid or pelletier swap).
- gnoma doctor: read-only diagnostic (zero-spam, invalid enums,
  removed keys, effective-merged values).
- gnoma upgrade-config: active migration with .bak backup + diff.
- Auto-migrate project-level on startup with TUI banner notice;
  global stays explicit.
 2026-05-24 22:24:59 +02:00
vikingowl 6c5e969217 feat(tui): add /router command for runtime routing-preference switch 
Mirrors the pattern of /permission: bare command shows the current
value plus a help line; with an argument (auto/local/cloud) it calls
Router.SetPreferPolicy and emits a system message. Session-only — does
not write back to config.toml, matching /permission and Ctrl+X
incognito-toggle conventions.

Tab completion on the value via routerPreferModes alongside the
existing permissionModes pattern. Help text updated. Status-bar
indicator deferred (separate concern if it turns out to be wanted).
 2026-05-24 22:13:27 +02:00
vikingowl 74bd570438 fix(tui): de-dupe /init in command picker; skill names shadow builtins 
/init appeared twice in the completion picker — once from the static
builtinCommands list and once from the bundled init skill at
internal/skill/skills/init.md (registered via skills.All()).

Two changes:

- Remove /init from builtinCommands. The skill provides the canonical
  entry, and its description ('Generate or update AGENTS.md project
  documentation') is more accurate than the static one ('initialize
  project — create AGENTS.md') because the skill handles both create
  and update.
- Refactor completionSource() so a skill name silently shadows any
  builtin with the same name. Prevents this from recurring if a
  future builtin migrates to a skill, and lets users override a
  builtin's description by dropping a skill of the same name into
  .gnoma/skills/.
 2026-05-24 22:08:46 +02:00
vikingowl d38d7daf25 fix(subprocess/agy): disable ToolUse until stream-json lands 
agy is registered with FormatAgyText and the agyParser emits every
stdout line as a plain EventTextDelta. There is no path for a
structured ToolCall event to come back. With ToolUse=true the router
would dispatch tool-needing tasks (security_review, spawn_elfs, file
edit) to agy; the underlying Gemini model would describe calling the
tool in prose — invented UUIDs and 'I will pause now'-style stubs —
the engine would receive only text, and the turn would hang waiting
for a tool call that never arrives.

Surfaced when /init routed to agy for a security_review task and
elf spawning visibly hallucinated in the TUI. Capability flag
flipped to false; agy stays usable for tool-free prompts (explain,
summarize, simple chat). TODO entry for native stream-json updated
to flag that the capability flip is part of that same change.
 2026-05-24 21:58:22 +02:00
vikingowl 06d4069076 ci: pin GoReleaser to the triggering tag, fix tag-collision regression
Release / release (push) Has been cancelled
Details 
When v0.3.1 was tagged on the same commit as v0.3.1-rc2, the release
workflow built and tried to publish rc2 artifacts instead of v0.3.1,
failing with 'already_exists' on every asset upload.

Root cause: goreleaser-action@v6 + 'version: latest' (locked to v2.x)
falls back to 'git describe --tags' for the current tag, which picked
v0.3.1-rc2 over v0.3.1 when both refs pointed at HEAD. Explicitly
setting GORELEASER_CURRENT_TAG = github.ref_name forces the workflow
to use the tag that triggered it, regardless of other refs at the same
commit.
 2026-05-24 17:36:01 +02:00
vikingowl f641bd4971 docs(todo): track bandit selector design questions 
Two related items surfaced from the r/coolgithubprojects v0.3.1
launch thread. Bundled because they share the selector code:

1. Whether to keep numeric EMA at all post-SLM dispatcher (open
   strategic question from the 2026-05-07 roadmap — not a
   must-implement).
2. Surfacing hardcoded selector knobs (qualityAlpha, blend ratio,
   strength bonus, quality floor) as [router.bandit] config keys —
   ships independently of #1.
 2026-05-24 17:34:13 +02:00
vikingowl 798f2ab3c3 fix(release): prerelease auto-detect; changelog excludes scoped conventional commits
Release / release (push) Has been cancelled
Details 
Two polish issues surfaced by the v0.3.1-rc1 pipeline test:

- The release was tagged v0.3.1-rc1 but published without the
  prerelease flag, so it appeared alongside stable releases. Add
  'prerelease: auto' to release.github so GoReleaser marks any tag
  with a semver prerelease suffix (-rc, -beta, -alpha, -pre)
  appropriately.

- The changelog filters used '^docs:' patterns that only match bare
  conventional commits. Scoped variants like 'docs(readme):' and
  'chore(make):' slipped through into the published changelog.
  Switch to '^docs[:(]' style patterns to match both forms, and add
  '^style[:(]' so gofmt-drift commits are excluded too.
 2026-05-24 17:05:49 +02:00
vikingowl 9814795b3c ci: migrate release pipeline from Woodpecker to GitHub Actions
Release / release (push) Has been cancelled
Details 
Drop the broken .woodpecker/release.yml (top-level when: triggered an
'error' status on every dev push instead of skipping non-tag events)
and replace with .github/workflows/release.yml driving the same
GoReleaser flow.

Rationale:
- Release artifacts already land on GitHub (releases + ghcr.io), so
  running the pipeline on GitHub eliminates a build hop.
- GH Actions auto-provides GITHUB_TOKEN with packages:write via the
  workflow permissions block — no PAT plumbing or login secrets.
- docker/setup-qemu-action and docker/setup-buildx-action handle the
  multi-arch cross-build setup that Woodpecker would require manual
  host configuration for.

Trigger: any tag matching refs/tags/v*. Mirror sync from somegit.dev
propagates tags to GitHub, so 'git push origin v0.3.1' on the canonical
remote still drives the GitHub-side release.
 2026-05-24 16:45:17 +02:00
vikingowl 047924da2b ci(woodpecker): release pipeline on vX.Y.Z tag 
Runs 'go test ./...' then 'goreleaser release --clean' inside the
official goreleaser image when a tag matching refs/tags/v* is pushed.
GITHUB_TOKEN comes from the 'github_token' repo secret (needs repo +
write:packages scopes) and is reused for ghcr.io docker login so the
multi-arch image build can push.

Runner requirements documented inline: docker socket access plus QEMU
registered on the host (tonistiigi/binfmt --install all) for arm64
cross-builds. Directory form chosen so a non-release CI pipeline can
land later under .woodpecker/ci.yml without restructuring.
 2026-05-24 16:38:24 +02:00
vikingowl a23eb6b92c style: gofmt drift from prior commits 
Pure whitespace cleanup surfaced when 'make check' ran gofmt over the
tree. Mostly struct-field column alignment in internal/safety/banner.go
(SessionInfo) and the var(...) flag block in cmd/gnoma/main.go after
--dangerously-allow-anywhere was added without realignment. Verified
zero substantive changes via 'git diff --ignore-all-space
--ignore-blank-lines'.
 2026-05-24 16:33:17 +02:00
vikingowl 0981fb82d6 chore(make): add govulncheck and semgrep to 'make check' 
Both checks already passed locally on the current dev tip; wiring them
into the canonical pre-commit gate so security regressions fail fast
instead of leaking into a release.

- 'make vuln' runs govulncheck with reachability analysis against the
  Go vuln DB.
- 'make sec' runs semgrep with p/golang + p/security-audit, metrics
  off, --error so findings exit non-zero.

Tools must be installed locally (commands in Makefile comments). If
upstream Woodpecker CI runs 'make check', it will need both binaries
on the runner image.
 2026-05-24 16:30:54 +02:00
vikingowl 3888966e68 fix(deps): bump golang.org/x/net to v0.55.0 to clear reachable CVEs 
govulncheck flagged two reachable vulnerabilities in
golang.org/x/net@v0.52.0:

- GO-2026-5026 (idna fails to reject ASCII-only Punycode labels),
  reached via router.DiscoverOllama -> http.Client.Do -> idna.ToASCII.
- GO-2026-4918 (HTTP/2 transport infinite loop on bad
  SETTINGS_MAX_FRAME_SIZE), same call path -> http2.Transport.*.

Bumping to v0.55.0 covers both. Transitive bumps to x/crypto v0.51.0,
x/sys v0.45.0, x/text v0.37.0. Post-bump govulncheck reports 0
reachable vulnerabilities and 0 in directly imported packages.
 2026-05-24 16:27:28 +02:00
vikingowl 847cd5fe0c fix(security): use crypto/rand for session-ID suffix 
Semgrep flagged math/rand for the /tmp artifact-directory session-ID
generation. Modern Go (1.20+) auto-seeds the global math/rand source
so this wasn't exploitable in practice, but crypto/rand is the
idiomatic choice for any security-adjacent identifier and removes the
finding from future security audits.

Drops the mrand alias entirely; reads 8 random bytes once and masks
to 24 bits to preserve the existing %06x suffix format.
 2026-05-24 16:22:50 +02:00
vikingowl 001865f069 fix(env): correct ANTHROPIC_API_KEY typo, add missing vars 
The placeholder ANTHROPICS_API_KEY (with trailing S) silently failed:
the auth layer reads ANTHROPIC_API_KEY, so anyone copying .env.example
to .env and pasting their key would see gnoma never pick it up, with
no clear error.

Also surfaces vars that already work but weren't templated:
GOOGLE_API_KEY (alternative to GEMINI_API_KEY), GNOMA_PROVIDER and
GNOMA_MODEL (config overrides), and the two subprocess sandbox bypass
footguns (GNOMA_AGY_BYPASS_PERMISSIONS, GNOMA_CODEX_BYPASS_SANDBOX),
left commented out so they don't accidentally turn on.
 2026-05-24 16:16:39 +02:00
vikingowl c1c52f139d docs(readme): add 'no phone-home' bullet and data-flow scope note 
Clarify that gnoma itself emits no telemetry to external services
while being explicit that cloud-provider arms send data to those
providers by design. Adds:
- 'No phone-home' bullet to the differentiator list, naming the
  on-device path (Ollama/llama.cpp + --incognito).
- 'Data flow' paragraph to the Security scope-note blockquote so
  the framing is consistent between the hero bullets and the
  Security section.
 2026-05-24 16:00:40 +02:00
vikingowl 7040041f13 docs(readme): correct firewall scope; track egress controls in TODO 
The 'What makes gnoma different' bullet and Security section both
implied a network-egress firewall. Today the Firewall only enforces a
content boundary (secret scan, Unicode sanitize, redact/block). Reword
both spots and add a Scope note. Surface the gap as a top-of-TODO
entry covering per-session audit log and per-host egress allowlist,
with the open design question (host-level vs per-tool) called out.
Raised via r/SideProject v0.3.0 launch thread.
 2026-05-24 15:50:35 +02:00
vikingowl 1828151162 docs(claude): big-picture architecture and expanded test commands 
Add a 'Big picture' section summarising the request flow (cmd →
session → engine → router → security/permission → extensibility) so
future Claude Code instances can orient without reading INDEX.md plus
five package directories first. Note that internal/safety and
internal/slm aren't in INDEX.md yet. Document the somegit.dev /
GitHub mirror split and the ruleset that blocks force-push and
deletion on main/dev. Expand build/test section with make check, make
test-integration, single-test, and benchmark commands.
 2026-05-24 15:39:23 +02:00
vikingowl b5062d59e9 docs(readme): hero screenshot, differentiators, status, TOC 
Add docs/img/gnoma-tui.png as a hero image so visitors see the TUI
above the fold instead of a wall of text. Pull the bandit router,
prefer-policy, SLM, and built-in firewall out of buried sections into
a 'What makes gnoma different' bullet list. Add a Status block flagging
pre-1.0 and a table of contents. Move the pygmy-owl naming note and
upstream/mirror URLs into a footer About section.
 2026-05-24 15:39:14 +02:00
vikingowl b13a6a2801 docs(plans): mark v0.3.0 plans shipped 
Three plans shipped end-to-end in v0.3.0; removing them from
TODO.md In-flight and adding a Status: shipped header to each
plan doc with the commit references.

Shipped:
- 2026-05-23-routing-defaults-refresh.md
- 2026-05-23-prefer-routing-policy.md
- 2026-05-23-startup-safety-banner.md

Still in flight (telemetry-gated, fires only if measurements
support it):
- 2026-05-23-tool-router-specialization.md
 2026-05-23 22:45:05 +02:00
vikingowl 8ba77c1685 fix(safety): env-template precision, label alignment, banner on bypass 
Three polish items surfaced during the maintainer's manual smoke
of the previous safety commit.

env-template precision (false-positive fix):
  The "env file" rule matched .env.* universally, which flagged
  conventional templates like .env.example / .env.sample /
  .env.template / .env.dist / .env.default — these hold variable
  NAMES, no values, and are commonly committed. Now skipped.
  Real env files (.env, .env.local, .env.production) still match.
  New envTemplateSuffixes table + isEnvTemplate helper; check runs
  only inside the env-file rule so the suffix denylist is scoped.
  Tests added for both directions: 6 templates that must NOT flag,
  6 real env files that must.

Banner label alignment:
  Field labels were padded to 8 chars except "sensitive" at 9,
  producing visible misalignment in the rendered banner:
      cwd      : /...
      provider : ollama / ...
      sensitive : 0 matches in cwd     <- one extra space
  Padded all labels to 9 chars so the ":" separators line up.

Context banner on bypass:
  --dangerously-allow-anywhere previously suppressed the entire
  safety block, including the informational context banner.
  Bypassing the GATE is not the same as opting out of the info —
  the user still wants to see cwd / git state / sensitive files
  nearby. Restructured the safety block so classification + banner
  always run; the bypass only skips the refuse/warn FLOW. The
  bypass warning log now also includes the classified tier and
  cwd path for diagnostics.
 2026-05-23 22:32:26 +02:00
vikingowl c483656681 docs(plans): fix gnoma one-shot invocation in safety-banner plan 
gnoma takes the prompt as a positional argument, not via -p (that's
Claude Code's syntax). Surfaced when the maintainer tried the
manual smoke from the plan's "Definition of done" section and hit
the "flag provided but not defined: -p" error.

  before: gnoma -p "test"
  after:  gnoma "test"

The same wrong syntax appears in the f9094f6 / 3eeb5b4 commit
messages but those are immutable. This commit also serves as the
public record of the typo so future readers don't repeat it.
 2026-05-23 22:26:56 +02:00
vikingowl d206b3cf09 docs: routing-prefer + startup-safety user docs, plan tier-shift note 
README:
- New "Preferring local vs cloud" subsection under "Routing
  defaults" — table of the three [router].prefer values, priority
  order against forced arm / incognito / Strengths, and the
  CLI-agent-counts-as-local clarification.
- New "Startup safety check" subsection under "Security" — tier
  table, [safety] config block, --dangerously-allow-anywhere flag,
  container detection note, link to the plan doc.

Plan doc (prefer-routing-policy):
- Approach section updated to describe the tier-shift mechanism
  that actually shipped, with a clear "Implementation note"
  explaining why the original score-multiplier approach was
  abandoned (cost-floor math gives local arms a ~280x raw-score
  advantage that any reasonable multiplier can't overcome).
- CLI-agent placement flipped from "non-local" to "local" with
  rationale — implementation chose user-facing behavior axis over
  the privacy axis the original draft used.
- Tier-shift rationale table replacing the multiplier rationale.
- P-3 task rewritten to reflect the actual implementation (checked
  off and pointing at the right code), with the policyMultiplier
  helper noted as a within-tier nudge of limited present effect.

The implementation-vs-plan deviation is now documented in both the
plan doc and the original feature commit message (f9094f6). Future
readers reach the same understanding via either path.
 2026-05-23 22:23:57 +02:00
vikingowl 3eeb5b46d7 feat(safety): pre-launch cwd classifier + context banner 
Implements S-1 through S-7 of the startup-safety-banner plan.

Adds a pre-launch safety check that classifies the current working
directory into three tiers and gates the launch:

  TierRefuse  /, /etc, /sys, /proc, /usr, /var, /bin, /sbin, /boot,
              /root, /dev (Linux) and /System, /Library, /private,
              /Applications (macOS). Refuses with exit 2 unless
              --dangerously-allow-anywhere is passed.

  TierWarn    $HOME, ~/Desktop, ~/Downloads, ~/Documents, ~/.config,
              ~/.local, ~/.cache, /tmp, and similar dumping grounds.
              Prints a banner and reads a single y/Y from stdin to
              confirm; any other input (or EOF, including piped/
              scripted invocation) aborts with exit 1.

  TierOK      Anywhere with a recognized project marker (.gnoma/,
              go.mod, package.json, pyproject.toml, Cargo.toml,
              Makefile, Dockerfile, build.gradle*, pom.xml) or
              inside a git repo. No prompt; banner only.

Project markers and git-repo presence override the TierWarn check —
a project dir inside $HOME stays TierOK. The require_project_marker
config knob can flip that for strict users.

Container detection: when /.dockerenv or /run/.containerenv exists,
TierRefuse downgrades to TierWarn (devcontainers often chroot to /
or similar). Best-effort; false positives only soften the gate.

The context banner is always rendered (TierOK, TierWarn, TierRefuse
alike) and summarizes: cwd, git branch + dirty state, project type,
provider/model, modes (permission, incognito, prefer), and a
top-level sensitive-file inventory. Inventory matches .env,
.env.*, env.local; private-key extensions (.pem, .key, .crt, .p12,
.pfx); SSH key names (id_rsa, id_ed25519, ...); credentials files;
.netrc / .pgpass; KeePass vaults; and .ssh/ .aws/ .kube/ .gcloud/
.azure/ .docker/ directories. Precision-tested: .envrc and
secret_handler.go do NOT match. Bounded at 1000 entries.

Architecture:
- internal/safety/cwd.go — Classification + symlink-resolving tier
  classifier with platform-specific roots and container detection.
- internal/safety/sensitive.go — pattern-based top-level scanner,
  deterministic ordering, scanLimit guard against pathological dirs.
- internal/safety/banner.go — pure render functions for the warn
  prefix, refuse message, and context banner. Safe for golden-string
  testing.
- internal/config/config.go — new [safety] section with three
  config keys, defaults applied via ResolvedSafety() helper. Pointer
  fields distinguish "user omitted" from "user set to false."
- cmd/gnoma/main.go — gate runs after subcommand dispatch (so
  `gnoma providers / profile / slm / router` skip the prompt) and
  before provider creation. --dangerously-allow-anywhere bypasses
  the gate with an explicit log warning.

The runtime keypress reads up to 8 bytes from os.Stdin and accepts
only "y" / "Y" trimmed; EOF returns false (piped invocations
without the flag will abort). Documented in the readYesConfirmation
helper. Manual smoke (per plan):
  - `cd / && gnoma -p test` → refuses
  - `cd ~ && gnoma` → warns + keypress
  - `cd ~/git/some-repo && gnoma` → banner only
  - subcommands skip the gate entirely

Linux + macOS classification; Windows path handling deferred per
plan (treated as TierOK there until follow-up).

Refs: docs/superpowers/plans/2026-05-23-startup-safety-banner.md
 2026-05-23 22:19:39 +02:00
vikingowl f9094f68f3 feat(router): [router].prefer = local | cloud | auto 
Implements P-1 through P-6 of the prefer-routing-policy plan.

Adds a config knob that biases routing toward local arms, cloud
arms, or leaves selection unchanged. Default "auto" is
byte-identical to pre-change behavior (the new armTier path with
PreferAuto returns the same value as the old single-arg function).

Mechanism diverged from the plan after empirical testing:

The plan called for a score multiplier applied in bestScored.
Tests revealed the existing cost-floor math (scoreArm divides by
weighted cost which collapses to ~0.001 for free local arms) gives
local arms a ~280x raw-score advantage that a 0.3-0.5 multiplier
can't overcome. A tier-shift in armTier turned out cleaner:

  PreferLocal: cloud arms (true API, IsLocal=false && !IsCLIAgent)
               get +2 tier shift, landing behind locals.
  PreferCloud: IsLocal arms get +2 tier shift, landing behind
               cloud. SLM tier-0 arms shift to tier 2 — still
               below cloud's tier 3 — so the SLM-protection
               semantic (small stuff stays on the small model)
               survives PreferCloud. This matches the open
               question in the plan, now resolved as: yes, SLMs
               keep winning under PreferCloud by design.

The policyMultiplier was kept in bestScored as a within-tier
nudge (mostly cosmetic in practice given the cost-floor dynamics
described above; could matter when costs are calibrated). Worth
revisiting once router-wide cost calibration lands.

Strengths cross-tier promotion is unaffected: the promoted-set
path in selectBest bypasses armTier entirely, so a strongly-tagged
cloud arm still wins SecurityReview tasks under PreferLocal
(validated by TestPreferPolicy_StrengthsBeatsMultiplier).

CLI-agent subprocess arms count as "local" for PreferLocal
purposes — they proxy to cloud but the user-visible behavior is
local. Users who want to exclude them can use --provider X.

Forced arms (--provider X) and incognito take priority over the
policy: forced arm test pins this, incognito-still-wins test pins
the LocalOnly hard filter dominating PreferCloud.

Test coverage (prefer_test.go): ParsePreferPolicy / String round
trips; policyMultiplier table; acceptance scenarios across all
three policies with adjacent-tier arms; SLM-still-wins under
PreferCloud; Strengths beats multiplier; forced-arm bypass;
incognito beats prefer; lone cloud arm wins when no local feasible.

Refs: docs/superpowers/plans/2026-05-23-prefer-routing-policy.md
 2026-05-23 22:13:26 +02:00
vikingowl 162c8b1017 docs(plans): prefer-routing-policy and startup-safety-banner 
Two parallel pre-flight plans surfaced in the 2026-05-23 session,
both deferred while the routing-defaults-refresh implementation
landed. Drafted as separate plans because they're independent:
the prefer-policy is a router scoring change; the safety banner is
a launch-time check that never touches the router.

prefer-routing-policy
  [router].prefer = "local" | "cloud" | "auto" — soft score
  multiplier (0.3 / 0.5 / 1.0) biasing toward local or cloud arms
  while preserving Strengths cross-tier promotion and bandit
  learning. Default "auto" is byte-identical to current behavior.
  Forced arms and incognito retain priority. CLI-agent subprocess
  arms count as non-local for this knob (they proxy to cloud).

startup-safety-banner
  Three-tier cwd classification at launch — refuse in /etc /sys
  and other system roots; warn+keypress in $HOME, /tmp, ~/Desktop,
  ~/Downloads; OK inside any git repo or directory with a project
  marker (.gnoma/, go.mod, package.json, etc.). Always shows a
  context banner with cwd, git state, model, modes, and a
  top-level sensitive-file inventory (.env, id_rsa, *.pem, .ssh/,
  etc. — informational only, no recursion, capped at 1000 entries).
  Bypass via --dangerously-allow-anywhere. Complements the in-flight
  sensitive-content unified-policy TODO item: this is the pre-flight
  layer, that is the runtime input-path layer.

Both plans default-on with safe defaults; both have explicit
out-of-scope sections to prevent scope creep during implementation.
Linux + macOS first; Windows path classification deferred.

TODO.md surfaces both as in-flight.
 2026-05-23 22:00:21 +02:00
vikingowl c99b2c64ad docs(readme): document routing defaults table and [[arms]] overrides 
Closes R-8 of the routing-defaults plan. Adds a new "Routing
defaults" section between Config and SLM that documents what arms
ship with out-of-the-box — the family-keyed Strengths /
MaxComplexity / CostWeight matrix plus the non-chat exclude list.

Also introduces the [[arms]] override block in the README for the
first time (previously undocumented), showing how users keep
priority over the defaults.

Links back to the plan doc for the benchmark sources and per-entry
rationale.
 2026-05-23 21:42:05 +02:00
vikingowl 2f8d4c412f feat(router): cloud-arm defaults, gpt-5.3-codex registration 
Closes R-4 and R-5 of the routing-defaults plan.

R-4: Strengths + CostWeight defaults for closed frontier models.
Cloud entries land in the same knownFamilyDefaults table as local
ones, with MaxComplexity intentionally left zero (cloud arms get
no complexity ceiling). CostWeight tuned per the plan's rationale:

  claude-opus-4-7    → Planning/SecurityReview/Debug/Refactor, 0.3
  claude-sonnet-4-6  → Generation/Refactor/Review,             0.7
  gpt-5.5            → Planning/SecurityReview/Generation,     0.3
  gpt-5.3-codex      → Generation/Refactor/Debug/UnitTest,     0.6
  gpt-5.2            → Orchestration/Review,                   0.8
  gemini-3.1-pro     → Planning/Review/Orchestration,          0.5
  gemini-3.5-flash   → Boilerplate/Explain/Orchestration,      1.2

The 0.3 weight on frontier arms keeps them competitive on
SecurityReview / Planning despite $4+/Mtok; 1.2 on Gemini Flash
penalizes cost more so it only wins when cost is genuinely
decisive (boilerplate, explain).

Mechanism: extracted applyFamilyDefaults into defaults.go and call
it from Router.RegisterArm. Single source of truth — both local
discovery and the primary-provider path in cmd/gnoma/main.go now
flow through the same defaults application. Removed the duplicate
apply block from RegisterDiscoveredModels.

Legacy model IDs (claude-opus-4-20250514, gpt-4o, o3, gemini-2.5-pro,
etc.) intentionally do not match any table entry — keeps users on
pinned older models safe from imposed 2026 Strengths.

R-5: gpt-5.3-codex registration.

  - internal/provider/openai/provider.go: added to fallbackModels
    and inferOpenAIModelCapabilities (400K context, 32K output).
  - internal/provider/ratelimits.go: gpt-5.3-codex and its dated
    alias gpt-5.3-codex-2026-02-15 added with the same Tier 1
    quotas as gpt-5.2.

Gemini 3.x (3.1-pro-preview, 3.5-flash, 3.1-flash-lite) was already
registered in both google/provider.go and ratelimits.go — no change
needed for that part of R-5.

Test coverage:
- ResolveFamilyDefaults table-driven across all 7 cloud entries
  including prefix-sharing (gpt-5.5-pro → gpt-5.5 defaults,
  gemini-3.1-pro-preview → gemini-3.1-pro defaults).
- Legacy IDs return !ok.
- RegisterArm applies cloud defaults end-to-end.
- User-supplied Strengths and CostWeight are not overridden.
- ID.Model() fallback works when ModelName is empty (test code
  often constructs arms this way).

Refs: docs/superpowers/plans/2026-05-23-routing-defaults-refresh.md
 2026-05-23 21:39:48 +02:00
vikingowl 9bb775a4aa feat(router): full local family defaults table with size-keyed ceilings 
Expands the family-defaults scaffold to 23 entries covering the local
models that currently appear in real Ollama fleets: coder specialists
(qwen3-coder, devstral, qwen2.5-coder, yi-coder, deepseek-coder,
starcoder), reasoners (phi-4, phi-4-mini), Gemma 2/3/4 (including the
"edge" e2b/e4b variants under both Ollama and GGUF naming), Qwen
2.5/3/3.5 with a catch-all qwen entry, Mistral/Ministral (incl. the
24B mistral-small-3), Llama 3.2/4, tiny3.5 (reec's distill family),
Granite, GLM (incl. glm-ocr specialist), and MiniCPM-V.

Five families that span wide parameter ranges (qwen3.5, qwen3,
qwen2.5, ministral-3, tiny3.5) now use SizeCap ladders instead of a
flat MaxComplexity. A new parseSizeFromModelID helper splits the
model ID on :/-_/ and matches pure <N>b/<N>m tokens, correctly
ignoring qwen3.5 version strings, e2b edge tags, a3b MoE active
params, and v0.3 version suffixes.

ResolveMaxComplexity wraps ResolveFamilyDefaults plus the SizeCap
traversal, falling back to the smallest cap when size parsing fails
(conservative). Discovery's apply path now goes through it so
SizeCap entries actually take effect.

Test coverage:
- parseSizeFromModelID (11 cases)
- ResolveFamilyDefaults longest-prefix discipline (19 cases)
- Unknown-family fallback returns !ok
- ResolveMaxComplexity size-keyed ladder (13 cases)
- Size-parse-failure fallback
- knownFamilyDefaults invariants: SizeCaps ordered largest-first,
  SizeCaps and MaxComplexity mutually exclusive per entry
- Routing-payoff integration: 3 arms (tiny3.5:1.5b, phi-4:14b,
  qwen3-coder:30b) get picked for TaskGeneration / TaskPlanning /
  TaskBoilerplate respectively, without any [[arms]] config
- Local fleet visibility: the maintainer's actual `ollama ls`
  inventory registers correctly with expected MaxComplexity and
  Strengths; embeddinggemma stays filtered out

The Planning sub-case surfaced a separate issue worth flagging:
heuristicQuality floors out at 0.55 for a generic 14B local model
without ThinkingModes, below TaskPlanning's 0.60 threshold. The test
mutates phi-4's capabilities post-registration to reflect reality
(phi-4 is reasoning-tuned). A discovery-side thinking-capability
detection is out of scope for this plan but flagged in the test
comment for follow-up.

Refs: docs/superpowers/plans/2026-05-23-routing-defaults-refresh.md
 2026-05-23 21:34:09 +02:00
vikingowl a79e99199d feat(router): non-chat exclude, vision prefixes, family-defaults scaffold 
Discovery previously registered every model returned by Ollama as a
chat arm, including embeddings, ASR, TTS, audio realtime, and
rerankers — which then failed at inference time when the router
selected them. Local arms also shipped with all-zero defaults, so
selection between e.g. tiny3.5:1.5b, phi-4:14b, and qwen3-coder:30b
was effectively random.

This change covers tasks R-1, R-2, R-6 from the routing-defaults plan.

- nonChatModelPatterns + isNonChatModel substring matcher; matched
  IDs are skipped during RegisterDiscoveredModels. Covers whisper,
  moonshine, kokoros, vibevoice, -asr, -tts, -audio, -embedding,
  embeddinggemma, -reranker, lfm2.
- knownVisionModelPrefixes gains gemma4, gemma-4, glm-ocr. gemma3
  and minicpm-v entries stay for regression coverage.
- New internal/router/defaults.go with FamilyDefaults struct,
  knownFamilyDefaults map, and ResolveFamilyDefaults longest-prefix
  lookup (with org/-namespace stripping so reecdev/tiny3.5:1.5b
  resolves to "tiny3.5"). Single entry for now: functiongemma is
  registered with Disabled=true and MaxComplexity=0.40, reserved for
  the future ArmRoleToolRouter path. Table will grow in R-3.
- RegisterDiscoveredModels consults ResolveFamilyDefaults and only
  populates fields that are still zero on the arm, so user [[arms]]
  overrides keep priority.

Plans:
- docs/superpowers/plans/2026-05-23-routing-defaults-refresh.md
- docs/superpowers/plans/2026-05-23-tool-router-specialization.md

TODO.md surfaces both as in-flight items.
 2026-05-23 21:24:59 +02:00
vikingowl 1606d19366 feat(subprocess/codex): account for cached and reasoning tokens 
codex 0.133.0 emits two token-accounting fields at top level that
we previously dropped:

  cached_input_tokens   — subset of input_tokens that hit the prompt
                          cache (cheaper, but still counted in
                          input_tokens per OpenAI Responses API
                          semantics)
  reasoning_output_tokens — separately reported billable thinking
                          tokens on reasoning-capable models

Map cached_input_tokens to message.Usage.CacheReadTokens and subtract
it from InputTokens. message.Usage.Add() sums InputTokens and
CacheReadTokens as peers, so the uncached residual goes in
InputTokens — matches the anthropic provider's convention and keeps
cumulative usage tracking arithmetically correct.

Fold reasoning_output_tokens into OutputTokens for accurate cost
tracking. The top-level peer positioning (vs nested in
output_tokens_details) implies a separately counted billable
quantity, not a subset of output_tokens.

Defensive clamp at zero in case a future codex build reports
cached > input due to schema drift. Includes a verbatim regression
guard against the live 2026-05-22 codex 0.133.0 output to catch
schema changes early.
 2026-05-22 13:35:57 +02:00
vikingowl fe24907ce5 docs(readme): refresh post-v0.2.1 with badges and v0.2.x features 
- Add for-the-badge style shields (release, license, Go 1.26+, GHCR)
- Drop the "until the first tag is cut" line that's been stale since
  v0.1.0 shipped on 2026-05-20
- Add a Vision / image input section covering Ctrl+V paste, literal
  [Image: /path] markers, the 10 MiB cap, the incognito carve-out,
  and the router's Vision capability gating
- Add a Subprocess sandbox bypass subsection under Providers
  documenting GNOMA_AGY_BYPASS_PERMISSIONS and
  GNOMA_CODEX_BYPASS_SANDBOX as deliberate footguns
- Add an Entropy false-positive reduction subsection under Security
  showing the [security].entropy_safelist opt-in (Phase F-1) and
  noting the per-pattern Debug telemetry that feeds F-2 gating
 2026-05-22 13:21:31 +02:00
vikingowl 847ec159d7 chore(deps): promote cloud.google.com/go/auth and atotto/clipboard to direct 
go mod tidy (triggered by GoReleaser's before hook) correctly
promoted both modules from indirect to direct: cloud.google.com/go/auth
is imported by internal/provider/google for the ADC credential
walk, and github.com/atotto/clipboard is imported by internal/tui
for image-paste handling. Listing them as direct reflects actual
usage and prevents tooling from suggesting their removal.
 2026-05-22 13:06:36 +02:00
vikingowl 9ceddd39c1 chore(todo): track dockers_v2 migration under distribution follow-ups 
GoReleaser is phasing out the dockers + docker_manifests pair in
favour of dockers_v2, which collapses our four-block setup into
one. The migration also touches Dockerfile (per-platform binary
layout in the build context), so it's worth scheduling as its own
commit rather than a release-time rush.
 2026-05-22 13:06:24 +02:00
48 changed files with 5904 additions and 132 deletions
Expand all files Collapse all files
.env.example
+13 -2
View File
@@ -1,4 +1,15 @@
MISTRAL_API_KEY="asd**"
ANTHROPICS_API_KEY="sk-ant-**"
# --- LLM provider keys (set at least one) ---
ANTHROPIC_API_KEY="sk-ant-**"
OPENAI_API_KEY="sk-proj-**"
GEMINI_API_KEY="AIza**"
# Alternative to GEMINI_API_KEY (either is accepted)
# GOOGLE_API_KEY="AIza**"
MISTRAL_API_KEY="**"
# --- Optional overrides (config can also set these) ---
# GNOMA_PROVIDER="anthropic"
# GNOMA_MODEL="claude-sonnet-4-6"
# --- Subprocess sandbox bypass (footguns — set deliberately) ---
# GNOMA_AGY_BYPASS_PERMISSIONS=1
# GNOMA_CODEX_BYPASS_SANDBOX=1
.github/workflows/release.yml
+68
View File
@@ -0,0 +1,68 @@
# Release workflow — runs when a vX.Y.Z tag is pushed (including mirror
# pushes from somegit.dev). Drives GoReleaser to publish:
# - static binaries (linux/darwin/windows × amd64/arm64) + checksums
# + autogenerated changelog to the GitHub releases page
# - multi-arch container images to ghcr.io/vikingowl91/gnoma
#
# GITHUB_TOKEN is provided automatically by GitHub Actions and already
# carries packages:write thanks to the permissions block, so no PAT is
# needed for either the release upload or the ghcr.io push.
#
# Security note: this workflow does not interpolate any untrusted
# context (commit messages, PR titles, issue bodies) into shell commands.
# All ${{ ... }} references live in with: / env: blocks, which are
# safely passed as strings rather than evaluated as shell.
name: Release
on:
push:
tags:
- "v*"
permissions:
contents: write
packages: write
jobs:
release:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: "1.26"
- name: Setup QEMU
uses: docker/setup-qemu-action@v3
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Test
run: go test ./...
- name: GoReleaser
uses: goreleaser/goreleaser-action@v6
with:
version: latest
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Force GoReleaser to use the triggering tag rather than fall
# back to `git describe` — which can resolve to an older tag
# (e.g., a vX.Y.Z-rc tag) when multiple tags point at the same
# commit. Surfaced as the v0.3.1 release failure on 2026-05-24.
GORELEASER_CURRENT_TAG: ${{ github.ref_name }}
.goreleaser.yml
+9 -3
View File
@@ -37,9 +37,12 @@ changelog:
sort: asc
filters:
exclude:
- "^docs:"
- "^test:"
- "^chore:"
# Match both bare and scoped conventional commits, e.g. both
# "docs:" and "docs(readme):" should be excluded.
- "^docs[:(]"
- "^test[:(]"
- "^chore[:(]"
- "^style[:(]"
# Multi-arch Docker images published to GitHub Container Registry.
# Build host needs Docker buildx and a `docker login ghcr.io` for the
@@ -98,3 +101,6 @@ release:
github:
owner: VikingOwl91
name: gnoma
# Auto-detect prereleases from semver: tags with -rc, -beta, -alpha,
# -pre, etc. suffix get marked as prerelease on GitHub.
prerelease: auto
CLAUDE.md
+50 -10
View File
@@ -5,20 +5,60 @@ Provider-agnostic agentic coding assistant in Go 1.26.
Named after the northern pygmy-owl (Glaucidium gnoma).
Agents are called "elfs" (elf owl).
## Module
`somegit.dev/Owlibou/gnoma`
## Module & repo layout
- Module: `somegit.dev/Owlibou/gnoma`
- Upstream (primary, accepts PRs): <https://somegit.dev/Owlibou/gnoma>
- GitHub mirror (read-only): <https://github.com/VikingOwl91/gnoma>
PRs go to the upstream Gitea instance, not GitHub. The GitHub side is a
push mirror — direct pushes to `main`/`dev` there will be rejected by the
ruleset.
## Big picture (read this before diving in)
Single static Go binary. Request flow:
1. `cmd/gnoma` parses flags, picks TUI vs pipe mode, builds the session.
2. `internal/session` owns one chat lifecycle; `internal/engine` runs the
agentic loop (stream → tool calls → re-query → until done).
3. `internal/router` picks the arm per prompt: multi-armed bandit over
provider adapters in `internal/provider/{anthropic,openai,google,mistral,openaicompat}`,
tiered SLM (`internal/slm`) → CLI-agent subprocess → local → cloud,
with `Strengths` + `MaxComplexity` + `CostWeight` shaping selection.
4. `internal/security` is the safety boundary: SafeProvider wrapping,
firewall (network egress), secret scanner, redaction, incognito mode.
`internal/safety` is separate — it's the pre-launch CWD classifier.
5. `internal/tool` is the local-action boundary; `internal/permission`
gates every tool call.
6. Extensibility surfaces: `internal/hook`, `internal/skill`,
`internal/mcp` (JSON-RPC over stdio), `internal/plugin` (TOFU-pinned).
Discriminated unions (struct + type discriminant) are the project's
chosen way to model variants — see `internal/message` and
`internal/stream`. Don't reach for interfaces when a discriminant fits.
Full essentials (vision, domain model, ADRs, process flows):
`docs/essentials/INDEX.md`. **Read INDEX.md before changing
architectural boundaries or adding new packages.** Note: INDEX
predates `internal/safety` and `internal/slm` — cross-check the actual
tree.
## Build & Test
```sh
make build # build binary to ./bin/gnoma
make test # run all tests
make lint # run golangci-lint
make cover # test with coverage report
```
make build # ./bin/gnoma
make test # unit tests
make test-integration # //go:build integration — needs real API keys
make lint # golangci-lint run ./...
make check # fmt + vet + lint + test — canonical pre-commit gate
make cover # coverage.html
## Project Essentials
Project architecture, domain model, and design decisions: `docs/essentials/INDEX.md`
Read INDEX.md before making architectural changes or adding new system boundaries.
# Run a single test / package
go test -run TestRouterSelect ./internal/router/
go test -v ./internal/router/
# Benchmarks
go test -bench=. ./internal/router/
```
## Conventions
Makefile
+12 -2
View File
@@ -1,4 +1,4 @@
.PHONY: build run check install test lint cover clean fmt vet
.PHONY: build run check install test lint cover clean fmt vet vuln sec
BINARY := gnoma
BINDIR := ./bin
@@ -10,7 +10,7 @@ build:
run: build
$(BINDIR)/$(BINARY)
check: fmt vet lint test
check: fmt vet lint test vuln sec
@echo "All checks passed!"
install:
@@ -43,3 +43,13 @@ clean:
tidy:
go mod tidy
# Reachability-checked dependency vuln scan against the Go vuln DB.
# Install: go install golang.org/x/vuln/cmd/govulncheck@latest
vuln:
govulncheck ./...
# Static security analysis via Semgrep (Go ruleset + security-audit).
# Install: pip install semgrep (or: brew install semgrep)
sec:
semgrep --config=p/golang --config=p/security-audit --metrics=off --error .
README.md
+270 -10
View File
@@ -1,15 +1,74 @@
# gnoma
[![Release](https://img.shields.io/github/v/release/VikingOwl91/gnoma?style=for-the-badge&logo=go&logoColor=white&color=00ADD8)](https://github.com/VikingOwl91/gnoma/releases)
[![License](https://img.shields.io/badge/license-Apache%202.0-blue?style=for-the-badge)](LICENSE)
[![Go](https://img.shields.io/badge/go-1.26%2B-00ADD8?style=for-the-badge&logo=go&logoColor=white)](go.mod)
[![Container](https://img.shields.io/badge/ghcr.io-vikingowl91%2Fgnoma-2496ED?style=for-the-badge&logo=docker&logoColor=white)](https://github.com/VikingOwl91/gnoma/pkgs/container/gnoma)
**A provider-agnostic agentic coding assistant in Go.** gnoma routes each prompt
to the best available model — cloud or local — through a multi-armed bandit
router, executes tools on your behalf, and stays extensible through hooks,
skills, MCP servers, and plugins.
Named after the northern pygmy-owl (*Glaucidium gnoma*); agents are called
**elfs** (elf owl).
![gnoma TUI showing a routed turn](docs/img/gnoma-tui.png)
- **Upstream:** <https://somegit.dev/Owlibou/gnoma>
- **GitHub mirror:** <https://github.com/VikingOwl91/gnoma>
*Every turn shows which arm the router picked and why — here a local
`qwen3:14b` was selected for a `generation` task.*
## What makes gnoma different
- **Multi-armed bandit router.** Per-prompt arm selection based on
capability gates, declared `Strengths`, latency, and cost. Visible in
the TUI on every turn — no black box.
- **`[router].prefer = local | cloud | auto`.** Pin routing toward local
models, cloud, or let the bandit decide. Offline-first workflows still
reach for Claude when the local model would obviously flail.
- **Tier-0 SLM routing.** A tiny local model classifies each prompt and
handles trivial tasks itself, keeping the heavy provider for real work.
- **Content boundary + secret scanner.** Every outgoing LLM message
and incoming tool result is scanned for secrets (regex + Shannon
entropy on long tokens), redacted or blocked at the content level.
Paths are canonicalised (TOCTOU-safe), Unicode is sanitized
(homoglyphs, BiDi tricks), and a `SafeProvider` boundary keeps
incognito-mode data out of long-lived stores. *(Per-host network
egress allowlist is on the roadmap, not in place today.)*
- **No phone-home.** gnoma itself sends nothing off-machine — zero
analytics endpoint, zero metrics service, no remote logging.
Prompts of course go to whatever provider you route them to:
cloud arms ship data to that provider by design; pair
Ollama/llama.cpp with `--incognito` if you want everything
on-device.
- **Provider-agnostic from day one.** Anthropic, OpenAI, Google, Mistral,
Ollama, llama.cpp, plus subprocess CLIs (`claude`, `codex`, `agy`,
`vibe`). Mix cloud and local in the same session.
- **Vision end-to-end.** `[Image: /path]` markers in prompts, `Ctrl+V`
paste in the TUI, capability-gated per arm.
- **Single static binary.** `CGO_ENABLED=0`, multi-arch container on
ghcr.io. No daemon, no runtime deps.
## Status
Pre-1.0 (current: **v0.3.0**). Single maintainer, breaking changes
possible. The provider, router, and engine surfaces are settling;
config schema and TUI bindings may still shift between minor versions.
Apache 2.0.
## Table of contents
- [Install](#install)
- [Quickstart](#quickstart)
- [Vision / image input](#vision--image-input)
- [Providers](#providers)
- [Config](#config)
- [Routing defaults](#routing-defaults)
- [SLM routing](#slm-small-language-model-routing)
- [Session persistence](#session-persistence)
- [Extensibility](#extensibility)
- [Subcommands](#subcommands)
- [Security](#security)
- [Development](#development)
- [About](#about)
- [License](#license)
---
@@ -19,9 +78,7 @@ Named after the northern pygmy-owl (*Glaucidium gnoma*); agents are called
Releases are built by [GoReleaser](.goreleaser.yml) for
`linux`, `darwin`, and `windows` × `amd64`/`arm64` as static (`CGO_ENABLED=0`)
archives. Until the first tag is cut, see "Build from source" below.
Once releases are published, grab the archive matching your OS/arch from
archives. Grab the one matching your OS/arch from
<https://github.com/VikingOwl91/gnoma/releases>:
```sh
@@ -85,6 +142,27 @@ learning); `/help` lists slash commands; `Esc` cancels an in-flight turn.
---
## Vision / image input
`Ctrl+V` in the TUI pastes a screenshot from the system clipboard:
gnoma writes the bytes to your user cache and inserts a
`[Pasted image #imgN]` placeholder, which expands to `[Image: /path]`
when the turn is sent. You can also type a literal `[Image: /path]`
marker anywhere in a prompt to reference an existing file:
```
explain this error [Image: /tmp/screen.png] — what's the root cause?
```
Image markers are parsed by the engine, files larger than 10 MiB are
skipped (the marker stays as plain text), and the router only routes
vision-tagged turns to arms that declare the `Vision` capability
(Anthropic, OpenAI, Google, and Ollama models that advertise
multimodal support). Image paste is disabled under `--incognito` to
honour the no-persistence contract.
---
## Providers
| Provider | Env var | Default model | Also available |
@@ -109,6 +187,19 @@ gnoma --provider llamacpp # model picked from server
`gnoma providers` prints every discovered provider, model, and CLI agent.
**Subprocess sandbox bypass.** The `agy` and `codex` CLIs each run with
their respective sandboxes enabled by default. Two env vars exist for the
rare case where a sandbox blocks legitimate work (e.g., reading files
outside the project root):
| Env var | Effect |
|---|---|
| `GNOMA_AGY_BYPASS_PERMISSIONS=1` | Skip agy's permission prompts |
| `GNOMA_CODEX_BYPASS_SANDBOX=1` | Disable codex's filesystem sandbox |
These are footguns — set them deliberately, per-invocation. They do not
disable gnoma's own permission system, hooks, or firewall.
### Local models
Start your local server, then point gnoma at it:
@@ -172,6 +263,96 @@ quality data and session history. Full details: [docs/profiles.md](docs/profiles
---
## Routing defaults
Discovered arms ship with opinionated defaults — `Strengths` (per-task
preference) and `MaxComplexity` (ceiling above which the arm won't be
picked) — so a freshly-pulled fleet routes sensibly without any
`[[arms]]` config. Defaults match against the model ID with
longest-prefix-wins; size-keyed families (Qwen 3, Ministral 3, tiny3.5,
etc.) scale `MaxComplexity` down for smaller variants automatically.
Non-chat models (`embeddinggemma`, `whisper-base`, `kokoros`,
`vibevoice`, `*-asr`, `*-tts`, `*-audio`, `*-reranker`,
`*-embedding`) are skipped during discovery so they never register
as broken chat arms.
| Local family | Strengths | MaxComplexity |
|---|---|---|
| `qwen3-coder` / `devstral` | Generation, Refactor, Debug | 0.85 |
| `qwen2.5-coder` | Generation, Refactor, UnitTest | 0.70 |
| `phi-4` | Planning, Debug, Review | 0.65 |
| `gemma4` (base ~9B) | Explain, Review, Generation | 0.70 |
| `gemma4-e` / `gemma-4-e` (edge 2B4B) | Explain, Boilerplate | 0.45 |
| `mistral-small-3` | Orchestration, Review | 0.65 |
| `qwen3` | Generation, Refactor, Debug | 0.500.75 (size-keyed) |
| `qwen3.5` | Boilerplate, Explain, Orchestration | 0.400.65 |
| `ministral-3` | Orchestration, Planning | 0.350.70 |
| `tiny3.5` | Boilerplate, Explain | 0.200.30 |
| `phi-4-mini` / `llama3.2` / `granite` | Boilerplate, Explain | 0.300.35 |
| `functiongemma` | (Disabled — reserved for tool-router role) | 0.40 |
| Cloud model | Strengths | CostWeight |
|---|---|---|
| `claude-opus-4-7` | Planning, SecurityReview, Debug, Refactor | 0.3 |
| `claude-sonnet-4-6` | Generation, Refactor, Review | 0.7 |
| `gpt-5.5` | Planning, SecurityReview, Generation | 0.3 |
| `gpt-5.3-codex` | Generation, Refactor, Debug, UnitTest | 0.6 |
| `gpt-5.2` | Orchestration, Review | 0.8 |
| `gemini-3.1-pro` | Planning, Review, Orchestration | 0.5 |
| `gemini-3.5-flash` | Boilerplate, Explain, Orchestration | 1.2 |
`CostWeight` scales how much $/Mtok matters in scoring: values below
1.0 keep expensive frontier arms competitive on high-stakes tasks
(Planning, SecurityReview); values above 1.0 penalize cost more so
cheap fast arms only win when cost is genuinely decisive.
### Overriding the defaults
Drop an `[[arms]]` block in `config.toml` to override per-arm
`Strengths` or `CostWeight`. User values win — defaults only fill
zero fields:
```toml
[[arms]]
id = "anthropic/claude-opus-4-7"
strengths = ["security_review", "planning", "debug"]
cost_weight = 0.2 # weight cost even less than the default 0.3
[[arms]]
id = "ollama/qwen3-coder:30b"
strengths = ["generation", "refactor"]
```
Full rationale and benchmark sources behind these defaults:
[`docs/superpowers/plans/2026-05-23-routing-defaults-refresh.md`](docs/superpowers/plans/2026-05-23-routing-defaults-refresh.md).
### Preferring local vs cloud
`[router].prefer` biases routing toward one camp without hard-filtering
the other:
```toml
[router]
prefer = "auto" # auto (default) | local | cloud
```
| Value | Effect |
|---|---|
| `"auto"` | No bias. Tier order (SLM → CLI-agent → local → cloud) decides, with Strengths and quality scores breaking ties. Default. |
| `"local"` | Cloud arms are demoted by 2 tiers. Local + CLI-agent arms always win unless no local option is feasible. |
| `"cloud"` | Local arms are demoted by 2 tiers. Cloud arms win, **except** for tier-0 SLMs — a small specialist arm whose `MaxComplexity` ceiling fits the task still wins, by design (the SLM is for small stuff). |
Three things still take priority over `prefer`:
- `--provider X` pins the forced arm.
- Incognito (`Ctrl+X` or `--incognito`) hard-filters cloud arms — `prefer = "cloud"` under incognito still picks a local arm.
- A `Strengths`-tagged arm always wins its tagged task type, regardless of `prefer`. Tag Opus with `[security_review]` under `prefer = "local"` and Opus still wins SecurityReview tasks.
CLI-agent subprocess arms (`claude`, `gemini`, `vibe`) count as **local** for this knob — they proxy to cloud but run as local processes. Use `--provider <name>` if you need to pin a specific subprocess.
---
## SLM (small-language-model) routing
gnoma can run a tiny local model alongside the main provider to:
@@ -291,9 +472,79 @@ built-in batching skill.
gnoma runs tools and shell commands on your behalf. The
[`internal/security`](internal/security) package canonicalises every path
(TOCTOU-safe), gates network access through a configurable firewall, and
scans tool output for secrets before it ever reaches the model. The
`SafeProvider` boundary keeps incognito-mode data out of long-lived stores.
(TOCTOU-safe), scans every outgoing LLM message and incoming tool result
for secrets (regex + Shannon entropy) before it reaches the model, and
sanitizes Unicode (homoglyphs, BiDi tricks). The `SafeProvider` boundary
keeps incognito-mode data out of long-lived stores.
> **Scope note.** The current "firewall" is a content boundary — it
> redacts/blocks secrets in inputs and outputs. It is **not** a
> network-egress firewall: outgoing HTTP from tools and providers goes
> through stock `http.Client`, with no per-host allowlist or
> dial-layer enforcement. Per-host egress rules and a per-session
> audit log of blocked/redacted events are tracked in
> [TODO.md](TODO.md).
>
> **Data flow.** gnoma itself emits no telemetry to external services
> — no analytics, no metrics endpoint, no remote logging. When you
> route to a cloud provider (Anthropic, OpenAI, Google, Mistral),
> prompts and tool data are sent to that provider as required to
> fulfill the request — by design. For fully on-device operation,
> use Ollama or llama.cpp and `--incognito`.
### Entropy false-positive reduction
The secret scanner also computes Shannon entropy on long unstructured
tokens to catch unknown-format secrets. Under a lowered threshold or
`redact_high_entropy = true`, this can fire on shapes that are never
secrets (UUIDs, SHA digests, ISO-8601 timestamps, URLs). Opt into the
format-aware safelist to skip them:
```toml
[security]
entropy_threshold = 3.5
redact_high_entropy = true
entropy_safelist = ["uuid", "sha_hex", "iso8601", "url"]
```
Default is an empty list — pre-safelist behaviour. Skips are logged
(`Debug`-level, per pattern, token length only — never the bytes) so the
real false-positive rate is measurable on real workloads.
### Startup safety check
gnoma classifies the current working directory before launch and
refuses, warns, or allows based on tier:
| Tier | What | Behavior |
|---|---|---|
| **Refuse** | `/`, `/etc`, `/sys`, `/proc`, `/usr`, `/var`, `/bin`, `/sbin`, `/boot`, `/root`, `/dev` (and macOS equivalents `/System`, `/Library`, `/private`, `/Applications`) | Refuses to start. Exit code 2. |
| **Warn** | `$HOME`, `~/Desktop`, `~/Downloads`, `~/Documents`, `~/.config`, `~/.local`, `~/.cache`, `/tmp` | Prints a warning banner and waits for `y` keypress to continue. Anything else (including piped EOF) aborts with exit 1. |
| **OK** | Anywhere with a project marker (`.gnoma/`, `go.mod`, `package.json`, `pyproject.toml`, `Cargo.toml`, `Makefile`, `Dockerfile`, `build.gradle`, `pom.xml`) or inside a git repo | No prompt. |
A project marker anywhere — including inside `$HOME` — promotes the
directory to OK. The banner is shown for every tier and summarizes
cwd, git branch, project type, provider, model, modes, and a
top-level sensitive-file inventory (`.env`, SSH keys, `*.pem`,
`.ssh/`, `.aws/`, etc.).
```toml
[safety]
refuse_in_system_dirs = true # default
warn_in_home = true # default
require_project_marker = false # default — being inside a git repo is enough
```
Bypass all safety checks with `--dangerously-allow-anywhere`. Required
for non-interactive invocations (piped stdin, CI) in warn-tier dirs,
since there's no human present to consent.
Containers (`/.dockerenv` or `/run/.containerenv` present) automatically
downgrade refuse-tier paths to warn-tier — devcontainers commonly run
from `/` or `/workspace`.
Full design:
[`docs/superpowers/plans/2026-05-23-startup-safety-banner.md`](docs/superpowers/plans/2026-05-23-startup-safety-banner.md).
Architecture references:
@@ -317,6 +568,15 @@ Architecture, conventions, and TDD workflow: [CONTRIBUTING.md](CONTRIBUTING.md).
---
## About
Named after the northern pygmy-owl (*Glaucidium gnoma*); agents are called
**elfs** (elf owl).
- **Upstream:** <https://somegit.dev/Owlibou/gnoma>
- **GitHub mirror:** <https://github.com/VikingOwl91/gnoma> (read-only;
PRs go to upstream Gitea)
## License
Apache License 2.0. See [LICENSE](LICENSE) and [NOTICE](NOTICE).
TODO.md
+188 -3
View File
@@ -4,6 +4,180 @@ Active work, newest first.
## In flight
- **Config write/merge — silent corruption of layered configs.**
`internal/config/write.go:setConfig` reads the existing TOML into a
zero-valued `Config` struct, sets one field, and writes the entire
struct back out — so every untouched field gets serialized at its
Go zero value (empty strings, zero ints, `false` bools). On the
next load, those explicit zeros overwrite higher-priority layers
via `toml.Decode`'s "present field beats absent field" semantics.
Concrete symptom (2026-05-24): user's `~/.config/gnoma/config.toml`
had `[router].prefer = "cloud"` but the project-level
`.gnoma/config.toml` had `prefer = ""` (generated by an earlier
`gnoma config set ...` call), which silently downgraded the
effective policy to `auto` — visible only via the new `/router`
TUI command, with no warning.
Same root cause is responsible for the zero-spammed global config
the same user has (`max_tokens = 0`, `permission.mode = ""`,
`bash_timeout = 0`, etc.) — all overwriting sensible defaults.
**Fix surface (multi-part, plan-worthy):**
1. **Stop generating zero-spam.** Two options:
- Tag struct fields with `,omitempty` so the BurntSushi encoder
skips zero values. Caveat: conflates "unset" with "explicitly
zero" for primitive types (a user who wants `max_keep = 0`
loses it). Safe for strings/maps/slices where empty is never
user-intent; lossy for numeric fields.
- Switch to `pelletier/go-toml/v2` and use its document model
to edit only the targeted key, preserving everything else
byte-for-byte. Cleaner semantics, bigger refactor.
- Hybrid: omitempty on string/map/slice fields, document-level
edit for numerics. Fastest path that doesn't lose intent.
2. **`gnoma doctor` — read-only diagnostic.** Scans both global
and project configs and reports:
- Zero-spam fields that would silently shadow defaults or
upstream layers.
- Invalid enum values (e.g. `permission.mode = ""`).
- Unknown / removed keys from older schema versions.
- Effective-merged values (so the user sees what gnoma will
actually use after layering). No writes. Exits non-zero on
findings so it's CI-friendly.
3. **`gnoma upgrade-config` — active migration.** For each config
file (global, profiles, project):
- Compute the cleaned form (only fields the user actually set,
dropping zeros that match defaults).
- Write the original to `<path>.bak` with timestamp suffix.
- Write the cleaned form to the original path.
- Print a diff of what changed so the user can verify.
4. **Project-level auto-migration on startup.** If gnoma detects
a zero-spammed project `.gnoma/config.toml` at launch:
- Auto-run the upgrade (project-only, never auto-touch the
global config).
- Write `.gnoma/config.toml.bak-YYYY-MM-DD-HHMMSS`.
- Surface a one-line notice in the startup safety banner:
`config: migrated .gnoma/config.toml (see .bak)`.
- The auto-migration is non-destructive (`.bak` preserves
original) but still gated behind a `[config].auto_migrate`
toggle, defaulting to `true`. Global configs require
explicit `gnoma upgrade-config`.
5. **Project registry** (`~/.config/gnoma/projects.json`). Today
there is no record of which directories gnoma has been launched
in — items #2 and #3 can work with a filesystem scan
(`find ~ -type d -name .gnoma`), but a registry makes them
significantly faster and unlocks cross-project features.
Sketch:
```json
{
"projects": [
{
"path": "/home/.../my-repo",
"first_seen": "2026-04-15T10:30:00Z",
"last_seen": "2026-05-24T19:23:00Z",
"session_count": 47
}
]
}
```
Update on every successful startup (record project root,
bump `last_seen` + increment `session_count`). Enables:
- Fast `gnoma doctor --all-projects` without a filesystem walk.
- Cross-project session listing (`gnoma sessions --all`
picker; surface most-recent sessions across the registry).
- `gnoma upgrade-config` that can migrate every known project
in one invocation.
- Future local-only aggregate stats (`gnoma stats`) — still
no-phone-home, just a sum across the registry.
**Caveats and design constraints:**
- The registry file becomes another silent-corruption surface
— must use the same `omitempty` / atomic-write discipline
as the encoder fix in #1, or it'll exhibit the same class
of bug.
- Stale entries (deleted projects). `gnoma doctor` should
detect and offer to prune; do not auto-delete.
- Privacy: this is literally a log of directories the user
has worked in. Local-only, never sent off-machine (per the
no-phone-home positioning), but worth a one-line note in
the Security section of the README so users know it exists.
- Opt-out: `[config].project_registry = false` for users who
don't want this tracked. Default `true`.
- Atomic writes (temp file + rename) so a crash mid-write
doesn't corrupt the file.
Surfaced from the v0.3.1 launch wave (2026-05-24).
Plan:
[`docs/superpowers/plans/2026-05-24-config-migration.md`](docs/superpowers/plans/2026-05-24-config-migration.md).
- **Bandit selector — design decisions deferred.** The current
selector (`internal/router/selector.go:scoreArm`) is greedy
quality-weighted: per-(arm × task-type) EMA scores blended 70/30
with heuristic defaults, divided by CostWeight-adjusted cost. It
is **not** a true multi-armed bandit — no UCB-style exploration
bonus, no Thompson sampling. Tracked as a design question rather
than a must-implement item because of two open dependencies:
1. **Whether to keep numeric EMA at all.** The 2026-05-07 roadmap
(Phase 4) puts re-evaluating bandit learning on hold until the
SLM-driven dispatcher is in production. Three options on the
table: keep bandit as feedback for the SLM, retire EMA in
favour of qualitative outcome summaries fed to the SLM, or
split responsibilities (SLM = intent routing, bandit =
cost/quality within a tier). See
[`docs/superpowers/plans/2026-05-07-gnoma-roadmap.md`](docs/superpowers/plans/2026-05-07-gnoma-roadmap.md)
§Phase 4.
2. **User-tunable selector knobs.** Several constants are
hardcoded today: `qualityAlpha` (EMA smoothing, ~3-sample
memory), the 70/30 observed/heuristic blend,
`strengthScoreBonus` for tagged task types, and the
`DefaultThresholds.Minimum` quality floor. Surfacing these as
`[router.bandit]` config keys would let users tune for their
workloads (faster alpha for shifting model performance, longer
memory for stable fleets) without waiting for the strategic
decision in #1.
Surfaced from the r/coolgithubprojects v0.3.1 launch thread
(2026-05-24, `u/Ha_Deal_5079`).
- **Security boundary — egress controls + session audit log.** The
current `Firewall` is a content boundary only (scans messages and
tool results for secrets via regex + Shannon entropy, redacts or
blocks, logs via `log/slog`). It does not enforce network egress —
outgoing HTTP from tools and providers uses stock `http.Client`
with no per-host allowlist or dial-layer interception. Two follow-
ups surfaced from the r/SideProject v0.3.0 launch thread
(2026-05-24, `u/Secret_Theme3192`):
1. **Per-session audit log of blocked/redacted events** —
grep-able file at `.gnoma/sessions/<id>/audit.jsonl` so the
user can answer "what did the firewall do this session?" in
one command. Today the `slog` output goes to whatever sink is
configured, with no per-session grouping.
2. **Per-host egress allowlist (HTTP transport layer)** — open
design question: host-level (`allow api.openai.com, deny *`)
vs per-tool (`bash can only hit these hosts`). Reply asked
the commenter for their mental model; revisit when feedback
lands. The README and v0.3.0 Reddit post phrasing oversold
"network egress gated"; corrected in the same commit as this
TODO entry.
- **Tool-router specialization (functiongemma)** — gated on telemetry,
not committed. Phase A.2 adds did-switch-rate measurement to the
two-stage `select_category` path; Phase A.3 (LoRA fine-tune of
`functiongemma-270m-it` as a dedicated `ArmRoleToolRouter`) only
fires if did-switch rate exceeds 20 %. Three independent external
reviews consulted 2026-05-23; consensus is "fits as tool-call
router, not chat; fine-tuning mandatory; prove the need first."
See
[`docs/superpowers/plans/2026-05-23-tool-router-specialization.md`](docs/superpowers/plans/2026-05-23-tool-router-specialization.md).
- **Entropy FP reduction (post-SLM Phase F)** — F-1 (format-aware
pre-extractor) shipped 2026-05-22: `[security].entropy_safelist`
with `uuid`, `sha_hex`, `iso8601`, `url`; default empty so
@@ -27,14 +201,19 @@ Active work, newest first.
warning when the content matches sensitive heuristics, a
consent-gated review step, and consistent treatment across the
three paths. Cross-cuts with Phase F entropy work and the
outgoing-scan firewall.
outgoing-scan firewall. Plan:
[`docs/superpowers/plans/2026-05-24-sensitive-content-policy.md`](docs/superpowers/plans/2026-05-24-sensitive-content-policy.md).
- **Distribution — follow-ups.** v0.1.0 shipped (archives on
github.com/VikingOwl91/gnoma/releases, multi-arch images on
ghcr.io/vikingowl91/gnoma). Still optional: Homebrew tap,
`curl | sh` installer script, signed checksums (cosign/sigstore),
release note automation, Windows process-tree kill via
golang.org/x/sys/windows job objects (currently `os.Process.Kill`
only — see `internal/mcp/transport_windows.go`).
only — see `internal/mcp/transport_windows.go`), and migration
from `dockers` + `docker_manifests` to `dockers_v2` in
`.goreleaser.yml` (collapses ~45 lines into one block but
requires Dockerfile changes for the per-platform binary layout
— deferred to its own commit before v0.3.0).
## Stable backlog (not in active phases)
@@ -42,7 +221,13 @@ Active work, newest first.
- **Structured output** with JSON schema validation — M12.
- **Native agy JSON output** — switch the subprocess provider to
`--output-format stream-json` once the agy CLI supports it,
replacing the current prompt-augmentation fallback.
replacing the current prompt-augmentation fallback. Until then,
agy's `ToolUse` capability is set to `false` (see
`internal/provider/subprocess/agent.go` agy entry) — without
structured tool-call output, the router would otherwise dispatch
tool-needing tasks to agy and the turn would hang on prose
hallucinations of tool calls. Flip the capability back to `true`
in the same change that lands stream-json parsing.
- **SQLite session persistence** + serve mode — M10.
- **Task learning** (pattern recognition, persistent tasks) — M11.
- **Web UI** (`gnoma web`) — M15.
cmd/gnoma/main.go
+116 -14
View File
@@ -2,13 +2,14 @@ package main
import (
"context"
"crypto/rand"
"encoding/binary"
"encoding/json"
"errors"
"flag"
"fmt"
"io"
"log/slog"
mrand "math/rand"
"os"
"os/signal"
"path/filepath"
@@ -30,6 +31,7 @@ import (
"somegit.dev/Owlibou/gnoma/internal/provider/openaicompat"
subprocprov "somegit.dev/Owlibou/gnoma/internal/provider/subprocess"
"somegit.dev/Owlibou/gnoma/internal/router"
"somegit.dev/Owlibou/gnoma/internal/safety"
"somegit.dev/Owlibou/gnoma/internal/security"
"somegit.dev/Owlibou/gnoma/internal/session"
"somegit.dev/Owlibou/gnoma/internal/skill"
@@ -60,16 +62,17 @@ var (
func main() {
var resumeFlag string
var (
providerName = flag.String("provider", "", "LLM provider (mistral, anthropic, openai, google, ollama, llamacpp)")
model = flag.String("model", "", "model name (empty = provider default)")
system = flag.String("system", "", "system prompt override (empty = built-in default)")
apiKey = flag.String("api-key", "", "API key (or set MISTRAL_API_KEY env)")
maxTurns = flag.Int("max-turns", 50, "max tool-calling rounds per turn")
permMode = flag.String("permission", "auto", "permission mode (default, accept_edits, bypass, deny, plan, auto)")
incognito = flag.Bool("incognito", false, "incognito mode — no persistence, no learning")
profileFlag = flag.String("profile", "", "config profile to load (empty = default_profile from base config)")
verbose = flag.Bool("verbose", false, "enable debug logging")
version = flag.Bool("version", false, "print version and exit")
providerName = flag.String("provider", "", "LLM provider (mistral, anthropic, openai, google, ollama, llamacpp)")
model = flag.String("model", "", "model name (empty = provider default)")
system = flag.String("system", "", "system prompt override (empty = built-in default)")
apiKey = flag.String("api-key", "", "API key (or set MISTRAL_API_KEY env)")
maxTurns = flag.Int("max-turns", 50, "max tool-calling rounds per turn")
permMode = flag.String("permission", "auto", "permission mode (default, accept_edits, bypass, deny, plan, auto)")
incognito = flag.Bool("incognito", false, "incognito mode — no persistence, no learning")
profileFlag = flag.String("profile", "", "config profile to load (empty = default_profile from base config)")
allowAnywhere = flag.Bool("dangerously-allow-anywhere", false, "bypass the cwd safety classifier — only use if you know what you're doing")
verbose = flag.Bool("verbose", false, "enable debug logging")
version = flag.Bool("version", false, "print version and exit")
)
flag.StringVar(&resumeFlag, "resume", "", "resume session by ID (omit ID to list sessions)")
flag.StringVar(&resumeFlag, "r", "", "resume session (shorthand)")
@@ -183,6 +186,50 @@ func main() {
}
}
// Pre-launch safety check (cwd classification + context banner).
// Runs after subcommand dispatch so `gnoma providers / profile /
// slm / router` don't trigger the prompt.
//
// --dangerously-allow-anywhere skips the refuse/warn FLOW but
// still classifies the cwd and renders the context banner —
// bypassing the gate doesn't mean the user doesn't want the
// information. See
// docs/superpowers/plans/2026-05-23-startup-safety-banner.md.
cwdAbs, _ := os.Getwd()
safetyCfg := cfg.Safety.ResolvedSafety()
classification := safety.ClassifyCWD(cwdAbs, safetyCfg)
if *allowAnywhere {
logger.Warn("cwd safety check bypassed via --dangerously-allow-anywhere",
"tier", classification.Tier.String(),
"cwd", classification.Path,
)
} else {
switch classification.Tier {
case safety.TierRefuse:
fmt.Fprint(os.Stderr, safety.RenderRefuse(classification))
os.Exit(2)
case safety.TierWarn:
fmt.Fprint(os.Stderr, safety.RenderWarnPrefix(classification))
if !readYesConfirmation(os.Stdin) {
fmt.Fprintln(os.Stderr, "aborted.")
os.Exit(1)
}
}
}
// Always render the context banner (informational, regardless of
// tier or bypass).
banner := safety.RenderContextBanner(classification, safety.SessionInfo{
Version: buildVersion,
Provider: cfg.Provider.Default,
Model: cfg.Provider.Model,
Permission: cfg.Permission.Mode,
Incognito: *incognito,
Prefer: cfg.Router.Prefer,
}, safety.ScanCWDForSensitive(cwdAbs))
fmt.Fprint(os.Stderr, banner)
knownProviders := map[string]bool{
"mistral": true, "anthropic": true, "openai": true,
"google": true, "ollama": true, "llamacpp": true,
@@ -350,7 +397,30 @@ func main() {
// Create router and register the provider as a single arm
// (M4 foundation: one provider from CLI. Multi-provider routing comes with config.)
rtr := router.New(router.Config{Logger: logger})
// BanditParams come from [router.bandit] config keys; zero values
// resolve to built-in defaults inside the router package.
rtr := router.New(router.Config{
Logger: logger,
Bandit: router.BanditParams{
QualityAlpha: cfg.Router.Bandit.QualityAlpha,
MinObservations: cfg.Router.Bandit.MinObservations,
ObservedWeight: cfg.Router.Bandit.ObservedWeight,
StrengthBonus: cfg.Router.Bandit.StrengthBonus,
},
})
// Apply the prefer-routing-policy from config (default: auto).
// Invalid values are rejected here with an actionable error rather
// than silently falling back to auto.
if preferPolicy, err := router.ParsePreferPolicy(cfg.Router.Prefer); err != nil {
fmt.Fprintf(os.Stderr, "config error: %v\n", err)
os.Exit(2)
} else {
rtr.SetPreferPolicy(preferPolicy)
if preferPolicy != router.PreferAuto {
logger.Info("routing preference applied", "prefer", preferPolicy.String())
}
}
// Restore QualityTracker data from disk (best-effort). Per-profile
// path avoids bandit cross-contamination between work/private/etc.
@@ -597,10 +667,14 @@ func main() {
}
permChecker := permission.NewChecker(permission.Mode(*permMode), permRules, pipePromptFn)
// Generate session-scoped ID for /tmp artifact directory
// Generate session-scoped ID for /tmp artifact directory.
// Use crypto/rand so the suffix isn't predictable even if a future
// caller seeds math/rand deterministically (e.g., in tests).
var randBuf [8]byte
_, _ = rand.Read(randBuf[:])
sessionID := fmt.Sprintf("%s-%06x",
time.Now().Format("20060102-150405"),
mrand.Int63()&0xffffff,
binary.BigEndian.Uint64(randBuf[:])&0xffffff,
)
// Pass the firewall's incognito mode so Save no-ops while incognito
// is active. Mode is consulted on every Save (dynamic), so TUI
@@ -608,6 +682,17 @@ func main() {
store := persist.New(sessionID, fw.Incognito())
logger.Debug("session store initialized", "dir", store.Dir())
// Per-session firewall audit log: append-only JSONL at
// <projectRoot>/.gnoma/sessions/<sessionID>/audit.jsonl. Honours
// incognito (writes skipped when active) and tolerates fs errors —
// scan pipeline never depends on the audit succeeding.
auditPath := filepath.Join(gnomacfg.ProjectRoot(), ".gnoma", "sessions", sessionID, "audit.jsonl")
fw.SetAudit(security.NewAuditLogger(security.AuditLoggerConfig{
Path: auditPath,
Incognito: fw.Incognito(),
Logger: logger,
}))
// Create elf manager and register agent tools.
// Must be created after fw and permChecker so elfs inherit security layers.
elfMgr := elf.NewManager(elf.ManagerConfig{
@@ -1580,6 +1665,23 @@ func runSLMCommand(args []string, cfg *gnomacfg.Config, logger *slog.Logger) int
}
// humanBytes formats a byte count as a human-readable string.
// readYesConfirmation reads a single line from r and returns true only
// if the trimmed input is "y" or "Y" (any other input, including EOF
// and empty line, returns false). Used by the cwd safety check to gate
// TierWarn launches behind explicit consent. When stdin isn't a TTY
// (piped / scripted invocation), io.ReadString hits EOF immediately
// and returns false — non-interactive callers must pass
// --dangerously-allow-anywhere.
func readYesConfirmation(r io.Reader) bool {
buf := make([]byte, 8)
n, _ := r.Read(buf)
if n == 0 {
return false
}
s := strings.TrimSpace(string(buf[:n]))
return s == "y" || s == "Y"
}
func humanBytes(n int64) string {
const unit = 1024
if n < unit {
docs/img/gnoma-tui.png
BIN
View File
Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 306 KiB

docs/superpowers/plans/2026-05-23-prefer-routing-policy.md
+277
View File
@@ -0,0 +1,277 @@
# Routing-Preference Policy — 2026-05-23
> **Status: shipped in v0.3.0.** Commit `f9094f6`. Implementation
> diverged from the original plan (tier-shift instead of pure score
> multiplier) — see "Implementation note" in the Approach section.
> All P-1 through P-7 tasks complete.
Adds a config knob that biases routing toward local arms, toward
cloud arms, or leaves the current tier+score behavior unchanged.
Originally surfaced as item B in the 2026-05-23 routing redesign
discussion and deferred while the defaults-refresh work landed; this
plan picks it back up.
Sibling plans from the same session:
[`2026-05-23-routing-defaults-refresh.md`](2026-05-23-routing-defaults-refresh.md)
(now in flight),
[`2026-05-23-tool-router-specialization.md`](2026-05-23-tool-router-specialization.md)
(gated on telemetry), and
[`2026-05-23-startup-safety-banner.md`](2026-05-23-startup-safety-banner.md)
(parallel to this one).
---
## Problem
Today's `selector.go:armTier` orders arms as
**SLM → CLI-agent → local → cloud**. That's an opinionated default,
but the user has no way to express "I'd rather use my local fleet,
even if a cloud arm scores marginally higher" or vice versa. The
intent comes up in three real situations:
1. **Privacy-first sessions.** User wants the local fleet by default
but isn't ready for full incognito (e.g. allows persistence,
allows the bandit to learn). Today the only knob is the
nuclear `--incognito` flag.
2. **API-tier-paid sessions.** User has a $200/mo Anthropic
subscription and wants Claude on serious tasks unless explicitly
constrained — but local arms still win tier-0/tier-1 picks today.
3. **Cost-conscious sessions.** User wants local for everything that
the local fleet can plausibly handle, falling back to cloud only
when the task genuinely exceeds local MaxComplexity.
Today all three users get the same router. A single config switch
covers all three.
---
## Non-goals
- Replacing incognito. Incognito is a hard filter (cloud arms drop
out of selection entirely); this plan is a *soft bias* (cloud arms
remain selectable but score lower). Both coexist.
- Changing tier ordering. The default `prefer = "auto"` behavior is
byte-identical to current selection.
- Changing how `--provider X` works. A forced arm bypasses the
policy, same as today.
- Per-task-type policy. A future plan could let users say "local for
Boilerplate, cloud for SecurityReview" via Strengths-style config;
out of scope here.
---
## Approach
New config key `[router].prefer` with three values:
| Value | Behavior |
|---|---|
| `"local"` | Cloud arms (`!IsLocal && !IsCLIAgent`) get a +2 tier shift, landing behind local + CLI-agent arms in the tier walk. |
| `"cloud"` | Local arms (`IsLocal`) get a +2 tier shift. Tier-0 SLMs survive (0+2=2, still below cloud's tier 3). |
| `"auto"` (default) | No tier shift. Byte-identical to pre-change behavior. |
**Implementation note — divergence from the original design.** This
plan originally called for a score multiplier inside `scoreArm`.
Empirical testing during implementation showed that approach
doesn't work: the existing cost-floor math (`scoreArm` divides by a
weighted-cost that collapses to ~0.001 for free local arms) gives
local arms a ~280× raw-score advantage that a 0.3-0.5 multiplier
cannot overcome. The tier-shift approach is cleaner — it operates
on the tier walk (the dominant selection mechanism) instead of
within-tier scoring (where the cost math currently dominates).
The `policyMultiplier` helper is still present in `bestScored` as a
within-tier nudge, but in practice it has little effect today
because of the cost-floor amplification. Worth revisiting once
router-wide cost calibration lands as a separate effort.
**Why soft (tier shift, not hard filter):**
- A hard filter for local-only is incognito. Duplicating that as a
policy invites the same bugs Wave 2 closed (forced cloud arm
bypassing the filter, learning still happening, etc.).
- Tier-shift preserves the bandit's ability to learn and the
Strengths cross-tier promotion — strongly-tagged arms still win
their tagged tasks regardless of prefer (Strengths-promoted set
bypasses the tier walk entirely in `selectBest`).
**Why subprocess (CLI-agent) arms count as "local" for this knob:**
CLI-agent arms (`claude`, `gemini`, `vibe`) run locally but proxy to
cloud. The originally-drafted plan placed them with cloud (privacy
axis); the implementation places them with local (user-facing
behavior axis — they look local in the TUI, no API key setup, faster
startup). Either choice is defensible; the implementation chose
"local" because users who want to exclude CLI agents already have
`--provider X` to pin a specific arm. Document this so the next
person doesn't surprise themselves.
---
## Tier-shift rationale
The +2 shift is the smallest value that guarantees the dispreferred
camp lands behind the preferred one across the realistic tier
distribution (base tier 0..3, max possible shifted tier 5):
| Base tier (preferred) | Dispreferred shifted | Walk order |
|---|---|---|
| 0 SLM (local) | cloud at 3 | SLM wins (PreferLocal preserves SLM) |
| 0 SLM (local), with `PreferCloud` | SLM shifts to 2; cloud at 3 | SLM still wins — "small stuff stays small" |
| 2 general local | cloud at 3 | local wins (PreferLocal) |
| 2 general local, with `PreferCloud` | local shifts to 4; cloud at 3 | cloud wins |
| 3 cloud | local at 2 | local wins (PreferLocal demotes cloud to 5) |
The SLM-still-wins case under `PreferCloud` is intentional: the
small specialist arm is the right call for trivial tasks regardless
of any "I'd rather use cloud" preference. The user can always
override with `--provider X`.
---
## Tasks
### P-1 — Config wiring
- [ ] `internal/config/config.go` — add `Prefer string` to the
`Router` struct, accepting `"local" | "cloud" | "auto"`.
Default: `"auto"`. Parse at load time, reject anything else with
an actionable error.
- [ ] `cmd/gnoma/main.go` — pass `cfg.Router.Prefer` to a new
`Router.SetPreferPolicy(string)` method.
### P-2 — Router state and method
- [ ] `internal/router/router.go` — add
```go
type PreferPolicy int
const (
PreferAuto PreferPolicy = iota
PreferLocal
PreferCloud
)
```
Plus `Router.preferPolicy PreferPolicy` (guarded by existing mutex)
and `SetPreferPolicy(p PreferPolicy)`.
- [ ] String parser `ParsePreferPolicy(string) (PreferPolicy, error)`
for the config layer.
### P-3 — Selector integration (revised during implementation)
The originally-planned score multiplier didn't have enough leverage
to flip selection (see "Implementation note" above). The actual
mechanism is a tier shift inside `armTier`:
- [x] `internal/router/selector.go:armTier` — accept a
`PreferPolicy` parameter. When `PreferLocal`, demote
`!IsLocal && !IsCLIAgent` arms by +2 tiers. When `PreferCloud`,
demote `IsLocal` arms by +2 tiers.
- [x] `armBaseTier` extracted as the unshifted base for clarity.
- [x] Plumb `preferPolicy` from `Router.Select` through `selectBest`
to `armTier`. `bestScored`'s `policyMultiplier` is retained as a
within-tier nudge but has limited effect today (documented
inline).
- [x] Strengths-promoted set still bypasses the tier walk entirely
— strongly-tagged arms remain unaffected by prefer (validated by
`TestPreferPolicy_StrengthsBeatsMultiplier`).
- [x] `selectBest` tier-walk upper bound raised from 3 to 5 to
accommodate the +2 shift.
### P-4 — Force-arm and incognito interactions
- [ ] **Forced arm:** `Router.Select` already short-circuits when
`r.forcedArm != ""`. The policy multiplier is bypassed by design —
pin wins. Add a regression test.
- [ ] **Incognito:** `r.localOnly` filter runs before scoring. Under
incognito, only local arms reach scoring, so the multiplier is a
no-op. Add a test that exercises both knobs together — incognito
on + `prefer = "cloud"` should still pick a local arm
(incognito wins; multiplier irrelevant).
- [ ] **`prefer = "local"` with no local arms registered:** soft
bias means cloud arms still win when they're the only option
(multiplier 0.3 still beats nothing). Test this; don't accidentally
return "no arms available."
### P-5 — TUI surface (lightweight)
- [ ] When `prefer != "auto"`, surface the active policy in the
status bar — e.g. `🔒 prefer: local` or `☁️ prefer: cloud` next
to the incognito badge. No emoji if it conflicts with the existing
bar style; pick a discreet textual marker.
- [ ] Slash command `/prefer <local|cloud|auto>` for runtime
switching, mirroring `Ctrl+X` for incognito. Optional — the
config-only path is fine for v1.
### P-6 — Tests
- [ ] `internal/router/selector_test.go` (or `prefer_test.go`):
- Mixed fleet (one local + one cloud, both feasible for the task).
`prefer = "local"` → local wins. `prefer = "cloud"` → cloud
wins. `prefer = "auto"` → existing tier-based winner.
- Strengths cross-tier promotion still works: Opus tagged
`[SecurityReview]` + local arm without that strength + a
SecurityReview task + `prefer = "local"` → Opus still wins
(Strengths beats multiplier).
- Cost effects compose correctly: cheap local + expensive cloud,
`prefer = "cloud"` doesn't make the cloud arm absurdly more
attractive than `CostWeight` would normally allow.
- [ ] `internal/router/router_test.go`: forced arm bypasses policy.
- [ ] `internal/router/router_test.go`: incognito + `prefer = "cloud"`
combination.
- [ ] Config-layer test: invalid value rejected, valid values
parse to the right enum.
### P-7 — Docs
- [ ] README "Routing defaults" section — add a "Preferring local
vs cloud" subsection showing the `[router].prefer` knob and how
it interacts with `[[arms]]` overrides, `--provider`, and
incognito.
- [ ] CHANGELOG entry for the next release: "Added
`[router].prefer` for biasing selection toward local or cloud
arms."
---
## Open questions
- **Should `prefer = "cloud"` weaken the SLM's tier-0 promotion?**
Currently a tier-0 SLM (small specialist arm with low
MaxComplexity) wins trivial tasks regardless of score, because
the tier walk in `selectBest` checks tier 0 first. Under
`prefer = "cloud"`, should an SLM still win a Boilerplate task?
Probably yes — that's exactly what the SLM is for. The multiplier
only kicks in within a tier, not across them. Document this.
- **Default multiplier values.** 0.3 / 0.5 are calibrated guesses;
worth revisiting after a week of real use. Surface as
`[router].prefer_strength` (0.01.0) if tuning becomes a
recurring ask, but don't pre-emptively add the knob.
- **Per-task overrides.** If a user wants "local for chat, cloud
for SecurityReview," the right answer is to tag the cloud arm
with the relevant Strengths and let cross-tier promotion handle
it. Don't add per-task `prefer` until evidence shows Strengths
isn't enough.
---
## Out of scope
- Anything that changes `armTier` ordering. Tier order is opinionated
but stable; we add a multiplier, we don't reorder.
- New TaskTypes or arm roles.
- Cross-cutting refactor of the scoring math. Targeted multiplier
injection only.
---
## Definition of done
- All P-1 through P-7 tasks checked.
- `make test` green; `make lint` green.
- Manual smoke: launch with `prefer = "local"` on the maintainer's
fleet; cloud arms register but never get picked unless the local
fleet can't handle the task or Strengths promotes them.
- Launch with `prefer = "cloud"`; local SLM still wins trivial tasks
(tier-0); other tasks go cloud unless local has a strong tag.
- `prefer = "auto"` produces byte-identical selection to pre-change
behavior (regression test pinned).
docs/superpowers/plans/2026-05-23-routing-defaults-refresh.md
+373
View File
@@ -0,0 +1,373 @@
# Routing Defaults Refresh — 2026-05-23
> **Status: shipped in v0.3.0.** Commits `a79e991` (scaffold) →
> `9bb775a` (full local family table) → `2f8d4c4` (cloud defaults
> + gpt-5.3-codex) → `c99b2c6` (README). All R-1 through R-8
> tasks complete.
Refreshes gnoma's per-arm routing defaults so that out-of-the-box
selection produces sensible choices without requiring users to write
a `[[arms]]` block in TOML. Surfaced during the 2026-05-23 session
that began with "incognito should always prefer local" and expanded
into a benchmark-data review (artificialanalysis.ai v4.0,
llm-stats.com, kilo.ai) and an inventory check against the
maintainer's actual local fleet.
Related plan:
[`2026-05-23-tool-router-specialization.md`](2026-05-23-tool-router-specialization.md)
handles functiongemma specifically; this plan registers it but keeps
it `Disabled: true` until that plan's Phase A.3 ships.
---
## Problem
Three concrete gaps in the current router setup:
### 1. Local-arm defaults are all zero
Every model discovered via `internal/router/discovery.go:RegisterDiscoveredModels`
gets `Strengths: nil` and `MaxComplexity: 0`. With nothing to
differentiate them, `selector.go`'s `heuristicQuality()` scores
arms within the same tier almost identically — a user with
`phi-4:14b`, `qwen3-coder:30b`, and `tiny3.5:1.5b` pulled gets
effectively-random selection among them for any given task.
The tier system (`armTier()`) was designed to be augmented by
per-arm `Strengths`; without populated defaults, that augmentation
never happens unless the user writes config by hand.
### 2. Non-chat models register as broken chat arms
Discovery has no exclude list. On a realistic fleet (`embeddinggemma`,
`kokoros`, `whisper-base`, `moonshine-tiny`, `qwen3-asr-1.7b`,
`qwen3-tts-1.7b-custom-voice`, `vibevoice`, `lfm2.5-audio-1.5b-realtime`,
`qwen3-vl-embedding-2b`, `qwen3-vl-reranker-2b`), all of these get
registered with `IsLocal: true` and become candidates for chat
routing. They will fail at inference time with confusing errors.
### 3. Cloud-side model registry is stale
- `internal/provider/google/ratelimits.go` only knows Gemini 2.0 /
2.5 — leaderboard is on 3.x (Gemini 3.1 Pro, 3.5 Flash, 3 Flash).
- `internal/provider/openai/provider.go` defaults to `gpt-5.5` and
the ratelimits table covers `gpt-5.5*` / `gpt-5.2*` but not
`gpt-5.3-codex`, which the artificialanalysis Coding Agent Index
positions as the coding specialist (index 54, $1.87/Mtok).
- No default `Strengths` / `CostWeight` matrix in the Anthropic /
OpenAI / Google provider modules — same problem as (1) but on the
closed-model side.
### 4. Vision prefix list is missing modern families
`internal/router/discovery.go:209` enumerates `knownVisionModelPrefixes`
for fallback vision detection. Missing entries: `gemma4`, `gemma-4`
(Gemma 4 is multimodal), `glm-ocr`. `minicpm-v` already present.
---
## Benchmark snapshot used for this plan
Captured 2026-05-23 from artificialanalysis.ai (Intelligence Index
v4.0), llm-stats.com, kilo.ai, ollama.com, and Hugging Face. Full
data lives in the session transcript; key inputs to the defaults
table:
**Closed frontier (cloud arms):**
| Model | II v4.0 | SWE-bench Verified | $/Mtok |
|---|---|---|---|
| GPT-5.5 (xhigh) | 60 | 88.7 % | $4.35 |
| Claude Opus 4.7 (max) | 57 | 87.6 % | $4.10 |
| Gemini 3.1 Pro Preview | 57 | — | $1.74 |
| Claude Sonnet 4.6 (max) | 52 | — | $2.46 |
| Gemini 3.5 Flash | 55 | — | $1.31 |
| GPT-5.3 Codex (xhigh) | 54 | 85 % | $1.87 |
**Local sub-30B (open-weight, deployable):**
| Family | Size | RAM (Q4) | Strongest at |
|---|---|---|---|
| qwen3-coder | 30B MoE / 3.3B active | ~19 GB | Codegen, agentic SWE (44.3 % SWE-Bench Pro) |
| devstral-small-2 | 24B | ~24 GB | Codegen + Vision (68 % SWE-bench Verified) |
| gemma 4 | ~9B base, 2B/4B edge | 310 GB | RAG, Vision, multilingual |
| ministral-3 | 3B / 8B / 14B | 310 GB | Planning, Orchestration |
| qwen3 / qwen3.5 | 4B14B | 310 GB | General, codegen |
| qwen2.5-coder | 14B | ~9 GB | Codegen (Aider 73.7) |
| phi-4 | 14B | ~10 GB | Reasoning, math (MMLU 84.8) |
| tiny3.5 | 0.5B / 1.5B | <3 GB | Trivial routing, draft |
---
## Approach
Three additions to `internal/router/discovery.go`:
1. **`nonChatModelPatterns`** — substrings on the model ID that
force the arm to be skipped during registration entirely.
2. **`knownFamilyDefaults`** — keyed by family prefix, returns
`Strengths` + `MaxComplexity`. Discovery looks up the longest
matching prefix when registering an Ollama / llama.cpp arm.
3. Extension to `knownVisionModelPrefixes`.
Same shape (`knownFamilyDefaults` minus `MaxComplexity`) in
`internal/provider/{anthropic,openai,google}/provider.go` so closed
models also ship with sensible `Strengths` and `CostWeight`.
User-supplied `[[arms]]` config keeps priority — defaults only fill
zero fields.
---
## Tasks
### R-1 — Non-chat exclude list
- [ ] `internal/router/discovery.go` — add
`nonChatModelPatterns []string` and a `isNonChatModel(id string) bool`
helper. Patterns (substring match, lowercase):
```
"whisper", "moonshine", "kokoros", "vibevoice",
"-asr", "-tts", "-audio", "-embedding", "embedding-",
"embeddinggemma", "-reranker", "lfm2", "qwen3-vl-embedding",
"qwen3-vl-reranker"
```
- [ ] `RegisterDiscoveredModels` (line ~436) skips entries that match
the non-chat list before calling `r.RegisterArm`. Log at debug
level: `"skipping non-chat model %s during discovery"`.
- [ ] Test: discovery seeded with a list including `embeddinggemma`,
`kokoros`, `whisper-base` → none registered. Seeded with
`qwen3:14b`, `gemma4:latest` → both registered.
### R-2 — Vision prefix updates
- [ ] Append `"gemma4"`, `"gemma-4"`, `"glm-ocr"` to
`knownVisionModelPrefixes` (discovery.go:209).
- [ ] Test: `isKnownVisionModelName("gemma4:latest")` returns true,
`isKnownVisionModelName("gemma-4-e2b-it")` returns true,
`isKnownVisionModelName("glm-ocr")` returns true.
- [ ] Existing `gemma3` entry stays — Gemma 3 multimodal variants
shipped earlier and are still in circulation.
### R-3 — Local family defaults table
- [ ] New file `internal/router/defaults.go` with:
```go
type FamilyDefaults struct {
Strengths []TaskType
MaxComplexity float64
CostWeight float64 // optional; zero means router default
Disabled bool // true for functiongemma, embedding-only, etc.
}
var knownFamilyDefaults = map[string]FamilyDefaults{ /* see table */ }
func ResolveFamilyDefaults(modelID string) (FamilyDefaults, bool)
```
- [ ] Match against the longest-prefix-wins so
`qwen3-coder:30b` resolves to `qwen3-coder` defaults rather than
the generic `qwen3` ones.
- [ ] **Family table** (see "Defaults matrix" section below for full
list). Each entry justified by either a benchmark hit or a
documented family role.
- [ ] `RegisterDiscoveredModels` calls `ResolveFamilyDefaults` and
populates the arm's `Strengths` / `MaxComplexity` / `CostWeight`
/ `Disabled` fields if the family is known and the existing field
is zero.
- [ ] Size-keyed override for families that span a wide range
(ministral-3 from 3B to 14B, gemma 4 from 2B to 9B): a small helper
`complexityFromSizeTag(modelID, baseCap float64) float64` parses
the `:Nb` tag and scales MaxComplexity down for sub-7B variants.
### R-4 — Closed-model defaults in provider modules
- [ ] `internal/provider/anthropic/provider.go` — when constructing
the arm list around `Models()`, attach `Strengths` and
`CostWeight` defaults per model ID. Sketch:
```
claude-opus-4-7 → Strengths {Planning, SecurityReview, Debug, Refactor}, CostWeight 0.3
claude-sonnet-4-6 → Strengths {Generation, Refactor, Review}, CostWeight 0.7
```
- [ ] `internal/provider/openai/provider.go` — equivalent:
```
gpt-5.5 → Strengths {Planning, SecurityReview, Generation}, CostWeight 0.3
gpt-5.3-codex → Strengths {Generation, Refactor, Debug, UnitTest}, CostWeight 0.6
gpt-5.2 → Strengths {Orchestration, Review}, CostWeight 0.8
```
- [ ] `internal/provider/google/provider.go` — equivalent:
```
gemini-3.1-pro → Strengths {Planning, Review, Orchestration}, CostWeight 0.5
gemini-3.5-flash → Strengths {Boilerplate, Explain, Orchestration}, CostWeight 1.2
```
- [ ] These attach via a new lookup function alongside `Models()`,
not by mutating `Capabilities`. Keep the data table close to the
provider's model list so model adds stay co-located.
### R-5 — Register missing modern cloud models
- [ ] `internal/provider/google/ratelimits.go` — add `gemini-3.1-pro`,
`gemini-3.5-flash`, `gemini-3-pro`, `gemini-3-flash` entries.
Drop deprecated `gemini-2.0-flash`? — leave for now, harmless.
- [ ] `internal/provider/google/provider.go` — extend `Models()` to
surface the 3.x family.
- [ ] `internal/provider/openai/ratelimits.go` — add `gpt-5.3-codex`
and `gpt-5.3-codex-*` aliases.
- [ ] `internal/provider/openai/provider.go` — extend `Models()` to
include `gpt-5.3-codex`. Default model stays `gpt-5.5` (still the
intelligence-index leader).
- [ ] Cost data for `RegisterProvider`'s `costs` map — caller in
`cmd/gnoma/main.go` builds these per provider. Source numbers from
the benchmark snapshot above.
### R-6 — functiongemma registration
- [ ] In `knownFamilyDefaults`:
```go
"functiongemma": {
Strengths: []TaskType{TaskOrchestration},
MaxComplexity: 0.40,
Disabled: true, // see plans/2026-05-23-tool-router-specialization.md
},
```
- [ ] Comment in `defaults.go` explaining why: functiongemma is not
a chat model; reserved for the future `ArmRoleToolRouter` role.
- [ ] Test: registering `functiongemma:latest` produces an arm with
`Disabled: true`.
### R-7 — Tests
- [ ] `internal/router/defaults_test.go` — table-driven test
covering every entry in `knownFamilyDefaults`. Asserts that
`ResolveFamilyDefaults` returns the expected struct for the
canonical model IDs and falls back gracefully (`ok=false`) for
unknown families.
- [ ] `internal/router/discovery_test.go` — extended to cover the
non-chat skip path and the family-defaults attach path.
- [ ] `internal/router/router_test.go` — add a scenario:
three arms (`tiny3.5:1.5b`, `phi-4:14b`, `qwen3-coder:30b`) all
registered with defaults; assert `TaskGeneration` picks
`qwen3-coder`, `TaskPlanning` picks `phi-4`, `TaskBoilerplate`
picks `tiny3.5`. This is the user-facing payoff — incognito
selection stops feeling random.
### R-8 — Docs
- [ ] README — add a "Default routing matrix" section linking to
this plan and showing the table at-a-glance.
- [ ] Mention in the changelog draft for the next release that
out-of-the-box routing is now opinionated; the `[[arms]]` block
in TOML still overrides everything.
---
## Defaults matrix
### Local families (`knownFamilyDefaults`)
| Family prefix | Strengths | MaxComplexity | Disabled | Notes |
|---|---|---|---|---|
| `qwen3-coder` | Generation, Refactor, Debug | 0.85 | — | Standout local coder; 44.3 % SWE-Bench Pro |
| `qwen2.5-coder` | Generation, Refactor, UnitTest | 0.70 | — | Aider 73.7 |
| `devstral` | Generation, Refactor, Debug | 0.85 | — | 68 % SWE-bench Verified, vision-capable |
| `yi-coder` | Generation, Refactor | 0.55 | — | 9B; HumanEval 85.4 |
| `deepseek-coder` | Generation, Refactor | 0.65 | — | MoE coder family |
| `starcoder` | Generation | 0.45 | — | Fill-in-middle specialist |
| `phi-4` | Planning, Debug, Review | 0.65 | — | Reasoning-strong 14B |
| `phi-4-mini` | Boilerplate, Explain | 0.35 | — | 3.8B compact |
| `gemma4` | Explain, Review, Generation | 0.70 | — | ~9B multimodal base |
| `gemma4-e` / `gemma-4-e` | Explain, Boilerplate | 0.45 | — | "Edge" 2B/4B multimodal |
| `gemma3` | Explain, Review | 0.55 | — | Existing multimodal |
| `gemma2` | Explain | 0.40 | — | Multilingual general |
| `qwen3.5` | Boilerplate, Explain, Orchestration | size-keyed (0.400.65) | — | Includes community distills |
| `qwen3` | Generation, Refactor, Debug | size-keyed (0.500.75) | — | Solid mid-tier coder |
| `qwen2.5` | Explain, Refactor | size-keyed (0.400.65) | — | General Qwen 2.5 (non-coder) |
| `qwen` (catch-all) | Explain | 0.40 | — | Fallback for unmatched Qwen variants |
| `ministral-3` | Orchestration, Planning | size-keyed (0.350.70) | — | Mistral edge family |
| `mistral-small-3` | Orchestration, Review | 0.65 | — | 24B; MMLU 81 |
| `mistral` (catch-all) | Generation, Refactor | 0.50 | — | Mistral 7B / Nemo etc. |
| `llama3.2` | Explain, Boilerplate | 0.35 | — | Tool-call friendly small |
| `llama4` | Explain, Review | 0.50 | — | Scout / Maverick |
| `tiny3.5` | Boilerplate, Explain | size-keyed (0.200.30) | — | Draft / trivial-only |
| `granite` | Explain, Boilerplate | 0.30 | — | IBM 8B and similar |
| `minicpm-v` | Planning, Review | 0.55 | — | Vision-thinking, set `Capabilities.Vision` via prefix list |
| `glm-ocr` | (none) | 0.30 | — | OCR-only specialist |
| `glm` (catch-all) | Explain | 0.45 | — | GLM family fallback |
| `functiongemma` | Orchestration | 0.40 | **true** | Reserved for ToolRouter role |
### Cloud closed models (provider modules)
| Model | Strengths | CostWeight | Provider module |
|---|---|---|---|
| `claude-opus-4-7` | Planning, SecurityReview, Debug, Refactor | 0.3 | anthropic |
| `claude-sonnet-4-6` | Generation, Refactor, Review | 0.7 | anthropic |
| `gpt-5.5` | Planning, SecurityReview, Generation | 0.3 | openai |
| `gpt-5.3-codex` | Generation, Refactor, Debug, UnitTest | 0.6 | openai |
| `gpt-5.2` | Orchestration, Review | 0.8 | openai |
| `gemini-3.1-pro` | Planning, Review, Orchestration | 0.5 | google |
| `gemini-3.5-flash` | Boilerplate, Explain, Orchestration | 1.2 | google |
Rationale for `CostWeight` values:
- **0.3** on frontier arms (Opus 4.7, GPT-5.5) keeps them in
contention for high-stakes tasks (SecurityReview, Planning) even
at $4+/Mtok. The current formula
`weighted = 1.0 + CostWeight * (cost - 1.0)` collapses cost
influence to ~30 % at that weight.
- **0.60.7** on mid-tier coding specialists (gpt-5.3-codex,
Sonnet 4.6) — cheaper than flagship, still good; standard cost
influence.
- **1.2** on cheap fast arms (Gemini 3.5 Flash) — *penalize* cost
more than default so the cheap arm doesn't crowd out better choices
on serious tasks; it should win only when cost is genuinely
decisive (boilerplate, explain).
- Zero (router default 1.0) on everything not listed — the
bandit/heuristic mix handles it.
---
## Open questions
- **Catch-all family entries vs. only specific ones?** Tradeoff:
catch-alls (e.g. `qwen`, `mistral`, `glm`) reduce surprise on
unknown variants but mask future renames. Leaning toward catch-alls
with conservative defaults — if a user pulls `qwen-something-new`,
better to get a generic "Explain, MaxComplexity 0.40" than nothing.
- **Should `Disabled: true` arms still show in `gnoma providers`?**
Yes — visibility is the point; user should see functiongemma is
registered but parked. Test will assert this.
- **Catch-all matches across families** — `qwen3-coder` must win
over `qwen3` which must win over `qwen`. Longest-prefix-wins is
the discipline; the test in R-7 will pin this behaviour.
- **`reecdev/tiny3.5` namespace** — the `tiny3.5` family entry needs
to match both `tiny3.5:Xb` and `reecdev/tiny3.5:Xb`. Either match
on the suffix after `/` or list both prefixes. Suffix match is
cleaner.
---
## Out of scope
- New TaskType values (TaskTrivial, TaskRAG, TaskMultilingual, etc.).
The existing 10 TaskTypes are sufficient and stay.
- Anything that changes tier ordering between local / CLI-agent /
cloud arms. Original session item B ("reorder tiers: local before
subprocess") is deferred to a separate plan if needed at all —
defaults alone may close the gap.
- Anything that touches the bandit's quality EMA. `Strengths` adds
a fixed bonus in scoring (`strengthScoreBonus = 0.15`,
`selector.go:115`); that mechanism is unchanged.
- functiongemma integration — covered by the sibling plan.
---
## Definition of done
- All R-1 through R-8 tasks checked.
- `make test` green, `make lint` green.
- Manual smoke: launch gnoma with the maintainer's actual Ollama
fleet pulled; `gnoma providers` shows the right `Strengths` and
`MaxComplexity` on each arm without any TOML config.
- A `TaskGeneration` task with the same fleet picks `qwen3-coder`
or `devstral`, not `qwen3.5:4b` or `tiny3.5`.
- A `TaskBoilerplate` task picks one of `tiny3.5`, `gemma-4-e2b`,
`qwen3.5:4b` — the cheapest viable arm.
- Non-chat models (`embeddinggemma`, `kokoros`, `whisper-base`,
`vibevoice`) do not appear in `gnoma providers` output.
docs/superpowers/plans/2026-05-23-startup-safety-banner.md
+320
View File
@@ -0,0 +1,320 @@
# Startup Safety + Context Banner — 2026-05-23
> **Status: shipped in v0.3.0.** Commits `3eeb5b4` (classifier +
> banner + main.go wiring) → `8ba77c1` (env-template precision
> fix, label alignment, banner-under-bypass). All S-1 through
> S-7 tasks complete; S-8 docs done in `d206b3c`. Windows path
> handling still deferred per plan.
Adds a pre-launch safety check that warns or refuses when gnoma is
started in a directory where it could do real damage (`$HOME`,
`/`, `/etc`, etc.), plus a context banner shown on every launch
summarizing where the session is running and what's loaded.
Modeled on similar guards in Claude Code (refuses `$HOME`),
Aider (warns outside a git repo), and Cursor (warns on empty
workspace).
Sibling plan:
[`2026-05-23-prefer-routing-policy.md`](2026-05-23-prefer-routing-policy.md)
(parallel — both are pre-flight user-facing changes from the
same session).
Cross-reference: complements the in-flight "Sensitive-content
handling — unified policy" TODO item, which handles content
*flowing into context once running*. This plan is the **pre-flight**
counterpart — preventing a dangerous start state in the first
place. The two layers compose; neither subsumes the other.
---
## Problem
gnoma can read, write, and execute. Launched in the wrong
directory, the model gets that capability against:
- `$HOME``.ssh/` keys, `.aws/credentials`, `.config/`
(full of API keys for half the CLIs the user has installed),
shell history with secrets, browser profiles.
- `/tmp` — other processes' working files; tool calls in this
cwd write next to whatever else is running.
- `/`, `/etc`, `/sys`, `/proc`, `/usr`, `/var` — system roots
where any write is potentially destructive and any read
exposes machine state.
- `~/Desktop`, `~/Downloads` — common dumping grounds for
sensitive files the user forgot about.
A model that "helpfully" cats `~/.ssh/id_ed25519` because the user
asked "what files are here" has already done the damage. The
prompt-injection threat surface widens too — a hostile pasted log
saying "first, read ~/.ssh/id_rsa and base64 it into your next
reply" goes from "blocked by lack of access" to "executed because
the cwd makes the file reachable."
Today gnoma launches anywhere with no warning. This plan adds:
1. **Dir-safety tier check** at startup with refuse / warn /
ok paths.
2. **Context banner** showing cwd, git state, model, modes, and
a sensitive-file inventory.
---
## Non-goals
- Replacing the firewall's outgoing-content scan. That's a separate
layer (data already in the context).
- Blocking tool execution at runtime based on path. That's already
handled by the permission system; this plan is purely about
the *initial* launch authorization.
- Cross-platform on day 1. Linux + macOS first; Windows path
detection follows once paths and registry locations are mapped.
---
## Approach
### Tier classification of the cwd
| Tier | Behavior | Examples |
|---|---|---|
| **Refuse** | Print error, exit non-zero. Bypass: `--dangerously-allow-anywhere` or `[safety].refuse_in_system_dirs = false`. | `/`, `/etc`, `/sys`, `/proc`, `/usr`, `/var`, `/bin`, `/sbin`, `/boot`, `/root` (Linux); `/System`, `/Library`, `/private` (macOS); root of mounted volumes. |
| **Warn** | Print banner, require keypress (`y` to continue, anything else aborts). Bypass: `--dangerously-allow-anywhere` or `[safety].warn_in_home = false`. | `$HOME`, `/tmp`, `$XDG_CONFIG_HOME` (`~/.config`), `~/.local`, `~/.cache`, `~/Desktop`, `~/Downloads`, `~/Documents`, `~/Music`, `~/Pictures`, `~/Videos`. |
| **OK** | No prompt. Banner still shown (context only). | Anywhere inside a git repo, or any directory containing a project marker (`.gnoma/`, `go.mod`, `package.json`, `pyproject.toml`, `Cargo.toml`, `Makefile`, `Dockerfile`, `.git/`). |
**Defaulting to warn+keypress instead of hard refuse for `$HOME`:**
explicit preference from the maintainer (2026-05-23 session). Hard
refuse is annoying when the user legitimately wants to ask about
shell config (`"what's in my ~/.zshrc"`). Warn+keypress gives
informed consent without blocking the rare-but-legitimate case.
### Context banner
Shown on every launch regardless of tier (including OK):
```
gnoma 0.2.x — ready
cwd : /home/cn/git/projects/owlibou/gnoma
git : dev (clean)
project : Go module (somegit.dev/Owlibou/gnoma)
provider : ollama / qwen3-coder:30b
mode : permission=auto incognito=off prefer=auto
sensitive: 0 matches in cwd
---
```
Under "warn" tier, prepend:
```
⚠ Warning: cwd is $HOME.
Any file the model reads / writes / executes is in your home dir
— including .ssh/, .aws/, shell history, browser profiles.
Continue? [y/N]
```
Under "refuse" tier, replace the whole flow:
```
✖ gnoma will not start in /etc. This directory contains
system-critical files that should never be edited by a model.
To override (you almost certainly should not), pass
--dangerously-allow-anywhere.
```
### Sensitive-file inventory
Conservative pattern-match against the cwd's *top level* (no
recursion — recursion would itself be a slow privacy-leak risk
the first time it runs in `$HOME`). Patterns:
```
.env, .env.*, env.local
*.pem, *.key, *.crt, *.p12, *.pfx
id_rsa, id_ed25519, id_ecdsa, id_dsa
*credentials*, *secret*, *.secrets
.ssh/, .aws/, .kube/, .gcloud/, .azure/
*.kdbx, *.kbdx (KeePass)
.netrc, .pgpass
```
The banner reports a count and the matched filenames (truncated to
3 with "+N more" if longer). Informational only — does not block
launch even under "refuse" tier. The point is awareness: "you've
launched in a dir with `.env` in it; the model can see it."
---
## Tasks
### S-1 — Config layer
- [ ] `internal/config/config.go` — add `Safety` struct:
```go
type Safety struct {
RefuseInSystemDirs bool `toml:"refuse_in_system_dirs"`
WarnInHome bool `toml:"warn_in_home"`
RequireProjectMarker bool `toml:"require_project_marker"`
}
```
Defaults: `refuse_in_system_dirs=true`, `warn_in_home=true`,
`require_project_marker=false`.
- [ ] CLI flag `--dangerously-allow-anywhere` (bool). Wired into
the same gate as the config keys.
### S-2 — Tier classifier
- [ ] New file `internal/safety/cwd.go` with:
```go
type Tier int
const (
TierOK Tier = iota
TierWarn
TierRefuse
)
func ClassifyCWD(cwd string, cfg Safety) (Tier, string) // tier + human-readable reason
```
- [ ] Linux + macOS path tables baked in. Windows: panic with
"windows safety classification not yet implemented" and warn the
user — opt-out via `--dangerously-allow-anywhere` for now. Follow-up
plan for Windows.
- [ ] `$HOME` resolution via `os.UserHomeDir()`. Reject if it
returns empty (treat as `TierWarn`).
- [ ] Project-marker detection (`.git/`, `.gnoma/`, `go.mod`,
`package.json`, `pyproject.toml`, `Cargo.toml`, `Makefile`,
`Dockerfile`). Any one present → forces `TierOK` regardless of
parent dir (so a git repo inside `$HOME` doesn't trigger a warn).
### S-3 — Sensitive-file scanner
- [ ] `internal/safety/sensitive.go` with:
```go
type Match struct{ Path string; Reason string }
func ScanCWDForSensitive(cwd string) []Match
```
- [ ] Top-level only (no recursion). Bounded read of dir entries
(cap at 1000 entries to avoid `/` taking forever if someone
hands the function a giant dir).
- [ ] Patterns from the "Sensitive-file inventory" section above.
- [ ] Test against a `t.TempDir()` populated with sample files
including some that should NOT match (`.envrc` doesn't, but
`.env` does — be precise).
### S-4 — Banner renderer
- [ ] `internal/safety/banner.go` — pure functions taking the
classified tier, scan results, and a struct of session info
(provider, model, modes), returning a string.
- [ ] Color codes via the existing TUI color helpers if available,
else plain ANSI. Disable when stdout isn't a TTY.
- [ ] Banner rendering is deterministic so it can be golden-tested.
### S-5 — Launch integration
- [ ] `cmd/gnoma/main.go` early in startup (before any provider is
constructed, before any file is read other than the config):
1. Resolve cwd via `os.Getwd()`.
2. Call `safety.ClassifyCWD(cwd, cfg.Safety)`.
3. If `--dangerously-allow-anywhere`: log a warning to stderr
("safety checks bypassed"), skip steps 45.
4. If `TierRefuse`: print refuse banner to stderr, exit code 2.
5. If `TierWarn`: print warn banner to stderr, read a line from
stdin, exit cleanly if input is anything other than `y`/`Y`.
6. Always: print the context banner to stderr.
- [ ] Non-TTY stdout (piped, scripted use): refuse and warn tiers
still gate on stdin, but stdin not being a TTY means there's no
human to consent. Treat that as auto-`N` (abort). Override via
`--dangerously-allow-anywhere`.
- [ ] One-shot mode (`gnoma "prompt"`, prompt as positional arg):
same gating, same override flag. Non-interactive callers must
pass the flag.
### S-6 — TUI integration (banner display)
- [ ] The TUI is initialized after the safety check, so the banner
goes to stderr (visible above the TUI render). No change to TUI
itself for this plan.
- [ ] Optional follow-up: surface the safety state in the TUI status
bar (next to incognito / prefer indicators) — a small icon when
the user is in a warn-tier dir. Defer to a separate plan unless
it's trivial.
### S-7 — Tests
- [ ] `internal/safety/cwd_test.go` — table-driven:
- `/etc` → TierRefuse
- `/tmp` → TierWarn
- `$HOME` → TierWarn
- `$HOME/Documents/notes` → TierWarn
- `$HOME/git/some-repo` (with `.git/` present) → TierOK (project marker overrides home)
- `/var/log` → TierRefuse
- Random project dir with `go.mod` → TierOK
- [ ] `internal/safety/sensitive_test.go` — scanner cases:
- `t.TempDir()` with `.env`, `id_rsa`, `notes.txt` → 2 matches
- `t.TempDir()` with `.envrc` only → 0 matches (precision check)
- Empty dir → 0 matches
- Dir with 1500 entries (only first 1000 scanned, no panic)
- [ ] `internal/safety/banner_test.go` — golden-string render for
each tier with mocked session info.
- [ ] `cmd/gnoma/main_test.go` (or new integration test) — launching
with the `--dangerously-allow-anywhere` flag skips the gate.
### S-8 — Docs
- [ ] README — new "Safety" subsection under "Security":
- The three tiers and their meanings.
- `[safety]` config block reference.
- `--dangerously-allow-anywhere` flag.
- Cross-reference to the incognito flag and the firewall (they're
related but distinct layers).
- [ ] Update the existing CLAUDE.md / AGENTS.md if applicable.
---
## Open questions
- **What about `/workspace`, `/app`, or other container-typical
paths?** Containers often run gnoma from `/workspace` (devcontainer
default) or `/app`. These should be TierOK *because* they're
containerized. Detect via `/.dockerenv` or
`/run/.containerenv` and downgrade refuse-tier roots to warn
inside containers. Add to S-2.
- **Symlinks pointing into system dirs.** A symlink at
`~/etc-mirror -> /etc` shouldn't fool the classifier. Resolve cwd
with `filepath.EvalSymlinks` before classification.
- **Project-marker false positives.** A user with a stray `go.mod`
in `$HOME` (e.g. one-off experiments) would auto-promote to
TierOK. Acceptable — that user has signaled "this is a project
dir." Document the behavior so it doesn't surprise.
- **Banner verbosity for power users.** Show only when changed?
Compact mode? Defer until someone complains. The banner is short
enough that always-show is fine for v1.
---
## Out of scope
- Runtime path restrictions on tools. The permission system already
handles "should this tool run this command"; we don't duplicate it.
- Encrypted sensitive-file detection (encrypted `.env.gpg` files
etc.). Pattern-match only.
- Network sniffing for cwd-leaked content. Different layer.
- Auto-redaction of sensitive files from tool reads. The
outgoing-scan firewall is the right place for that, tracked
separately.
---
## Definition of done
- All S-1 through S-8 tasks checked.
- `make test` green; `make lint` green.
- Manual smoke: `cd / && gnoma` refuses with the expected message.
- `cd ~ && gnoma` warns with keypress prompt.
- `cd ~/git/some-repo && gnoma` enters cleanly with the context
banner only.
- `cd /etc && gnoma --dangerously-allow-anywhere` starts but logs
the bypass.
- `cd ~ && gnoma "test"` (one-shot prompt as positional arg, no
TTY) aborts unless the flag is passed.
- Sensitive-file scan correctly identifies `.env` and `id_rsa` in a
test dir; does not flag `.envrc`.
docs/superpowers/plans/2026-05-23-tool-router-specialization.md
+189
View File
@@ -0,0 +1,189 @@
# Tool-Router Specialization (functiongemma) — 2026-05-23
Follow-up to
[`2026-05-19-post-slm-unlock.md`](2026-05-19-post-slm-unlock.md)
Phase A, which shipped two-stage tool routing: round 1 sends a single
synthetic `select_category` tool with enum
`[read, write, search, exec, meta]`; round 2 sends only the chosen
category's real schemas. Today the same generalist SLM arm
(qwen3.5:4b / ministral-3:3b / tiny3.5 in typical local fleets) does
both jobs — trivial-prompt answering AND the category selection.
This plan tracks whether to specialize the round-1 selector by
plugging in Google's `functiongemma-270m-it` (288 MB, ~0.3 s TTFT)
as a dedicated **ToolRouter** arm role. **Decision is gated on
real telemetry.** No code commits to fine-tuning until the data says
it's worth it.
External advice considered (three independent reviewers, see session
2026-05-23): all three converge on "functiongemma fits as a tool-call
router, not as a chat model" and "fine-tuning is mandatory." The
sharpest critique: "prove you need this before building it." This
plan honors that — Phase A.2 is pure measurement; Phase A.3 fires
only if measurement shows a real gap.
---
## Why this is worth considering
gnoma's `select_category` task is a clean fit for functiongemma's
training shape:
- Single user turn → one structured call with one enum argument.
Matches **BFCL Multiple** territory (base 63.5 %, fine-tuned 85 %
on Mobile Actions per Google's card).
- The model's known weakness — parallel calls (BFCL Parallel 39) —
does not apply: round 1 is intentionally single-call.
- 0.3 s TTFT vs. ~1 s for a 1B+ generalist SLM is user-visible on
every turn that enters two-stage mode.
- 288 MB at int8 keeps it cheap to ship as a sidecar alongside
whatever real SLM the user runs.
## Why we shouldn't ship it as a default tomorrow
- Base BFCL Live Simple is 36 % and Live Multiple is 26 %. Without
fine-tuning on gnoma's 5-category taxonomy, accuracy is
unacceptable for a routing primitive.
- gnoma's user input is bilingual (DE / EN); functiongemma evals are
English-only. Bilingual fine-tuning data is required.
- We have no evidence that the *current* generalist-SLM router is
actually wrong often enough to justify replacing it. A 90 %-accurate
qwen3.5:4b makes functiongemma a solution looking for a problem.
- The fine-tuning pipeline (data collection → LoRA training → model
publication via Ollama / HF) lives outside gnoma's Go code. That
is weeks of side-project work, not a PR.
---
## Phase A.2 — Measurement (this plan's core)
**Goal:** answer "is the current select_category routing wrong often
enough to fix?" with logged evidence rather than vibes.
### Tasks
- [ ] Extend two-stage telemetry in `internal/engine/twostage.go` to
record per-turn:
- `user_turn` (redacted via existing firewall path if incognito).
- `available_tool_schemas` (tool names per registered category).
- `chosen_category` from round 1.
- `did_switch_category` flag in round 2+ (the model invoking a tool
from a category it did not pre-select).
- `arm_id` of the router (today: whichever SLM was active).
- [ ] Persist tuples to a new append-only JSONL file alongside
`quality_json.go`'s arm-quality store, e.g.
`~/.local/state/gnoma/twostage-traces.jsonl`. Same
incognito-suppression gate as quality.
- [ ] File mode 0o600 (matches Wave 2 security guidance).
- [ ] `gnoma router stats` gains a `--twostage` subcommand that
prints:
- Total round-1 selections.
- Did-switch rate (proxy for "wrong category in round 1").
- Distribution across the 5 categories.
- [ ] No behaviour change — this is observe-only.
### Exit criteria for Phase A.2
A user has run with telemetry for either **≥ 500 turns** *or* **two
weeks of normal use**, whichever comes first. The router-stats output
shows did-switch rate and category distribution.
### Go / no-go to Phase A.3
| did-switch rate | Action |
|---|---|
| **< 10 %** | **No-go.** Current generalist SLM is fine. Close this plan. Document the result. |
| **1020 %** | **Hold.** Try cheaper interventions first — better classifier prompts, category enum re-design (maybe 5 categories is wrong split), or a smarter Strengths matrix for the SLM arm. Re-measure. |
| **> 20 %** | **Go** to Phase A.3. There is a real accuracy problem and functiongemma is a plausible fix. |
---
## Phase A.3 — Specialization (conditional on A.2)
Only execute if Phase A.2 exits "Go." Otherwise this plan ends at
A.2's measurement output.
### A.3.1 — Dataset construction
- [ ] From the JSONL traces, build `(user_turn, available_tools,
expected_category)` pairs. `expected_category` is the
category that round 2 actually invoked (the model's revealed
preference), not the round-1 guess.
- [ ] Augment with synthetic German translations of the English
examples — bilingual coverage is non-negotiable for vikingowl's
workflow.
- [ ] Target dataset size: ≥ 2 000 pairs after augmentation.
- [ ] Split 80 / 10 / 10 train / val / test.
### A.3.2 — LoRA training pipeline
- [ ] Separate repo `gnoma-toolrouter-lora` (not in main gnoma tree
— Python tooling does not belong in the Go module).
- [ ] Unsloth or HF PEFT, rank-16 LoRA, single 4090 should suffice.
- [ ] Eval gate: ≥ 85 % top-1 category accuracy on held-out test set
before publishing weights.
- [ ] Publish merged GGUF to the maintainer's Ollama org or HF repo
so users can `ollama pull`.
### A.3.3 — Wire the ToolRouter arm role into gnoma
- [ ] New optional arm role distinct from `Strengths` — structural,
not task-type bias. Sketch:
```go
// internal/router/arm.go
type ArmRole int
const (
ArmRoleDefault ArmRole = iota
ArmRoleToolRouter // round-1 select_category specialist
ArmRoleChat // trivial-prompt SLM
)
type Arm struct {
// existing fields ...
Role ArmRole
}
```
- [ ] `internal/engine/twostage.go` queries the router for an arm
with `Role == ArmRoleToolRouter` for round 1. Falls back to the
active arm if none registered (today's behaviour preserved).
- [ ] Discovery (`internal/router/discovery.go`) auto-tags any model
whose name starts with `functiongemma` as `ArmRoleToolRouter`.
- [ ] Config (`[[arms]]` block) gains optional `role = "tool_router"`
override for users who fine-tuned their own router.
- [ ] Tests cover: ToolRouter arm registered → round 1 uses it;
no ToolRouter arm → round 1 uses active arm (no regression).
### A.3.4 — Safety and incognito coherence
- [ ] ToolRouter arm must be `IsLocal == true`. If somehow registered
with a cloud provider, refuse at registration time. (functiongemma
is open-weight, so this is a sanity check, not a real concern.)
- [ ] Incognito gating already enforced via the existing
`localOnly` filter — no new code needed, but add a test that
ToolRouter is reachable under incognito.
---
## Open questions
- **Is the 5-category split correct?** `read / write / search / exec /
meta` was chosen before there was data. Phase A.2's distribution
output may show one category is overloaded and another empty,
which would suggest re-cutting before any LoRA work.
- **Does the same logic generalize to TaskType classification?**
gnoma's existing classifier (`internal/router/classifier.go`) also
does an enum pick from user prose. If functiongemma works for
`select_category`, it might also replace the TaskType classifier.
Out of scope for this plan — flagged for a future one.
---
## What is *not* changing in the immediate routing-defaults work
The session that produced this plan also covers a routing-defaults
refresh (family-keyed `Strengths` + `MaxComplexity`, non-chat exclude
list, Gemma 4 / Ministral 3 / Qwen 3.5 vision-prefix updates). That
work proceeds independently. functiongemma is registered there as
`Disabled: true` with a comment pointing at this plan — it stays out
of auto-routing until Phase A.3 says otherwise.
docs/superpowers/plans/2026-05-24-config-migration.md
+356
View File
@@ -0,0 +1,356 @@
# Config Migration — 2026-05-24
Fixes the silent-corruption pattern in `internal/config/write.go`
that produces zero-spammed config files, adds reader-side telemetry
to surface the resulting layering bugs (`gnoma doctor`), ships an
active migration command (`gnoma upgrade-config`), wires automatic
project-level migration on startup, and introduces a per-user
project registry so all of the above can operate cross-project.
Surfaces in TODO.md as "Config write/merge — silent corruption of
layered configs" with five sub-items; this plan promotes that entry
out of the bullet form into a phased design.
---
## Problem
`setConfig()` in `internal/config/write.go` reads the existing TOML
into a zero-valued `Config` struct, mutates one field, and writes
the entire struct back out. The encoder doesn't skip zero values,
so every untouched field gets serialized at its Go default — empty
strings, zero ints, `false` bools, empty maps.
The next layered load (`Load()``toml.Decode` over multiple
files) then **does not** treat those present-but-zero fields as
"unset" — TOML's "present field wins" semantics mean those zeros
overwrite higher-priority layers. Concrete failure observed
2026-05-24:
- User's global `~/.config/gnoma/config.toml` has
`[router].prefer = "cloud"`.
- An earlier `gnoma config set ...` call generated a project-level
`.gnoma/config.toml` containing `[router].prefer = ""`.
- The merge collapses to `Prefer = ""`, which
`ParsePreferPolicy("")` maps to `PreferAuto`.
- The TUI's `/router` command reads `auto` despite the global
config saying `cloud`. No warning, no error — purely silent.
Same root cause produces zero-spammed global configs
(`max_tokens = 0`, `permission.mode = ""`, etc.) that silently
override sensible defaults in `internal/config/defaults.go`.
This affects every layered field — provider, permission, tools,
session, router, security, slm. Cannot be patched per-field;
needs a structural fix.
---
## Non-goals
- **Schema redesign.** The current `Config` struct stays as-is.
This plan addresses how it's written and read, not what fields
exist.
- **Validation.** Future work; `gnoma doctor` will flag obviously
invalid values (empty enum strings, etc.) but a full validation
pass against the schema is out of scope here.
- **Migration of the bandit-router quality JSON.** Unrelated file,
unrelated format, separate concerns.
---
## Approach overview
Five phases, in dependency order:
1. **Encoder fix** — stop generating zero-spam in the first place.
2. **Project registry**`~/.config/gnoma/projects.json` so later
phases can operate cross-project without filesystem walks.
3. **`gnoma doctor`** — read-only diagnostic, scans global +
project configs (via registry), reports zero-spam, invalid
enums, removed keys, and the effective-merged view.
4. **`gnoma upgrade-config`** — active migration with `.bak`
backup + diff output; targets one file or all known projects.
5. **Auto-migration on startup** — when launch detects a
zero-spammed project config, run upgrade-config silently with
a banner-line notice.
Phases 1 + 2 land first. 3 builds on 1 + 2. 4 builds on 3. 5
builds on 4.
---
## Phase 1 — Encoder fix
`setConfig()` is the bug generator. The TOML library
(`BurntSushi/toml`) supports `omitempty` on struct tags but the
project's `Config` struct doesn't use it. Three options:
### Option A — `omitempty` on all fields
Tag every field with `,omitempty`. The encoder skips fields at
their Go zero value. **Caveat:** conflates "unset" with
"explicitly zero" for primitive types — a user who actually
wants `max_keep = 0` (no session retention) loses that setting on
the next write.
### Option B — `pelletier/go-toml/v2` document model
Switch encoder to a TOML library that exposes a document AST.
Edit only the targeted key, preserve everything else byte-for-byte.
Cleaner semantics, bigger refactor — also affects the decoder side.
### Option C (chosen) — hybrid
Use `omitempty` for fields where the Go zero value is never
user-intent (strings, maps, slices). For numeric fields where 0
is a legitimate user choice, switch the field to a pointer
(`*int`, `*float64`) so `nil` means "unset" and `*0` means
"explicitly zero". On decode, fall back to defaults for nil
pointers in the resolution layer.
This keeps the existing BurntSushi library, preserves user intent
across the full type space, and limits churn to the fields where
the zero/unset ambiguity actually matters.
### Phase 1 task list
- **P1-1:** Audit every `Config`-tree field. Tag string/map/slice
fields with `,omitempty`. List numeric/bool fields that need
pointer conversion.
- **P1-2:** Convert numeric/bool fields requiring zero-vs-unset
distinction to pointers. Update construction sites and getters.
- **P1-3:** Add a `Resolve()` method on `Config` that walks the
struct and substitutes default values for nil pointers, called
exactly once at the end of `Load()`. All consumer code reads
resolved values; raw layered structs are internal.
- **P1-4:** Tests covering: (a) write-then-read roundtrip
preserves only user-set fields, (b) explicit zero (e.g.
`max_keep = 0`) survives the roundtrip, (c) field absent from
TOML resolves to default.
- **P1-5:** Backwards-compat: when reading an existing zero-spammed
file, the resolver must treat all-zeros-in-a-section as the
default — see Phase 5 for the heuristic.
---
## Phase 2 — Project registry
New file at `~/.config/gnoma/projects.json`:
```json
{
"projects": [
{
"path": "/home/user/git/foo",
"first_seen": "2026-04-15T10:30:00Z",
"last_seen": "2026-05-24T19:23:00Z",
"session_count": 47
}
]
}
```
### Phase 2 task list
- **P2-1:** Add `internal/config/registry.go` with `Registry`,
`Load`, `Save`, `Record(projectRoot)`, `Prune(staleAfter time.Duration)`.
- **P2-2:** Save uses atomic-write (temp file + `os.Rename`) so a
crash mid-write doesn't corrupt the file.
- **P2-3:** Call `Registry.Record(projectRoot)` from
`cmd/gnoma/main.go` right after the startup-safety banner
decides to proceed. Failure is logged at Warn level but never
blocks startup.
- **P2-4:** Add `[config].project_registry` toggle in defaults.go
(bool, default `true`). When `false`, Record is a no-op.
- **P2-5:** Document the file in README §Security as part of the
no-phone-home scope note: this is purely local, never sent.
- **P2-6:** Tests: round-trip, atomic-write under fault injection,
toggle off path.
---
## Phase 3 — `gnoma doctor`
New subcommand. Read-only. Scans:
- Global config at `GlobalConfigPath()`.
- Every project in the registry (or filesystem-scan fallback when
the registry is disabled or empty).
- Active profile (when profile mode is on).
Reports per-file:
- **Zero-spam fields** — present-with-zero where higher layer or
default has non-zero. The very thing this plan exists to fix.
- **Invalid enum values** — `permission.mode = ""`,
`router.prefer = "yes"`, etc. Use existing parsers to detect.
- **Unknown keys** — fields in the TOML that don't map to any
`Config` struct field. Decoder ignores these silently today;
doctor surfaces them.
- **Removed keys** — known-historical fields from older schema
versions; suggest removal.
Reports per-stack:
- **Effective-merged values** — what gnoma will actually use after
layering. Helps the user see whether a project file is masking
a global setting.
### Phase 3 task list
- **P3-1:** Add `cmd/gnoma/doctor_cmd.go` with the subcommand
scaffold.
- **P3-2:** `internal/config/doctor.go` with the scan logic;
exported `Diagnose(paths []string) []Finding`.
- **P3-3:** Output: human format by default, `--json` for
CI/script consumption.
- **P3-4:** Exit non-zero when findings have severity ≥ Warn so
doctor is CI-friendly.
- **P3-5:** `--all-projects` flag (default off; uses registry).
- **P3-6:** Tests covering each finding type.
---
## Phase 4 — `gnoma upgrade-config`
Active migration. Writes:
- Original file → `<path>.bak-YYYYMMDD-HHMMSS` (deterministic
timestamp suffix).
- Cleaned content → original path.
- Stdout: unified diff of what changed.
### Phase 4 task list
- **P4-1:** Add `cmd/gnoma/upgrade_config_cmd.go`.
- **P4-2:** `internal/config/upgrade.go` with `Upgrade(path string)`
→ reads file, applies the Phase 1 cleaning (drop fields equal to
their resolved default, keep explicit zeros that diverge from the
default via the pointer semantics).
- **P4-3:** Atomic two-step write: rename original to `.bak-...`,
then atomic-write new content to original path. Crash midway
leaves both files present, never the corrupted state.
- **P4-4:** `--all-projects` flag using the registry.
- **P4-5:** `--dry-run` prints diffs without writing.
- **P4-6:** Tests: round-trip of zero-spammed input → cleaned
output → identical re-read; idempotency (running twice yields
no second `.bak`).
---
## Phase 5 — Auto-migration on startup
When `Load()` parses a project `.gnoma/config.toml` and the
heuristic flags it as zero-spammed (every field at the Go zero
value, no user content), gnoma:
- Runs the Phase 4 upgrade in-process.
- Writes `.gnoma/config.toml.bak-...`.
- Emits a single line to the startup safety banner:
`config: migrated .gnoma/config.toml (see .bak)`.
- Continues startup with the cleaned config.
### Heuristic for "zero-spam"
A config section is zero-spam if **all** of these hold:
- Every primitive field present in the file is at its Go zero
value.
- No `[[arms]]`, `[[mcp_servers]]`, or `[[hooks]]` blocks (those
are always user content).
- File modification time ≥ 24h old (so we don't migrate a config
the user is actively editing).
If only some fields are zero and some are user-set, we don't touch
it — the user's mix of explicit zeros and meaningful values takes
precedence.
### Phase 5 task list
- **P5-1:** Add `isZeroSpam(*Config) bool` heuristic in
`internal/config/upgrade.go`.
- **P5-2:** Wire from `Load()` post-merge: if project layer
is_zero_spam → call Upgrade on the project file, log via banner.
- **P5-3:** Add `[config].auto_migrate` toggle, default `true`.
Global configs are never auto-migrated; only project-level.
- **P5-4:** Banner integration: the existing safety banner gets
a new optional line for "config notices" right under the
cwd/sensitivity summary.
- **P5-5:** Tests: zero-spam project file gets migrated; mixed
project file is left alone; recently-modified file is left
alone; auto_migrate=false disables.
---
## Cross-cutting: schemas and resolution
The pointer-field design (Phase 1) needs a clear resolution layer.
Proposal: every Config section gets a `Resolved...Section` mirror
that has plain (non-pointer) types. After Load, the resolver
populates one from the other, substituting defaults for nils.
Examples already exist in the codebase: `ResolvedSafetySection`
mirrors `SafetySection`. The pattern is established; we just need
to extend it.
Consumer-side: code reads from `cfg.Resolved.X` not `cfg.X`.
Loud renaming will catch any reader still using the raw layered
struct.
---
## Risks
- **Pointer-field migration is wide-scope.** Every reader of the
affected fields needs to change. Mitigated by the
resolver-mirror pattern (`ResolvedXSection`) — readers move from
one struct to another, but the call sites don't change shape.
- **Auto-migration writes silently.** Users might be surprised
even with the banner notice. Mitigated by `.bak` preservation
and the heuristic only firing on files that are obviously
zero-spam.
- **Registry becomes the same class of bug.** Documented in the
TODO entry already; Phase 2 explicitly requires atomic-write
and `omitempty` discipline. If we get this wrong the fix is the
same shape as Phase 1.
- **Privacy.** The registry is a list of directories the user has
worked in. Local-only, opt-out toggle, README note required.
- **Backwards compatibility for tests.** Tests that construct
`Config` by hand with explicit zeros may need updating.
Approach: add a `MustResolve` helper for test construction so
tests don't need to know about the pointer/resolver split.
---
## Rollout
Phases 1 + 2 ship together as a single release (encoder fix
needs the resolver, registry is independent but small). Tag as
`v0.4.0` — schema-touching changes warrant a minor bump per
the project's pre-1.0 semver discipline.
Phase 3 (`gnoma doctor`) can ship in a `v0.4.x` patch — it's
read-only and adds no surface compatibility risk.
Phase 4 (`gnoma upgrade-config`) ships in a follow-up `v0.4.x`.
Phase 5 (auto-migration) ships once Phase 4 has been in the wild
for at least one release cycle, so users have a way to opt in /
inspect before it becomes implicit.
---
## Open questions
- Should `gnoma doctor` also check that the `quality.json` file
is well-formed? Same dir, different concern — probably belongs
in doctor's scope as the umbrella "diagnose my gnoma install"
command.
- Registry size cap? After a year of usage on a busy machine
the file could grow to a few thousand entries. Reasonable; no
cap planned, but `Prune(staleAfter)` exposed for users who
want manual cleanup.
- Profiles: how do profile configs interact with the doctor /
upgrade flow? Default: treat each profile file as its own
upgradeable unit. Doctor lists findings per-profile.
docs/superpowers/plans/2026-05-24-sensitive-content-policy.md
+278
View File
@@ -0,0 +1,278 @@
# Sensitive Content — Unified Policy — 2026-05-24
Promotes the "sensitive-content handling — unified policy" TODO
entry into a phased design. Three input paths can introduce
sensitive content into the conversation context — pasted images,
pasted text, and tool-read files. Today each path has different
defences; this plan unifies them behind a single policy with a
single consent UI.
Sibling concerns:
[`2026-05-19-post-slm-unlock.md`](2026-05-19-post-slm-unlock.md)
Phase F (entropy detection) and the outgoing-scan firewall
already cover detection in some places; this plan unifies the
*decision* layer that sits in front of them.
---
## Problem
Three input paths to the engine carry distinct sensitivity
risks; each is handled differently today.
### Path 1 — Pasted images (Ctrl+V in the TUI)
Screenshot might contain API keys, terminal output with creds,
private repo contents, family photos, etc. Today:
- Image bytes land in the user cache dir.
- The router only sends to vision-capable arms.
- Local arms are fine; cloud arms send full image content to
the provider.
- Incognito skips paste entirely (per the no-persistence
contract).
What's missing: at-paste preview / warning. The user often does
not realise what the screenshot contained until after it's been
sent.
### Path 2 — Pasted text
User pastes a chunk into the input composer. Could be a log
snippet with credentials, an `.env` file content, an SSH key,
or just text. Today:
- Goes straight into the input buffer with no scanning.
- Outgoing firewall scans the final composed message before
send — *after* the user has already pressed Enter, often
redacting silently in the background.
- The user sees `[REDACTED]` in their own message after the
fact, no consent step.
What's missing: at-paste detection so the user sees the warning
*before* committing to send.
### Path 3 — Tool-read files
`fs_read`, `bash`, etc. surface file contents to the model. Today:
- Outgoing firewall scans tool *results* before they reach the
next provider turn (`ScanToolResult`).
- Format-aware entropy detection (Phase F-1) reduces false
positives on UUIDs / SHA / ISO timestamps.
- The audit log (just shipped) records what got blocked /
redacted per session.
What's missing: nothing structurally on this path; it's the
most-mature of the three. Listed here only for completeness so
the unified policy can be honest about asymmetric coverage.
### The unification question
These three paths converge into "content that joins the context
window." A consistent policy needs to answer, for each path:
1. **When** does detection run? (at paste / at send / at receive)
2. **What** does the user see? (warning / preview / redacted
placeholder / silent)
3. **What** is their consent gate? (approve / deny / approve-with-
redaction / skip)
4. **Where** is the action recorded? (audit log, banner, slog)
Today the answers vary per path. This plan picks one set of
answers and applies them everywhere.
---
## Non-goals
- **New detectors.** This plan reuses the existing scanner
(regex + entropy + unicode-sanitize). Phase F-2's SLM-assisted
detector lands separately when telemetry warrants.
- **Egress allowlist.** Tracked in the security-boundary TODO
entry, separate plan.
- **Provider-side redaction.** That's the provider's problem.
This plan is about what leaves gnoma's process.
---
## Approach
Single policy module: `internal/security/sensitive_policy.go`.
Exposes one decision function:
```go
type Decision int
const (
DecisionAllow Decision = iota
DecisionWarn // show warning, allow on confirm
DecisionRedactAndAllow
DecisionBlock
)
type Inspection struct {
Path string // "paste_text", "paste_image", "tool_result"
Content string // for text paths
ImageBytes []byte // for image paths; nil otherwise
Matches []scanner.Match // pre-scanned hits
}
func Decide(insp Inspection, mode IncognitoMode, prefs Preferences) Decision
```
All three paths route through `Decide` with their own
`Inspection`. UI surface — the at-paste prompt, the at-send
warning, the redacted-placeholder view — sits in the TUI and is
driven by the Decision value.
### Path-specific wiring
| Path | When | UI | Default Decision rules |
|---|---|---|---|
| paste_text | Ctrl+V into composer | Inline warning under input box, with `Tab` to expand match details | Match in scanner → `Warn` (text stays, user dismisses); explicit block-tier match → `Block` (paste dropped) |
| paste_image | Ctrl+V image | Pre-paste OCR scan (small local model) + warning before insertion | OCR finds secret pattern → `Warn`; user can choose `Redact` (image kept, warning attached) or `Cancel`. Incognito → `Block` (already today). |
| tool_result | After tool runs | Banner: `firewall: redacted N items in this tool result` | Existing behaviour. `Decide` invoked just to keep the API surface consistent; matches go to audit log. |
### Preferences
New `[security.sensitive]` config section:
```toml
[security.sensitive]
warn_on_paste_text = true # default true
warn_on_paste_image = true # default true
ocr_image_paste = false # opt-in: requires local vision arm
auto_redact = false # default false: ask first, redact second
silent_tool_results = false # default false: show banner when redactions happen
```
### Incognito interaction
When incognito is active, **every** Decision is treated as either
`Block` or `RedactAndAllow` — never `Warn`-then-`Allow`. Incognito
implies "I don't trust this conversation to persist"; the
sensible default is to be strict about what flows in.
---
## Phases
### Phase A — Policy module + config
- **A-1:** Add `[security.sensitive]` section to config.go with
the four flags above.
- **A-2:** Add `internal/security/sensitive_policy.go` with
`Inspection`, `Decision`, `Decide`.
- **A-3:** Unit tests for the decision matrix.
### Phase B — Path 2 (pasted text)
Highest user-visible payoff for the smallest surface.
- **B-1:** TUI input composer intercepts paste, runs
`Decide(paste_text, ...)` before the bytes enter the buffer.
- **B-2:** Decision = Warn → status-line warning, paste still
goes in. `Tab` expands details.
- **B-3:** Decision = Block → paste discarded, status line
explains why; user can override with `Ctrl+Shift+V`
(force-paste) which bypasses but writes to audit log.
- **B-4:** Tests: paste-of-known-secret triggers warning;
redacted variant shows what would have been sent.
### Phase C — Path 3 (tool-results) banner
- **C-1:** When `ScanToolResult` redacts ≥1 item, the engine
emits a system message: `firewall: redacted 2 items in
read-file output (see audit log)`.
- **C-2:** Gated behind `silent_tool_results = false` default.
Users who already trust the firewall can flip it on.
- **C-3:** Tests: integration test asserting the system
message appears.
### Phase D — Path 1 (pasted images)
Most complex. Image OCR requires a local vision model; without
one the paste falls back to today's behaviour.
- **D-1:** Add OCR hook: when `ocr_image_paste = true` and a
vision-capable local arm is available, run a small OCR pass
over the image before insertion.
- **D-2:** Feed OCR output through the regex/entropy scanner.
Matches → `Decide(paste_image, ...)` with the original image
attached.
- **D-3:** TUI shows a preview thumbnail + warning before
insertion confirmation.
- **D-4:** Without a vision arm: feature degrades gracefully
(no OCR, paste proceeds as today, banner notes "image paste
scan unavailable — no local vision arm").
### Phase E — Audit log integration
All four Decision outcomes get an audit entry. The audit log
already has the file format from the security-boundary work;
just need to define new Action values:
- `paste_warn`, `paste_block`, `paste_force_override`
- `image_paste_warn`, `image_paste_block`, `image_paste_ocr_skip`
- `tool_result_banner` (when redactions surfaced to user)
---
## Risks
- **OCR adds latency to paste.** Bad UX if image OCR takes >300ms.
Mitigation: hard-cap OCR time at 500ms, skip if exceeded, fall
back to no-scan path with banner notice. Local vision models on
consumer hardware should comfortably make this budget.
- **False positives on text paste become annoying.** If
`warn_on_paste_text = true` fires on every code snippet, users
turn it off and the protection is gone. Use the same
entropy_safelist Phase F-1 ships (uuid/sha/iso8601/url) — those
are the high-FP categories.
- **OCR introduces a new attack surface.** A malicious image could
exploit the OCR model. Mitigation: only local-arm OCR (the
attacker's input never leaves the machine); never call cloud
vision models for OCR (would defeat the privacy purpose).
- **Phase D depends on having a local vision model.** Users without
one get degraded UX. Document this clearly; consider whether to
ship a small bundled OCR-tuned model (probably no — adds 100MB+
to install).
---
## Open questions
- Should there be a "trusted projects" list where the warnings
are suppressed? Could live in the project registry (sibling
plan). Useful for monorepos where the user explicitly trusts
the local code.
- The `Ctrl+Shift+V` force-paste override is a footgun. Do we
want a confirm-second-time dialog, or just the keybind?
- Should clipboard contents be cleared from the host clipboard
after a sensitive paste? Cross-platform-tricky; defer.
- Sensitive-pattern feedback loop: when a user dismisses a warning
as "this isn't a secret", do we learn from that? Privacy concern
— would need an explicit opt-in.
---
## Rollout
Phases A + B + C land together as one feature release. Phase D
(image OCR) is opt-in (`ocr_image_paste = true`) and can land in
a follow-up patch — its surface is large and benefits from real-
world UX feedback. Phase E threads through all four; it lands
incrementally per phase, not as a single batch.
Realistic target: Phase A/B/C in v0.5.0; Phase D in v0.5.x. All
behaviour is gated behind the four config flags so existing users
who don't opt in see no behavioural change.
---
## Cross-references
- TODO.md entry "Sensitive-content handling — unified policy"
- [`2026-05-19-post-slm-unlock.md`](2026-05-19-post-slm-unlock.md) — Phase F entropy detection
- [`2026-05-19-security-wave2-incognito.md`](2026-05-19-security-wave2-incognito.md) — incognito-mode contract
- TODO.md entry "Security boundary — egress controls + session audit log" — the audit log this plan piggybacks on
go.mod
+6 -6
View File
@@ -7,13 +7,15 @@ require (
charm.land/bubbletea/v2 v2.0.2
charm.land/glamour/v2 v2.0.0
charm.land/lipgloss/v2 v2.0.2
cloud.google.com/go/auth v0.19.0
github.com/BurntSushi/toml v1.6.0
github.com/VikingOwl91/mistral-go-sdk v1.3.0
github.com/anthropics/anthropic-sdk-go v1.29.0
github.com/atotto/clipboard v0.1.4
github.com/charmbracelet/x/ansi v0.11.6
github.com/openai/openai-go v1.12.0
github.com/pkoukk/tiktoken-go v0.1.8
golang.org/x/text v0.35.0
golang.org/x/text v0.37.0
google.golang.org/genai v1.52.1
gopkg.in/yaml.v3 v3.0.1
mvdan.cc/sh/v3 v3.13.0
@@ -21,10 +23,8 @@ require (
require (
cloud.google.com/go v0.123.0 // indirect
cloud.google.com/go/auth v0.19.0 // indirect
cloud.google.com/go/compute/metadata v0.9.0 // indirect
github.com/alecthomas/chroma/v2 v2.23.1 // indirect
github.com/atotto/clipboard v0.1.4 // indirect
github.com/aymerick/douceur v0.2.0 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/charmbracelet/colorprofile v0.4.2 // indirect
@@ -63,10 +63,10 @@ require (
go.opentelemetry.io/otel v1.42.0 // indirect
go.opentelemetry.io/otel/metric v1.42.0 // indirect
go.opentelemetry.io/otel/trace v1.42.0 // indirect
golang.org/x/crypto v0.49.0 // indirect
golang.org/x/net v0.52.0 // indirect
golang.org/x/crypto v0.51.0 // indirect
golang.org/x/net v0.55.0 // indirect
golang.org/x/sync v0.20.0 // indirect
golang.org/x/sys v0.42.0 // indirect
golang.org/x/sys v0.45.0 // indirect
google.golang.org/api v0.267.0 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d // indirect
google.golang.org/grpc v1.79.3 // indirect
go.sum
+8 -8
View File
@@ -142,18 +142,18 @@ go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2W
go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
go.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4LenLmOYY=
go.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc=
golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI=
golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8=
golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
google.golang.org/api v0.267.0 h1:w+vfWPMPYeRs8qH1aYYsFX68jMls5acWl/jocfLomwE=
internal/config/config.go
+92
View File
@@ -17,6 +17,7 @@ type Config struct {
Session SessionSection `toml:"session"`
SLM SLMSection `toml:"slm"`
Router RouterSection `toml:"router"`
Safety SafetySection `toml:"safety"`
CLIAgents CLIAgentsSection `toml:"cli_agents"`
Arms []ArmConfig `toml:"arms"`
Hooks []HookConfig `toml:"hooks"`
@@ -93,12 +94,103 @@ type CLIAgentsSection map[string]string
// RouterSection holds router-level overrides. Most routing decisions are
// driven automatically by arm capabilities and the bandit; this section
// exists for the rare overrides that don't fit elsewhere.
// SafetySection controls the pre-launch dir-safety classifier — refuse
// in system roots, warn+keypress in $HOME and other dumping grounds,
// OK inside any git repo or project marker. Always shows a context
// banner regardless of tier. See
// docs/superpowers/plans/2026-05-23-startup-safety-banner.md.
type SafetySection struct {
// RefuseInSystemDirs gates the refuse path. When false, system
// roots like / and /etc are treated as warn-tier instead of refuse.
// Default: true.
RefuseInSystemDirs *bool `toml:"refuse_in_system_dirs"`
// WarnInHome gates the warn-tier check for $HOME and common
// dumping grounds (~/Desktop, ~/Downloads, /tmp). When false,
// these all become OK-tier (banner still shown). Default: true.
WarnInHome *bool `toml:"warn_in_home"`
// RequireProjectMarker, when true, treats any directory without
// a recognized project marker as warn-tier (even inside a git
// repo). Default: false — git repo is enough by default.
RequireProjectMarker bool `toml:"require_project_marker"`
}
// ResolvedSafety returns the effective Safety settings with defaults
// applied for any unset pointer fields. Pointer fields are used in the
// struct so we can distinguish "user omitted the key" from "user set
// it to false."
func (s SafetySection) ResolvedSafety() ResolvedSafetySection {
refuse := true
if s.RefuseInSystemDirs != nil {
refuse = *s.RefuseInSystemDirs
}
warn := true
if s.WarnInHome != nil {
warn = *s.WarnInHome
}
return ResolvedSafetySection{
RefuseInSystemDirs: refuse,
WarnInHome: warn,
RequireProjectMarker: s.RequireProjectMarker,
}
}
// ResolvedSafetySection is the SafetySection with defaults applied.
// Consumers (cmd/gnoma/main.go, internal/safety) read this rather than
// the raw config to avoid re-deriving defaults at each call site.
type ResolvedSafetySection struct {
RefuseInSystemDirs bool
WarnInHome bool
RequireProjectMarker bool
}
type RouterSection struct {
// ForceTwoStage forces the two-stage tool-routing path regardless of
// arm context window. Useful for debugging or for forcing the behavior
// on a large local model. Defaults to false: two-stage activates
// automatically on local arms with context window <= 16k.
ForceTwoStage bool `toml:"force_two_stage"`
// Prefer biases routing toward local arms ("local"), cloud arms
// ("cloud"), or leaves the tier-based selection unchanged ("auto").
// Default: "auto". Implemented as a soft score multiplier — does
// not hard-filter the dispreferred set. Forced arms (--provider X)
// and incognito take priority over this knob. See
// docs/superpowers/plans/2026-05-23-prefer-routing-policy.md.
Prefer string `toml:"prefer"`
// Bandit exposes the selector's tuning knobs. Defaults preserve
// previous hard-coded behaviour exactly; only set these when you
// need to tune the EMA quality tracker for an unusual workload.
Bandit BanditSection `toml:"bandit"`
}
// BanditSection holds the scoring knobs for the EMA quality tracker
// and the score blend used by the selector. Each field has a sentinel
// zero value that means "use the built-in default" so an empty TOML
// block is byte-identical to pre-config behaviour. See
// internal/router/feedback.go and internal/router/selector.go for the
// formulas these knobs feed into.
type BanditSection struct {
// QualityAlpha is the EMA smoothing factor for arm-quality
// observations. Larger values weight recent observations more.
// Default: 0.3 (~3-sample memory). 0.0 here means "use default".
QualityAlpha float64 `toml:"quality_alpha"`
// MinObservations is the minimum number of samples required
// before observed EMA overrides the heuristic fallback. Default:
// 3. 0 here means "use default".
MinObservations int `toml:"min_observations"`
// ObservedWeight is the weight of the observed EMA in the
// observed/heuristic blend inside scoreArm: the final quality is
// `observed*W + heuristic*(1-W)`. Default: 0.7. 0.0 here means
// "use default".
ObservedWeight float64 `toml:"observed_weight"`
// StrengthBonus is the quality bonus added when an arm declares
// the current task type in its Strengths list. Default: 0.15.
// 0.0 here means "use default".
StrengthBonus float64 `toml:"strength_bonus"`
}
// MCPServerConfig defines an MCP server to start and connect to.
internal/provider/google/provider_test.go
+1 -1
View File
@@ -38,7 +38,7 @@ func TestTryLoadOAuthCredentials_Formats(t *testing.T) {
name: "camelCase and milliseconds expiry",
data: oauthCreds{
AccessToken2: "token-camel",
ExpiresAt: time.Now().Add(1 * time.Hour).UnixNano() / 1e6,
ExpiresAt: time.Now().Add(1*time.Hour).UnixNano() / 1e6,
TokenType2: "Bearer",
},
expectError: false,
internal/provider/openai/provider.go
+14
View File
@@ -132,6 +132,17 @@ func (p *Provider) fallbackModels() []provider.ModelInfo {
MaxOutput: 32000,
},
},
{
ID: "gpt-5.3-codex", Name: "GPT-5.3 Codex", Provider: p.name,
Capabilities: provider.Capabilities{
ToolUse: true,
JSONOutput: true,
Vision: true,
ThinkingModes: []provider.EffortLevel{provider.EffortLow, provider.EffortMedium, provider.EffortHigh},
ContextWindow: 400000,
MaxOutput: 32000,
},
},
{
ID: "gpt-5.2", Name: "GPT-5.2 Thinking", Provider: p.name,
Capabilities: provider.Capabilities{
@@ -205,6 +216,9 @@ func inferOpenAIModelCapabilities(modelID string) provider.Capabilities {
case "gpt-5.5", "gpt-5.5-pro":
caps.ContextWindow = 1_000_000
caps.MaxOutput = 32000
case "gpt-5.3-codex":
caps.ContextWindow = 400000
caps.MaxOutput = 32000
case "gpt-5.2", "gpt-5.2-chat-latest":
caps.ContextWindow = 400000
caps.MaxOutput = 32000
internal/provider/ratelimits.go
+3
View File
@@ -140,6 +140,9 @@ func openaiDefaults() ProviderDefaults {
"gpt-5.5": {RPM: 500, TPM: 30_000, RPD: 10_000},
"gpt-5.5-pro": {RPM: 500, TPM: 30_000, RPD: 10_000},
"gpt-5.5-2026-04-23": {RPM: 500, TPM: 30_000, RPD: 10_000},
// GPT-5.3 Codex (coding-specialist branch).
"gpt-5.3-codex": {RPM: 500, TPM: 200_000, RPD: 10_000},
"gpt-5.3-codex-2026-02-15": {RPM: 500, TPM: 200_000, RPD: 10_000},
// GPT-5.2 generation.
"gpt-5.2": {RPM: 500, TPM: 200_000, RPD: 10_000},
"gpt-5.2-chat-latest": {RPM: 500, TPM: 200_000, RPD: 10_000},
internal/provider/subprocess/agent.go
+12 -1
View File
@@ -109,8 +109,19 @@ var knownAgents = []CLIAgent{
// structured-output flag and no image-input mechanism. JSON support
// is faked via PromptResponseFormat (best-effort, model-dependent);
// see TODO.md for tracking native stream-json support.
//
// ToolUse is false on purpose. agy streams plain text and the
// agyParser turns every line into an EventTextDelta — there is
// no path for a structured ToolCall event to come back. With
// ToolUse=true the router would dispatch tool-needing tasks
// (security_review, spawn_elfs, file edit) to agy; the
// underlying Gemini model would describe calling the tool in
// prose (invented UUIDs and "I will pause now"-style stubs),
// the engine would receive only text, and the turn would hang
// waiting for a tool call that never arrives. Flip back to
// true when native stream-json lands.
Capabilities: provider.Capabilities{
ToolUse: true,
ToolUse: false,
ContextWindow: 200000,
},
PromptResponseFormat: true,
internal/provider/subprocess/codex_test.go
+106
View File
@@ -195,6 +195,112 @@ func TestCodexParser_UsageMaxOfPaths(t *testing.T) {
}
}
func TestCodexParser_CachedInputTokens(t *testing.T) {
// codex 0.133.0 reports input_tokens as the TOTAL input (cache hits
// + new). To keep message.Usage.Add() correct — which sums
// InputTokens and CacheReadTokens as peers, not subsets — store
// the uncached residual in InputTokens and the hits separately.
// This matches the Anthropic provider's convention.
p := newCodexParser()
line := []byte(`{"type":"turn.completed","usage":{"input_tokens":17712,"cached_input_tokens":4992,"output_tokens":5}}`)
evts, err := p.ParseLine(line)
if err != nil {
t.Fatal(err)
}
if len(evts) != 1 || evts[0].Type != stream.EventUsage {
t.Fatalf("expected single EventUsage, got %+v", evts)
}
got := evts[0].Usage
if got.InputTokens != 12720 {
t.Errorf("InputTokens = %d, want 17712-4992 = 12720 (uncached residual)", got.InputTokens)
}
if got.CacheReadTokens != 4992 {
t.Errorf("CacheReadTokens = %d, want 4992", got.CacheReadTokens)
}
if got.OutputTokens != 5 {
t.Errorf("OutputTokens = %d, want 5", got.OutputTokens)
}
}
func TestCodexParser_ReasoningOutputTokens(t *testing.T) {
// reasoning_output_tokens appears at top level as a peer to
// output_tokens (codex 0.133.0). The peer positioning implies a
// separate billable counter, not a subset of output_tokens — so
// fold it into OutputTokens for accurate cost tracking.
p := newCodexParser()
line := []byte(`{"type":"turn.completed","usage":{"input_tokens":100,"output_tokens":50,"reasoning_output_tokens":200}}`)
evts, err := p.ParseLine(line)
if err != nil {
t.Fatal(err)
}
if len(evts) != 1 || evts[0].Type != stream.EventUsage {
t.Fatalf("expected single EventUsage, got %+v", evts)
}
if got := evts[0].Usage.OutputTokens; got != 250 {
t.Errorf("OutputTokens = %d, want 50 + 200 = 250", got)
}
}
func TestCodexParser_ZeroReasoningIsNoOp(t *testing.T) {
// Live codex 0.133.0 sample: 0 reasoning tokens (non-thinking
// model). Folding still produces the original output count.
p := newCodexParser()
line := []byte(`{"type":"turn.completed","usage":{"input_tokens":100,"output_tokens":5,"reasoning_output_tokens":0}}`)
evts, err := p.ParseLine(line)
if err != nil {
t.Fatal(err)
}
if got := evts[0].Usage.OutputTokens; got != 5 {
t.Errorf("OutputTokens = %d, want 5", got)
}
}
func TestCodexParser_CachedExceedsInputDoesNotUnderflow(t *testing.T) {
// Defensive: if a future codex build reports cached > input
// (schema drift, off-by-one), don't produce negative InputTokens.
p := newCodexParser()
line := []byte(`{"type":"turn.completed","usage":{"input_tokens":100,"cached_input_tokens":150}}`)
evts, err := p.ParseLine(line)
if err != nil {
t.Fatal(err)
}
if got := evts[0].Usage.InputTokens; got < 0 {
t.Errorf("InputTokens = %d, must not be negative", got)
}
if got := evts[0].Usage.CacheReadTokens; got != 150 {
t.Errorf("CacheReadTokens = %d, want 150 (recorded verbatim)", got)
}
}
func TestCodexParser_LiveSampleFromV0133(t *testing.T) {
// Verbatim line from the 2026-05-22 live `codex exec ... --json`
// run on codex-cli 0.133.0 — regression guard against schema drift.
p := newCodexParser()
line := []byte(`{"type":"turn.completed","usage":{"input_tokens":17712,"cached_input_tokens":4992,"output_tokens":5,"reasoning_output_tokens":0}}`)
evts, err := p.ParseLine(line)
if err != nil {
t.Fatal(err)
}
if len(evts) != 1 || evts[0].Type != stream.EventUsage {
t.Fatalf("expected single EventUsage, got %+v", evts)
}
got := evts[0].Usage
if got.InputTokens != 12720 {
t.Errorf("InputTokens = %d, want 12720", got.InputTokens)
}
if got.OutputTokens != 5 {
t.Errorf("OutputTokens = %d, want 5", got.OutputTokens)
}
if got.CacheReadTokens != 4992 {
t.Errorf("CacheReadTokens = %d, want 4992", got.CacheReadTokens)
}
}
func TestCodexParser_FixtureFile(t *testing.T) {
lines := loadFixture(t, "codex")
p := newCodexParser()
internal/provider/subprocess/format.go
+25 -6
View File
@@ -275,10 +275,12 @@ type codexItem struct {
}
type codexUsage struct {
InputTokens int64 `json:"input_tokens"`
OutputTokens int64 `json:"output_tokens"`
PromptTokens int64 `json:"prompt_tokens"`
CompletionTokens int64 `json:"completion_tokens"`
InputTokens int64 `json:"input_tokens"`
OutputTokens int64 `json:"output_tokens"`
PromptTokens int64 `json:"prompt_tokens"`
CompletionTokens int64 `json:"completion_tokens"`
CachedInputTokens int64 `json:"cached_input_tokens"`
ReasoningOutputTokens int64 `json:"reasoning_output_tokens"`
}
func (p *codexParser) ParseLine(line []byte) ([]stream.Event, error) {
@@ -320,11 +322,28 @@ func (p *codexParser) ParseLine(line []byte) ([]stream.Event, error) {
if ev.Usage.CompletionTokens > output {
output = ev.Usage.CompletionTokens
}
// codex (OpenAI Responses API semantics) reports input_tokens
// as the TOTAL input including cache hits. message.Usage.Add()
// sums InputTokens and CacheReadTokens as peers, so store the
// uncached residual here and the hit count separately —
// matches the anthropic provider. Clamp at zero in case a
// future codex build reports cached > input due to schema drift.
if ev.Usage.CachedInputTokens > 0 {
input -= ev.Usage.CachedInputTokens
if input < 0 {
input = 0
}
}
// reasoning_output_tokens appears at top level as a peer to
// output_tokens. Treat as a separately billable counter (not a
// nested subset) and fold in for accurate spend.
output += ev.Usage.ReasoningOutputTokens
return []stream.Event{{
Type: stream.EventUsage,
Usage: &message.Usage{
InputTokens: input,
OutputTokens: output,
InputTokens: input,
OutputTokens: output,
CacheReadTokens: ev.Usage.CachedInputTokens,
},
StopReason: message.StopEndTurn,
}}, nil
internal/router/bench_test.go
+4 -4
View File
@@ -57,12 +57,12 @@ func benchTasks() []Task {
func BenchmarkSelectBest(b *testing.B) {
arms := benchArms()
tasks := benchTasks()
qt := NewQualityTracker()
qt := NewQualityTracker(0, 0)
b.ResetTimer()
for b.Loop() {
for _, task := range tasks {
selectBest(qt, arms, task)
selectBest(qt, BanditParams{}, arms, task, PreferAuto)
}
}
}
@@ -99,13 +99,13 @@ func BenchmarkRouterSelect(b *testing.B) {
func BenchmarkScoreArm(b *testing.B) {
arms := benchArms()
qt := NewQualityTracker()
qt := NewQualityTracker(0, 0)
task := Task{Type: TaskGeneration, Priority: PriorityNormal, EstimatedTokens: 2000, RequiresTools: true, ComplexityScore: 0.5}
b.ResetTimer()
for b.Loop() {
for _, arm := range arms {
scoreArm(qt, arm, task)
scoreArm(qt, BanditParams{}, arm, task)
}
}
}
internal/router/defaults.go
+398
View File
@@ -0,0 +1,398 @@
package router
import (
"regexp"
"strconv"
"strings"
)
// FamilyDefaults are the per-model-family routing defaults applied at
// discovery time when the user has not supplied an [[arms]] override in
// config. Populated from the benchmark snapshot dated 2026-05-23
// (artificialanalysis.ai v4.0, llm-stats.com, kilo.ai); see
// docs/superpowers/plans/2026-05-23-routing-defaults-refresh.md for
// rationale per entry.
//
// Zero-valued fields mean "router default" — only non-zero fields are
// applied. That keeps the table honest: an unset MaxComplexity stays 0
// (no ceiling) rather than getting a fake value.
//
// For families that span a wide parameter range (ministral-3 from
// 3B to 14B, qwen3 from 4B to 14B, tiny3.5 from 0.5B to 1.5B), use
// SizeCaps instead of MaxComplexity. The first SizeCap whose
// MinSizeB threshold the parsed model size meets wins; entries must
// be ordered largest-first.
type FamilyDefaults struct {
Strengths []TaskType
MaxComplexity float64
CostWeight float64
Disabled bool
SizeCaps []SizeCap
}
// SizeCap maps a minimum parameter count (in billions) to a
// MaxComplexity ceiling. Used in FamilyDefaults.SizeCaps when a family
// covers many sizes that warrant different ceilings.
type SizeCap struct {
MinSizeB float64
Cap float64
}
// knownFamilyDefaults is the family-prefix → defaults lookup table.
// Matching is longest-prefix-wins via ResolveFamilyDefaults, so
// "qwen3-coder" beats "qwen3" beats "qwen". Keys are matched against the
// model ID with case-insensitive prefix; namespace prefixes ending in "/"
// are stripped before matching (so reecdev/tiny3.5:1.5b also matches
// "tiny3.5").
//
// See the routing-defaults-refresh plan for the rationale per row.
// functiongemma is the only Disabled entry; everything else is auto-
// routable. Coder-family Strengths lean on the SWE-bench / Aider /
// HumanEval rankings in the 2026-05-23 snapshot; reasoning-family
// Strengths lean on MMLU / MATH / GPQA.
var knownFamilyDefaults = map[string]FamilyDefaults{
// --- Coder specialists --------------------------------------------------
"qwen3-coder": {
Strengths: []TaskType{TaskGeneration, TaskRefactor, TaskDebug},
MaxComplexity: 0.85, // 30B-A3B; 44.3% SWE-Bench Pro
},
"qwen2.5-coder": {
Strengths: []TaskType{TaskGeneration, TaskRefactor, TaskUnitTest},
MaxComplexity: 0.70, // 14B; Aider 73.7
},
"devstral": {
Strengths: []TaskType{TaskGeneration, TaskRefactor, TaskDebug},
MaxComplexity: 0.85, // 24B; 68% SWE-bench Verified, vision-capable
},
"yi-coder": {
Strengths: []TaskType{TaskGeneration, TaskRefactor},
MaxComplexity: 0.55, // 9B; HumanEval 85.4
},
"deepseek-coder": {
Strengths: []TaskType{TaskGeneration, TaskRefactor},
MaxComplexity: 0.65, // V2 Lite MoE; 16B-quality at 3B-speed
},
"starcoder": {
Strengths: []TaskType{TaskGeneration},
MaxComplexity: 0.45, // fill-in-middle specialist
},
// --- Reasoning specialists ----------------------------------------------
"phi-4-mini": {
Strengths: []TaskType{TaskBoilerplate, TaskExplain},
MaxComplexity: 0.35, // 3.8B compact
},
"phi-4": {
Strengths: []TaskType{TaskPlanning, TaskDebug, TaskReview},
MaxComplexity: 0.65, // 14B; MMLU 84.8, HumanEval 82.6
},
// --- Gemma family -------------------------------------------------------
"gemma4-e": { // Ollama-style edge ("gemma4-e4b-uc:latest")
Strengths: []TaskType{TaskExplain, TaskBoilerplate},
MaxComplexity: 0.45,
},
"gemma-4-e": { // GGUF-style edge ("gemma-4-e2b-it", "gemma-4-e4b-it")
Strengths: []TaskType{TaskExplain, TaskBoilerplate},
MaxComplexity: 0.45,
},
"gemma4": { // base ~9B multimodal
Strengths: []TaskType{TaskExplain, TaskReview, TaskGeneration},
MaxComplexity: 0.70,
},
"gemma-4": { // GGUF base variant — catch-all under hyphenated naming
Strengths: []TaskType{TaskExplain, TaskReview, TaskGeneration},
MaxComplexity: 0.70,
},
"gemma3": {
Strengths: []TaskType{TaskExplain, TaskReview},
MaxComplexity: 0.55,
},
"gemma2": {
Strengths: []TaskType{TaskExplain},
MaxComplexity: 0.40,
},
// --- Qwen family (size-keyed for the variants that span ranges) --------
"qwen3.5": {
Strengths: []TaskType{TaskBoilerplate, TaskExplain, TaskOrchestration},
SizeCaps: []SizeCap{
{MinSizeB: 9, Cap: 0.65}, // 9B distill (e.g. qwen3.5-9b-glm5.1-distill-v1)
{MinSizeB: 4, Cap: 0.50},
{MinSizeB: 0, Cap: 0.40},
},
},
"qwen3": {
Strengths: []TaskType{TaskGeneration, TaskRefactor, TaskDebug},
SizeCaps: []SizeCap{
{MinSizeB: 14, Cap: 0.75},
{MinSizeB: 7, Cap: 0.65},
{MinSizeB: 0, Cap: 0.50},
},
},
"qwen2.5": {
Strengths: []TaskType{TaskExplain, TaskRefactor},
SizeCaps: []SizeCap{
{MinSizeB: 14, Cap: 0.65},
{MinSizeB: 7, Cap: 0.55},
{MinSizeB: 0, Cap: 0.40},
},
},
"qwen": { // catch-all for unmatched Qwen variants
Strengths: []TaskType{TaskExplain},
MaxComplexity: 0.40,
},
// --- Mistral / Ministral families --------------------------------------
"ministral-3": {
Strengths: []TaskType{TaskOrchestration, TaskPlanning},
SizeCaps: []SizeCap{
{MinSizeB: 14, Cap: 0.70},
{MinSizeB: 8, Cap: 0.55},
{MinSizeB: 0, Cap: 0.35},
},
},
"mistral-small-3": {
Strengths: []TaskType{TaskOrchestration, TaskReview},
MaxComplexity: 0.65, // 24B; MMLU 81
},
"mistral": { // catch-all for Mistral 7B / Nemo / etc.
Strengths: []TaskType{TaskGeneration, TaskRefactor},
MaxComplexity: 0.50,
},
// --- Llama family -------------------------------------------------------
"llama4": {
Strengths: []TaskType{TaskExplain, TaskReview},
MaxComplexity: 0.50, // Scout / Maverick variants
},
"llama3.2": {
Strengths: []TaskType{TaskExplain, TaskBoilerplate},
MaxComplexity: 0.35, // tool-call friendly small
},
// --- Tiny / draft-class -------------------------------------------------
"tiny3.5": {
Strengths: []TaskType{TaskBoilerplate, TaskExplain},
SizeCaps: []SizeCap{
{MinSizeB: 1.5, Cap: 0.30},
{MinSizeB: 0, Cap: 0.20},
},
},
"granite": {
Strengths: []TaskType{TaskExplain, TaskBoilerplate},
MaxComplexity: 0.30, // IBM 8B and similar
},
// --- Vision-capable / specialists --------------------------------------
"minicpm-v": {
Strengths: []TaskType{TaskPlanning, TaskReview},
MaxComplexity: 0.55, // vision-thinking; vision flag set via prefix list
},
"glm-ocr": {
// No Strengths — narrow OCR-only specialist. Vision flag is set
// via knownVisionModelPrefixes; arm is registered but the router
// will rarely pick it because nothing promotes it.
MaxComplexity: 0.30,
},
"glm": { // catch-all GLM family
Strengths: []TaskType{TaskExplain},
MaxComplexity: 0.45,
},
// --- Closed-source frontier (cloud arms) --------------------------------
// Cloud entries set Strengths and CostWeight but leave MaxComplexity
// zero — cloud arms shouldn't have a complexity ceiling. CostWeight
// rationale per the 2026-05-23 plan:
// - 0.3 on frontier arms (Opus 4.7, GPT-5.5): keep them competitive
// for high-stakes tasks (SecurityReview, Planning) despite $4+/Mtok.
// - 0.5-0.7 on mid-tier coding specialists: standard cost influence.
// - 1.2 on cheap fast arms (Gemini 3.5 Flash): penalize cost more
// so they win only when cost is genuinely decisive.
"claude-opus-4-7": {
Strengths: []TaskType{TaskPlanning, TaskSecurityReview, TaskDebug, TaskRefactor},
CostWeight: 0.3,
},
"claude-sonnet-4-6": {
Strengths: []TaskType{TaskGeneration, TaskRefactor, TaskReview},
CostWeight: 0.7,
},
"gpt-5.5": {
Strengths: []TaskType{TaskPlanning, TaskSecurityReview, TaskGeneration},
CostWeight: 0.3,
},
"gpt-5.3-codex": {
Strengths: []TaskType{TaskGeneration, TaskRefactor, TaskDebug, TaskUnitTest},
CostWeight: 0.6,
},
"gpt-5.2": {
Strengths: []TaskType{TaskOrchestration, TaskReview},
CostWeight: 0.8,
},
"gemini-3.1-pro": {
Strengths: []TaskType{TaskPlanning, TaskReview, TaskOrchestration},
CostWeight: 0.5,
},
"gemini-3.5-flash": {
Strengths: []TaskType{TaskBoilerplate, TaskExplain, TaskOrchestration},
CostWeight: 1.2,
},
// --- Tool-router specialist (reserved, not auto-routed) -----------------
// functiongemma is Google's 270M function-calling specialist. It is
// not a chat model — it emits structured tool calls, not prose. We
// register it so it shows up in `gnoma providers` but mark it
// Disabled to keep it out of auto-routing until the dedicated
// ArmRoleToolRouter path ships. See
// docs/superpowers/plans/2026-05-23-tool-router-specialization.md
// for the phased plan (telemetry → fine-tune → wire in).
"functiongemma": {
Strengths: []TaskType{TaskOrchestration},
MaxComplexity: 0.40,
Disabled: true,
},
}
// ResolveFamilyDefaults returns the defaults for the given model ID, if
// any family prefix matches. Matching strategy:
//
// 1. Lowercase the ID.
// 2. Strip any namespace prefix ending in "/" (so "reecdev/tiny3.5:1.5b"
// becomes "tiny3.5:1.5b").
// 3. Among the family keys whose lowercase value is a prefix of the
// stripped ID, return the entry with the longest matching key.
//
// Returns (FamilyDefaults{}, false) when no family matches.
func ResolveFamilyDefaults(modelID string) (FamilyDefaults, bool) {
low := strings.ToLower(modelID)
if slash := strings.LastIndex(low, "/"); slash >= 0 {
low = low[slash+1:]
}
var bestKey string
var bestDefaults FamilyDefaults
found := false
for key, defaults := range knownFamilyDefaults {
k := strings.ToLower(key)
if !strings.HasPrefix(low, k) {
continue
}
if len(k) > len(bestKey) {
bestKey = k
bestDefaults = defaults
found = true
}
}
return bestDefaults, found
}
// ResolveMaxComplexity returns the MaxComplexity ceiling for the given
// model ID using its family defaults. If the family declares SizeCaps,
// the parsed parameter count selects the matching cap. If size parsing
// fails or the family has neither SizeCaps nor MaxComplexity, returns
// (0, false).
func ResolveMaxComplexity(modelID string) (float64, bool) {
defaults, ok := ResolveFamilyDefaults(modelID)
if !ok {
return 0, false
}
if len(defaults.SizeCaps) > 0 {
sizeB, sized := parseSizeFromModelID(modelID)
if !sized {
// Size parse failed — fall back to the smallest cap so we're
// conservative rather than optimistic.
return defaults.SizeCaps[len(defaults.SizeCaps)-1].Cap, true
}
for _, sc := range defaults.SizeCaps {
if sizeB >= sc.MinSizeB {
return sc.Cap, true
}
}
return defaults.SizeCaps[len(defaults.SizeCaps)-1].Cap, true
}
if defaults.MaxComplexity > 0 {
return defaults.MaxComplexity, true
}
return 0, false
}
// applyFamilyDefaults populates zero-valued routing fields on an Arm from
// the family-defaults table. Only fields that are still at their zero
// value get filled — user-supplied Strengths, MaxComplexity, CostWeight,
// or Disabled are never overwritten. Returns true when at least one
// family entry matched, false when the model is unknown.
//
// Looks up by arm.ModelName first; falls back to arm.ID.Model() when
// ModelName is empty (which test code commonly omits).
func applyFamilyDefaults(arm *Arm) bool {
if arm == nil {
return false
}
modelKey := arm.ModelName
if modelKey == "" {
modelKey = arm.ID.Model()
}
defaults, ok := ResolveFamilyDefaults(modelKey)
if !ok {
return false
}
if len(arm.Strengths) == 0 && len(defaults.Strengths) > 0 {
arm.Strengths = defaults.Strengths
}
if arm.MaxComplexity == 0 {
if cap, capOK := ResolveMaxComplexity(modelKey); capOK {
arm.MaxComplexity = cap
}
}
if arm.CostWeight == 0 && defaults.CostWeight > 0 {
arm.CostWeight = defaults.CostWeight
}
if defaults.Disabled {
arm.Disabled = true
}
return true
}
// pureSizeToken matches a token consisting of digits (optionally with a
// single decimal point) followed by 'b' or 'm' — and nothing else. Used
// after splitting the model ID on `:`, `-`, `_`, `/` to extract a pure
// parameter-size token like "14b", "1.5b", "500m" while ignoring tokens
// like "a3b" (active params, MoE) or "v0.3" (version).
var pureSizeToken = regexp.MustCompile(`^([0-9]+(?:\.[0-9]+)?)([bm])$`)
// parseSizeFromModelID extracts the model's parameter count in billions
// from its ID. Splits on common separators and looks for tokens of the
// form `<N>b` or `<N>m` (millions converted to billions). Returns the
// largest match — for IDs like "qwen3-coder:30b-a3b-q4_K_M" we want the
// total (30) rather than the active-params token (a3b would be skipped
// anyway because it isn't pure-digit prefixed).
func parseSizeFromModelID(id string) (float64, bool) {
low := strings.ToLower(id)
pieces := strings.FieldsFunc(low, func(r rune) bool {
switch r {
case ':', '-', '_', '/':
return true
}
return false
})
var best float64
found := false
for _, p := range pieces {
m := pureSizeToken.FindStringSubmatch(p)
if m == nil {
continue
}
n, err := strconv.ParseFloat(m[1], 64)
if err != nil {
continue
}
if m[2] == "m" {
n /= 1000.0
}
if n > best {
best = n
found = true
}
}
return best, found
}
internal/router/defaults_test.go
+474
View File
@@ -0,0 +1,474 @@
package router
import (
"reflect"
"sort"
"testing"
"somegit.dev/Owlibou/gnoma/internal/provider"
"somegit.dev/Owlibou/gnoma/internal/security"
)
// --- parseSizeFromModelID -------------------------------------------------
func TestParseSizeFromModelID(t *testing.T) {
cases := []struct {
name string
id string
want float64
wantOK bool
}{
{"ollama colon", "qwen3:14b", 14, true},
{"ollama colon decimal", "tiny3.5:1.5b", 1.5, true},
{"ollama colon millions", "reecdev/tiny3.5:500m", 0.5, true},
{"hyphen middle", "qwen3.5-9b-glm5.1-distill-v1", 9, true},
{"moe total wins over active", "qwen3-coder:30b-a3b-q4_K_M", 30, true},
{"namespace stripped", "google/functiongemma-270m-it", 0.27, true},
{"no size tag", "phi-4", 0, false},
{"plain version no b", "qwen3.5", 0, false},
{"gemma e-tag not pure size", "gemma-4-e2b-it", 0, false},
{"starcoder digit-only family", "starcoder2", 0, false},
{"large MoE", "qwen3-coder:480b", 480, true},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
got, ok := parseSizeFromModelID(tc.id)
if ok != tc.wantOK {
t.Fatalf("parseSizeFromModelID(%q) ok=%v, want %v (got value %v)", tc.id, ok, tc.wantOK, got)
}
if ok && got != tc.want {
t.Errorf("parseSizeFromModelID(%q) = %v, want %v", tc.id, got, tc.want)
}
})
}
}
// --- ResolveFamilyDefaults: longest-prefix discipline ---------------------
func TestResolveFamilyDefaults_LongestPrefixWins(t *testing.T) {
cases := []struct {
modelID string
wantFamily string // expected family key (longest matching)
}{
{"qwen3-coder:30b", "qwen3-coder"},
{"qwen3:14b", "qwen3"},
{"qwen3.5:4b", "qwen3.5"},
{"qwen3.5-9b-glm5.1-distill-v1", "qwen3.5"},
{"qwen2.5-coder:14b", "qwen2.5-coder"},
{"qwen2.5:7b", "qwen2.5"},
{"qwen-novel:7b", "qwen"},
{"mistral-small-3:24b", "mistral-small-3"},
{"mistral-7b-instruct-v0.3", "mistral"},
{"ministral-3:14b", "ministral-3"},
{"gemma4:latest", "gemma4"},
{"gemma4-e4b-uc:latest", "gemma4-e"},
{"gemma-4-e2b-it", "gemma-4-e"},
{"phi-4-mini", "phi-4-mini"},
{"phi-4:14b", "phi-4"},
{"tiny3.5:1.5b", "tiny3.5"},
{"reecdev/tiny3.5:500m", "tiny3.5"},
{"google/functiongemma-270m-it", "functiongemma"},
{"glm-ocr", "glm-ocr"},
{"glm-5.1", "glm"},
}
for _, tc := range cases {
t.Run(tc.modelID, func(t *testing.T) {
defaults, ok := ResolveFamilyDefaults(tc.modelID)
if !ok {
t.Fatalf("ResolveFamilyDefaults(%q) returned !ok", tc.modelID)
}
expected, ok := knownFamilyDefaults[tc.wantFamily]
if !ok {
t.Fatalf("test bug: %q not in knownFamilyDefaults", tc.wantFamily)
}
if !reflect.DeepEqual(defaults.Strengths, expected.Strengths) ||
defaults.MaxComplexity != expected.MaxComplexity ||
defaults.Disabled != expected.Disabled {
t.Errorf("%q resolved to wrong family — got Strengths=%v MaxComplexity=%v Disabled=%v, want family %q Strengths=%v MaxComplexity=%v Disabled=%v",
tc.modelID, defaults.Strengths, defaults.MaxComplexity, defaults.Disabled,
tc.wantFamily, expected.Strengths, expected.MaxComplexity, expected.Disabled)
}
})
}
}
func TestResolveFamilyDefaults_Unknown(t *testing.T) {
for _, id := range []string{
"some-novel-model:1.5b",
"falcon:7b",
"command-r:35b",
} {
if _, ok := ResolveFamilyDefaults(id); ok {
t.Errorf("ResolveFamilyDefaults(%q) should not match anything in the table", id)
}
}
}
// --- ResolveMaxComplexity: size-keyed lookup -----------------------------
func TestResolveMaxComplexity_SizeKeyed(t *testing.T) {
cases := []struct {
id string
want float64
}{
// ministral-3 ladder: 14b → 0.70, 8b → 0.55, 3b → 0.35
{"ministral-3:14b", 0.70},
{"ministral-3:8b", 0.55},
{"ministral-3:3b", 0.35},
// qwen3 ladder: 14b → 0.75, 7-13b → 0.65, <7b → 0.50
{"qwen3:14b", 0.75},
{"qwen3:7b", 0.65},
{"qwen3:4b", 0.50},
// qwen3.5 ladder: 9b → 0.65, 4-8b → 0.50, <4b → 0.40
{"qwen3.5-9b-glm5.1-distill-v1", 0.65},
{"qwen3.5:4b", 0.50},
// tiny3.5 ladder: 1.5b → 0.30, 0.5b → 0.20
{"reecdev/tiny3.5:1.5b", 0.30},
{"reecdev/tiny3.5:500m", 0.20},
// flat caps still resolve correctly
{"qwen3-coder:30b", 0.85},
{"phi-4:14b", 0.65},
{"gemma4-e4b-uc:latest", 0.45},
}
for _, tc := range cases {
t.Run(tc.id, func(t *testing.T) {
got, ok := ResolveMaxComplexity(tc.id)
if !ok {
t.Fatalf("ResolveMaxComplexity(%q) returned !ok", tc.id)
}
if got != tc.want {
t.Errorf("ResolveMaxComplexity(%q) = %v, want %v", tc.id, got, tc.want)
}
})
}
}
func TestResolveMaxComplexity_SizeParseFailsFallsBack(t *testing.T) {
// "qwen3" with no size tag — uses smallest SizeCap as conservative fallback.
got, ok := ResolveMaxComplexity("qwen3")
if !ok {
t.Fatal("ResolveMaxComplexity should resolve unsized qwen3 via fallback")
}
if got != 0.50 {
t.Errorf("ResolveMaxComplexity(\"qwen3\") = %v, want 0.50 (smallest SizeCap fallback)", got)
}
}
// --- Table integrity ------------------------------------------------------
// TestKnownFamilyDefaults_SizeCapsOrdered confirms SizeCaps entries are
// stored largest-first, since ResolveMaxComplexity iterates and stops at
// the first match.
func TestKnownFamilyDefaults_SizeCapsOrdered(t *testing.T) {
for key, fd := range knownFamilyDefaults {
if len(fd.SizeCaps) < 2 {
continue
}
thresholds := make([]float64, len(fd.SizeCaps))
for i, sc := range fd.SizeCaps {
thresholds[i] = sc.MinSizeB
}
sorted := append([]float64(nil), thresholds...)
sort.Sort(sort.Reverse(sort.Float64Slice(sorted)))
if !reflect.DeepEqual(thresholds, sorted) {
t.Errorf("family %q SizeCaps not ordered largest-first: %v", key, thresholds)
}
}
}
// TestKnownFamilyDefaults_NoDualSpec confirms entries don't declare both
// SizeCaps and MaxComplexity — they're mutually exclusive in the lookup.
func TestKnownFamilyDefaults_NoDualSpec(t *testing.T) {
for key, fd := range knownFamilyDefaults {
if len(fd.SizeCaps) > 0 && fd.MaxComplexity > 0 {
t.Errorf("family %q declares both SizeCaps and MaxComplexity; pick one", key)
}
}
}
// --- Cloud defaults --------------------------------------------------------
func TestResolveFamilyDefaults_CloudArms(t *testing.T) {
cases := []struct {
modelID string
wantStrengths []TaskType
wantCostWeight float64
}{
{"claude-opus-4-7", []TaskType{TaskPlanning, TaskSecurityReview, TaskDebug, TaskRefactor}, 0.3},
{"claude-sonnet-4-6", []TaskType{TaskGeneration, TaskRefactor, TaskReview}, 0.7},
{"gpt-5.5", []TaskType{TaskPlanning, TaskSecurityReview, TaskGeneration}, 0.3},
{"gpt-5.5-pro", []TaskType{TaskPlanning, TaskSecurityReview, TaskGeneration}, 0.3}, // shares prefix with gpt-5.5
{"gpt-5.3-codex", []TaskType{TaskGeneration, TaskRefactor, TaskDebug, TaskUnitTest}, 0.6},
{"gpt-5.2", []TaskType{TaskOrchestration, TaskReview}, 0.8},
{"gpt-5.2-chat-latest", []TaskType{TaskOrchestration, TaskReview}, 0.8},
{"gemini-3.1-pro", []TaskType{TaskPlanning, TaskReview, TaskOrchestration}, 0.5},
{"gemini-3.1-pro-preview", []TaskType{TaskPlanning, TaskReview, TaskOrchestration}, 0.5},
{"gemini-3.5-flash", []TaskType{TaskBoilerplate, TaskExplain, TaskOrchestration}, 1.2},
}
for _, tc := range cases {
t.Run(tc.modelID, func(t *testing.T) {
got, ok := ResolveFamilyDefaults(tc.modelID)
if !ok {
t.Fatalf("ResolveFamilyDefaults(%q) returned !ok", tc.modelID)
}
if !reflect.DeepEqual(got.Strengths, tc.wantStrengths) {
t.Errorf("%q Strengths = %v, want %v", tc.modelID, got.Strengths, tc.wantStrengths)
}
if got.CostWeight != tc.wantCostWeight {
t.Errorf("%q CostWeight = %v, want %v", tc.modelID, got.CostWeight, tc.wantCostWeight)
}
if got.MaxComplexity != 0 {
t.Errorf("%q MaxComplexity = %v, want 0 (cloud arms have no ceiling)", tc.modelID, got.MaxComplexity)
}
})
}
}
func TestResolveFamilyDefaults_CloudLegacyUnaffected(t *testing.T) {
// Legacy / unrelated cloud IDs must NOT pick up defaults — keeping
// users on older pinned models safe from imposed Strengths.
noMatch := []string{
"claude-opus-4-20250514",
"claude-sonnet-4-20250514",
"claude-haiku-4-5-20251001",
"gpt-4o",
"gpt-4o-mini",
"o3",
"o3-mini",
"gemini-2.5-pro",
"gemini-2.0-flash",
}
for _, id := range noMatch {
if _, ok := ResolveFamilyDefaults(id); ok {
t.Errorf("ResolveFamilyDefaults(%q) should not match (legacy model)", id)
}
}
}
func TestRegisterArm_AppliesCloudDefaults(t *testing.T) {
r := New(Config{})
r.RegisterArm(&Arm{
ID: NewArmID("openai", "gpt-5.3-codex"),
ModelName: "gpt-5.3-codex",
Capabilities: provider.Capabilities{
ToolUse: true, JSONOutput: true,
ContextWindow: 400000,
},
})
arm, ok := r.LookupArm(NewArmID("openai", "gpt-5.3-codex"))
if !ok {
t.Fatal("gpt-5.3-codex arm should be registered")
}
wantStrengths := []TaskType{TaskGeneration, TaskRefactor, TaskDebug, TaskUnitTest}
if !reflect.DeepEqual(arm.Strengths, wantStrengths) {
t.Errorf("Strengths = %v, want %v", arm.Strengths, wantStrengths)
}
if arm.CostWeight != 0.6 {
t.Errorf("CostWeight = %v, want 0.6", arm.CostWeight)
}
if arm.MaxComplexity != 0 {
t.Errorf("MaxComplexity = %v, want 0 (cloud arm)", arm.MaxComplexity)
}
}
func TestRegisterArm_DoesNotOverrideUserStrengths(t *testing.T) {
r := New(Config{})
r.RegisterArm(&Arm{
ID: NewArmID("anthropic", "claude-opus-4-7"),
ModelName: "claude-opus-4-7",
Strengths: []TaskType{TaskUnitTest}, // user-supplied; defaults should not overwrite
CostWeight: 0.5, // user-supplied
})
arm, _ := r.LookupArm(NewArmID("anthropic", "claude-opus-4-7"))
if !reflect.DeepEqual(arm.Strengths, []TaskType{TaskUnitTest}) {
t.Errorf("user-supplied Strengths overridden by defaults: got %v", arm.Strengths)
}
if arm.CostWeight != 0.5 {
t.Errorf("user-supplied CostWeight overridden: got %v", arm.CostWeight)
}
}
func TestRegisterArm_FallsBackToIDWhenModelNameMissing(t *testing.T) {
// Some test code constructs arms with ID but no ModelName.
// applyFamilyDefaults should fall back to ID.Model() so defaults
// still flow through.
r := New(Config{})
r.RegisterArm(&Arm{
ID: NewArmID("openai", "gpt-5.3-codex"),
// ModelName intentionally empty
})
arm, _ := r.LookupArm(NewArmID("openai", "gpt-5.3-codex"))
if arm.CostWeight != 0.6 {
t.Errorf("CostWeight = %v, want 0.6 (defaults should resolve via ID.Model() fallback)", arm.CostWeight)
}
}
// --- Integration: routing-payoff scenario --------------------------------
// TestRoutingDefaults_PayoffScenario is the user-facing demonstration that
// out-of-the-box selection now picks sensibly across a realistic local
// fleet, without any [[arms]] override. Per
// docs/superpowers/plans/2026-05-23-routing-defaults-refresh.md the
// motivating goal: incognito stops feeling random.
//
// Note on Thinking capability: real phi-4 supports extended reasoning,
// but DiscoveredModel today has no SupportsThinking field — discovery
// only flips ToolUse and Vision. The selector's heuristicQuality gives
// a +0.2 bump for Thinking+Planning that would otherwise push phi-4
// over the TaskPlanning quality floor (0.60). The test mutates the arm
// after registration to reflect what the model actually supports;
// surfacing a thinking flag in discovery is tracked separately (out of
// scope for the defaults-refresh plan).
func TestRoutingDefaults_PayoffScenario(t *testing.T) {
r := New(Config{})
factory := func(name, model string) SecureProvider {
return security.WrapProvider(&stubProvider{name: name, model: model}, nil)
}
models := []DiscoveredModel{
{ID: "reecdev/tiny3.5:1.5b", Provider: "ollama", SupportsTools: true, ContextSize: 32768},
{ID: "phi-4:14b", Provider: "ollama", SupportsTools: true, ContextSize: 16384},
{ID: "qwen3-coder:30b", Provider: "ollama", SupportsTools: true, ContextSize: 262144},
}
RegisterDiscoveredModels(r, models, factory)
// Reflect phi-4's real Thinking capability — see test comment.
if arm, ok := r.LookupArm("ollama/phi-4:14b"); ok {
arm.Capabilities.ThinkingModes = []provider.EffortLevel{provider.EffortMedium}
}
cases := []struct {
name string
task Task
wantArmID ArmID
reason string
}{
{
name: "Generation picks qwen3-coder",
task: Task{Type: TaskGeneration, RequiresTools: true, ComplexityScore: 0.7, Priority: PriorityNormal, EstimatedTokens: 2000},
wantArmID: "ollama/qwen3-coder:30b",
reason: "qwen3-coder is Strengths-promoted for TaskGeneration and has the highest MaxComplexity (0.85)",
},
{
name: "Planning picks phi-4",
task: Task{Type: TaskPlanning, RequiresTools: true, ComplexityScore: 0.5, Priority: PriorityNormal, EstimatedTokens: 1500},
wantArmID: "ollama/phi-4:14b",
reason: "phi-4 is Strengths-promoted for TaskPlanning; qwen3-coder's strengths don't include Planning",
},
{
name: "Boilerplate picks tiny3.5",
task: Task{Type: TaskBoilerplate, RequiresTools: true, ComplexityScore: 0.1, Priority: PriorityLow, EstimatedTokens: 200},
wantArmID: "ollama/reecdev/tiny3.5:1.5b",
reason: "tiny3.5 Strengths include TaskBoilerplate; it's the cheapest viable arm for a trivial task",
},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
decision := r.Select(tc.task)
if decision.Error != nil {
t.Fatalf("Select returned error: %v", decision.Error)
}
if decision.Arm == nil {
t.Fatal("Select returned nil arm")
}
if decision.Arm.ID != tc.wantArmID {
t.Errorf("got arm %q, want %q\n reason: %s", decision.Arm.ID, tc.wantArmID, tc.reason)
}
decision.Rollback()
})
}
}
// TestRoutingDefaults_LocalFleetVisibility makes sure the maintainer's
// actual Ollama inventory all register correctly (none accidentally
// excluded by the non-chat filter, all get sensible defaults).
func TestRoutingDefaults_LocalFleetVisibility(t *testing.T) {
r := New(Config{})
factory := func(name, model string) SecureProvider {
return security.WrapProvider(&stubProvider{name: name, model: model}, nil)
}
// Models from the maintainer's `ollama ls` output (2026-05-23 session).
models := []DiscoveredModel{
{ID: "reecdev/tiny3.5:1.5b", Provider: "ollama", SupportsTools: true, ContextSize: 32768},
{ID: "reecdev/tiny3.5:500m", Provider: "ollama", ContextSize: 32768},
{ID: "ministral-3:3b", Provider: "ollama", SupportsTools: true, ContextSize: 32768},
{ID: "qwen3.5:4b", Provider: "ollama", SupportsTools: true, ContextSize: 32768},
{ID: "gemma4-e4b-uc:latest", Provider: "ollama", SupportsTools: true, ContextSize: 32768},
{ID: "gemma4:latest", Provider: "ollama", SupportsTools: true, ContextSize: 32768},
{ID: "qwen3:14b", Provider: "ollama", SupportsTools: true, ContextSize: 32768},
{ID: "devstral-small-2:24b", Provider: "ollama", SupportsTools: true, ContextSize: 131072},
{ID: "qwen2.5-coder:14b", Provider: "ollama", SupportsTools: true, ContextSize: 32768},
{ID: "embeddinggemma:latest", Provider: "ollama", ContextSize: 8192},
{ID: "functiongemma:latest", Provider: "ollama", SupportsTools: true, ContextSize: 32768},
{ID: "ministral-3:14b", Provider: "ollama", SupportsTools: true, ContextSize: 32768},
{ID: "ministral-3:8b", Provider: "ollama", SupportsTools: true, ContextSize: 32768},
}
RegisterDiscoveredModels(r, models, factory)
registered := make(map[ArmID]*Arm)
for _, a := range r.Arms() {
registered[a.ID] = a
}
// embeddinggemma must be skipped entirely.
if _, ok := registered["ollama/embeddinggemma:latest"]; ok {
t.Error("embeddinggemma should be skipped by non-chat filter")
}
// Every other model must be registered.
wantRegistered := []ArmID{
"ollama/reecdev/tiny3.5:1.5b",
"ollama/reecdev/tiny3.5:500m",
"ollama/ministral-3:3b",
"ollama/qwen3.5:4b",
"ollama/gemma4-e4b-uc:latest",
"ollama/gemma4:latest",
"ollama/qwen3:14b",
"ollama/devstral-small-2:24b",
"ollama/qwen2.5-coder:14b",
"ollama/functiongemma:latest",
"ollama/ministral-3:14b",
"ollama/ministral-3:8b",
}
for _, id := range wantRegistered {
if _, ok := registered[id]; !ok {
t.Errorf("expected %q to be registered", id)
}
}
// Spot-check that defaults flowed through to the arms.
checks := []struct {
id ArmID
wantMaxComp float64
wantDisabled bool
wantStrengths []TaskType
}{
{"ollama/qwen3-coder:30b", 0, false, nil}, // not in fleet, sanity skip
{"ollama/devstral-small-2:24b", 0.85, false, []TaskType{TaskGeneration, TaskRefactor, TaskDebug}},
{"ollama/qwen3:14b", 0.75, false, []TaskType{TaskGeneration, TaskRefactor, TaskDebug}},
{"ollama/ministral-3:14b", 0.70, false, []TaskType{TaskOrchestration, TaskPlanning}},
{"ollama/ministral-3:8b", 0.55, false, []TaskType{TaskOrchestration, TaskPlanning}},
{"ollama/ministral-3:3b", 0.35, false, []TaskType{TaskOrchestration, TaskPlanning}},
{"ollama/reecdev/tiny3.5:1.5b", 0.30, false, []TaskType{TaskBoilerplate, TaskExplain}},
{"ollama/reecdev/tiny3.5:500m", 0.20, false, []TaskType{TaskBoilerplate, TaskExplain}},
{"ollama/functiongemma:latest", 0.40, true, []TaskType{TaskOrchestration}},
{"ollama/gemma4-e4b-uc:latest", 0.45, false, []TaskType{TaskExplain, TaskBoilerplate}},
{"ollama/qwen3.5:4b", 0.50, false, []TaskType{TaskBoilerplate, TaskExplain, TaskOrchestration}},
}
for _, c := range checks {
arm, ok := registered[c.id]
if !ok {
continue // already reported above
}
if arm.MaxComplexity != c.wantMaxComp {
t.Errorf("%s MaxComplexity = %v, want %v", c.id, arm.MaxComplexity, c.wantMaxComp)
}
if arm.Disabled != c.wantDisabled {
t.Errorf("%s Disabled = %v, want %v", c.id, arm.Disabled, c.wantDisabled)
}
if c.wantStrengths != nil && !reflect.DeepEqual(arm.Strengths, c.wantStrengths) {
t.Errorf("%s Strengths = %v, want %v", c.id, arm.Strengths, c.wantStrengths)
}
}
}
internal/router/discovery.go
+49 -1
View File
@@ -218,7 +218,10 @@ var knownVisionModelPrefixes = []string{
"minicpm-v",
"cogvlm",
"pixtral",
"gemma3", // gemma3 multimodal variants
"gemma3", // gemma3 multimodal variants
"gemma4", // gemma4 base + edge (e2b, e4b) variants
"gemma-4", // hyphenated GGUF naming (gemma-4-e2b-it, gemma-4-e4b-it)
"glm-ocr", // vision-language model specialized for OCR
}
func isKnownVisionModelName(model string) bool {
@@ -231,6 +234,39 @@ func isKnownVisionModelName(model string) bool {
return false
}
// nonChatModelPatterns lists case-insensitive substrings that mark a model
// as not suitable for chat routing. Discovery skips these entirely rather
// than registering them as broken chat arms — they're embedding models,
// speech-to-text, text-to-speech, audio realtime, or rerankers that would
// fail at inference time if the router selected them for a chat turn.
//
// Substring match (not prefix) because user namespaces (e.g.
// "someorg/whisper-finetune") would defeat a prefix-only check.
var nonChatModelPatterns = []string{
"whisper",
"moonshine",
"kokoros",
"vibevoice",
"-asr",
"-tts",
"-audio",
"-embedding",
"embedding-",
"embeddinggemma",
"-reranker",
"lfm2",
}
func isNonChatModel(model string) bool {
low := strings.ToLower(model)
for _, p := range nonChatModelPatterns {
if strings.Contains(low, p) {
return true
}
}
return false
}
// DiscoverLlamaCPP enumerates models served by a llama.cpp server.
//
// llama-server exposes /v1/models (OpenAI-compatible) — single-model
@@ -435,6 +471,13 @@ func reconcileArms(r *Router, discovered []DiscoveredModel, providerFactory func
// RegisterDiscoveredModels registers discovered local models as arms in the router.
func RegisterDiscoveredModels(r *Router, models []DiscoveredModel, providerFactory func(name, model string) SecureProvider) {
for _, m := range models {
// Skip non-chat models (embeddings, ASR, TTS, audio, rerankers).
// These would otherwise register as broken chat arms and fail at
// inference time when the router selected them.
if isNonChatModel(m.ID) {
continue
}
armID := NewArmID(m.Provider, m.ID)
// Skip if already registered
@@ -454,6 +497,11 @@ func RegisterDiscoveredModels(r *Router, models []DiscoveredModel, providerFacto
continue
}
// Family-keyed defaults (Strengths, MaxComplexity, CostWeight,
// Disabled) are applied inside Router.RegisterArm — single source
// of truth so cloud-arm and local-arm registration paths agree.
// User-supplied [[arms]] config in TOML overrides defaults later
// via ApplyArmOverrides.
r.RegisterArm(&Arm{
ID: armID,
Provider: prov,
internal/router/discovery_test.go
+167
View File
@@ -421,3 +421,170 @@ func TestDiscoverLlamaCPP_NoModelsIsError(t *testing.T) {
t.Error("expected error when /v1/models returns no entries, got nil")
}
}
// --- isNonChatModel pattern matching ---
func TestIsNonChatModel(t *testing.T) {
chat := []string{
"qwen3:14b",
"qwen3-coder:30b",
"gemma4:latest",
"gemma-4-e2b-it",
"devstral-small-2:24b",
"phi-4",
"reecdev/tiny3.5:1.5b",
"ministral-3:8b",
}
for _, m := range chat {
if isNonChatModel(m) {
t.Errorf("isNonChatModel(%q) = true, want false (chat model)", m)
}
}
nonChat := []string{
"whisper-base",
"moonshine-tiny",
"kokoros",
"kokoros-de",
"vibevoice",
"vibevoice-cpp",
"qwen3-asr-1.7b",
"qwen3-tts-1.7b-custom-voice",
"lfm2.5-audio-1.5b-realtime",
"embeddinggemma:latest",
"qwen3-vl-embedding-2b-gguf",
"qwen3-vl-reranker-2b-i1-gguf",
}
for _, m := range nonChat {
if !isNonChatModel(m) {
t.Errorf("isNonChatModel(%q) = false, want true (non-chat model)", m)
}
}
}
// --- isKnownVisionModelName covers new prefixes (R-2) ---
func TestIsKnownVisionModelName_NewFamilies(t *testing.T) {
vision := []string{
"gemma4:latest",
"gemma4-e4b-uc:latest",
"gemma-4-e2b-it",
"gemma-4-e4b-it",
"glm-ocr",
"gemma3:27b", // pre-existing, regression guard
"minicpm-v-4.6-thinking-gguf",
}
for _, m := range vision {
if !isKnownVisionModelName(m) {
t.Errorf("isKnownVisionModelName(%q) = false, want true", m)
}
}
nonVision := []string{
"qwen3:14b",
"devstral-small-2:24b",
"phi-4",
"functiongemma:latest", // Gemma-based but text-only function caller
}
for _, m := range nonVision {
if isKnownVisionModelName(m) {
t.Errorf("isKnownVisionModelName(%q) = true, want false", m)
}
}
}
// --- RegisterDiscoveredModels: skip non-chat, apply family defaults ---
func TestRegisterDiscoveredModels_SkipsNonChat(t *testing.T) {
r := New(Config{})
factory := func(name, model string) SecureProvider {
return security.WrapProvider(&stubProvider{name: name, model: model}, nil)
}
models := []DiscoveredModel{
{ID: "qwen3:14b", Provider: "ollama", SupportsTools: true, ContextSize: 32768},
{ID: "embeddinggemma:latest", Provider: "ollama", ContextSize: 8192},
{ID: "whisper-base", Provider: "ollama", ContextSize: 4096},
{ID: "kokoros", Provider: "ollama"},
{ID: "qwen3-vl-reranker-2b-gguf", Provider: "ollama"},
{ID: "gemma4:latest", Provider: "ollama", SupportsTools: true, ContextSize: 32768},
}
RegisterDiscoveredModels(r, models, factory)
registered := make(map[ArmID]bool)
for _, a := range r.Arms() {
registered[a.ID] = true
}
wantRegistered := []ArmID{"ollama/qwen3:14b", "ollama/gemma4:latest"}
for _, id := range wantRegistered {
if !registered[id] {
t.Errorf("expected %q to be registered, got %v", id, registered)
}
}
wantSkipped := []ArmID{
"ollama/embeddinggemma:latest",
"ollama/whisper-base",
"ollama/kokoros",
"ollama/qwen3-vl-reranker-2b-gguf",
}
for _, id := range wantSkipped {
if registered[id] {
t.Errorf("expected %q to be skipped (non-chat), but it was registered", id)
}
}
}
func TestRegisterDiscoveredModels_AppliesFunctionGemmaDefaults(t *testing.T) {
r := New(Config{})
factory := func(name, model string) SecureProvider {
return security.WrapProvider(&stubProvider{name: name, model: model}, nil)
}
models := []DiscoveredModel{
{ID: "functiongemma:latest", Provider: "ollama", SupportsTools: true, ContextSize: 32768},
}
RegisterDiscoveredModels(r, models, factory)
arm, ok := r.LookupArm("ollama/functiongemma:latest")
if !ok {
t.Fatal("functiongemma should be registered (Disabled, but visible)")
}
if !arm.Disabled {
t.Error("functiongemma arm should have Disabled=true")
}
if arm.MaxComplexity != 0.40 {
t.Errorf("functiongemma MaxComplexity = %v, want 0.40", arm.MaxComplexity)
}
if len(arm.Strengths) != 1 || arm.Strengths[0] != TaskOrchestration {
t.Errorf("functiongemma Strengths = %v, want [TaskOrchestration]", arm.Strengths)
}
}
func TestRegisterDiscoveredModels_NoDefaultsForUnknownFamily(t *testing.T) {
r := New(Config{})
factory := func(name, model string) SecureProvider {
return security.WrapProvider(&stubProvider{name: name, model: model}, nil)
}
models := []DiscoveredModel{
{ID: "some-novel-model:1.5b", Provider: "ollama", SupportsTools: true, ContextSize: 16384},
}
RegisterDiscoveredModels(r, models, factory)
arm, ok := r.LookupArm("ollama/some-novel-model:1.5b")
if !ok {
t.Fatal("unknown-family model should still register")
}
if arm.Disabled {
t.Error("unknown-family arm should not be disabled")
}
if arm.MaxComplexity != 0 {
t.Errorf("unknown-family MaxComplexity = %v, want 0 (no ceiling)", arm.MaxComplexity)
}
if len(arm.Strengths) != 0 {
t.Errorf("unknown-family Strengths = %v, want none", arm.Strengths)
}
}
internal/router/feedback.go
+26 -6
View File
@@ -2,9 +2,15 @@ package router
import "sync"
// Built-in defaults for the bandit knobs. Surfaced via
// [router.bandit] config keys; see BanditParams in router.go. Kept
// here so the QualityTracker has a sensible fallback when constructed
// without explicit parameters (tests, ad-hoc callers).
const (
qualityAlpha = 0.3 // EMA smoothing factor (~3-sample memory)
minObservations = 3 // min samples before observed score overrides heuristic
defaultQualityAlpha = 0.3 // EMA smoothing factor (~3-sample memory)
defaultMinObservations = 3 // min samples before observed score overrides heuristic
defaultObservedWeight = 0.7 // weight of observed score in observed/heuristic blend
defaultStrengthBonus = 0.15
)
// EMAScore tracks an exponential moving average quality score.
@@ -19,13 +25,27 @@ type QualityTracker struct {
mu sync.RWMutex
scores map[ArmID]map[TaskType]*EMAScore
classifierCount map[ClassifierSource]int
// Configurable knobs — set via NewQualityTracker. Pass 0 for any
// argument to keep the built-in default.
alpha float64
minObservations int
}
// NewQualityTracker returns an empty QualityTracker.
func NewQualityTracker() *QualityTracker {
// NewQualityTracker returns an empty QualityTracker. Pass 0 for any
// argument to keep the built-in default (alpha=0.3, minObs=3).
func NewQualityTracker(alpha float64, minObs int) *QualityTracker {
if alpha == 0 {
alpha = defaultQualityAlpha
}
if minObs == 0 {
minObs = defaultMinObservations
}
return &QualityTracker{
scores: make(map[ArmID]map[TaskType]*EMAScore),
classifierCount: make(map[ClassifierSource]int),
alpha: alpha,
minObservations: minObs,
}
}
@@ -71,7 +91,7 @@ func (qt *QualityTracker) Record(armID ArmID, taskType TaskType, success bool) {
if s.Count == 0 {
s.Value = observation
} else {
s.Value = qualityAlpha*observation + (1-qualityAlpha)*s.Value
s.Value = qt.alpha*observation + (1-qt.alpha)*s.Value
}
s.Count++
}
@@ -86,7 +106,7 @@ func (qt *QualityTracker) Quality(armID ArmID, taskType TaskType) (score float64
return 0, false
}
s, ok := m[taskType]
if !ok || s.Count < minObservations {
if !ok || s.Count < qt.minObservations {
return 0, false
}
return s.Value, true
internal/router/feedback_test.go
+46 -4
View File
@@ -8,7 +8,7 @@ import (
)
func TestQualityTracker_NoDataReturnsHeuristic(t *testing.T) {
qt := router.NewQualityTracker()
qt := router.NewQualityTracker(0, 0)
_, hasData := qt.Quality("arm:model", router.TaskGeneration)
if hasData {
t.Error("expected no data for unobserved arm")
@@ -16,7 +16,7 @@ func TestQualityTracker_NoDataReturnsHeuristic(t *testing.T) {
}
func TestQualityTracker_RecordUpdatesEMA(t *testing.T) {
qt := router.NewQualityTracker()
qt := router.NewQualityTracker(0, 0)
for i := 0; i < 3; i++ {
qt.Record("arm:model", router.TaskGeneration, true)
}
@@ -30,7 +30,7 @@ func TestQualityTracker_RecordUpdatesEMA(t *testing.T) {
}
func TestQualityTracker_AllFailuresLowScore(t *testing.T) {
qt := router.NewQualityTracker()
qt := router.NewQualityTracker(0, 0)
for i := 0; i < 5; i++ {
qt.Record("arm:model", router.TaskDebug, false)
}
@@ -41,7 +41,7 @@ func TestQualityTracker_AllFailuresLowScore(t *testing.T) {
}
func TestQualityTracker_ConcurrentSafe(t *testing.T) {
qt := router.NewQualityTracker()
qt := router.NewQualityTracker(0, 0)
done := make(chan struct{})
for i := 0; i < 10; i++ {
go func(success bool) {
@@ -113,3 +113,45 @@ func TestQualityTracker_InsufficientDataFallsBackToHeuristic(t *testing.T) {
}
decision.Rollback()
}
func TestQualityTracker_CustomAlphaShortensMemory(t *testing.T) {
// alpha=0.9 weights the latest sample heavily; after a single
// failure the score should drop further than with the default 0.3.
fast := router.NewQualityTracker(0.9, 0)
slow := router.NewQualityTracker(0.0, 0) // 0 → default 0.3
for _, qt := range []*router.QualityTracker{fast, slow} {
// Build up history at the high end with 5 successes.
for i := 0; i < 5; i++ {
qt.Record("arm:m", router.TaskGeneration, true)
}
// One failure.
qt.Record("arm:m", router.TaskGeneration, false)
}
fastScore, _ := fast.Quality("arm:m", router.TaskGeneration)
slowScore, _ := slow.Quality("arm:m", router.TaskGeneration)
if !(fastScore < slowScore) {
t.Errorf("expected fast alpha (0.9) to drop quality faster than default (0.3): fast=%f slow=%f", fastScore, slowScore)
}
}
func TestQualityTracker_CustomMinObservationsGatesScore(t *testing.T) {
// minObs=10 means Quality should return hasData=false until 10
// observations are recorded, even though the default would say
// "yes" after 3.
qt := router.NewQualityTracker(0, 10)
for i := 0; i < 5; i++ {
qt.Record("arm:m", router.TaskGeneration, true)
}
if _, hasData := qt.Quality("arm:m", router.TaskGeneration); hasData {
t.Error("expected hasData=false at 5 observations with minObs=10")
}
for i := 0; i < 5; i++ {
qt.Record("arm:m", router.TaskGeneration, true)
}
if _, hasData := qt.Quality("arm:m", router.TaskGeneration); !hasData {
t.Error("expected hasData=true after 10 observations with minObs=10")
}
}
internal/router/prefer_test.go
+375
View File
@@ -0,0 +1,375 @@
package router
import (
"testing"
"somegit.dev/Owlibou/gnoma/internal/provider"
"somegit.dev/Owlibou/gnoma/internal/security"
)
func TestParsePreferPolicy(t *testing.T) {
cases := []struct {
in string
want PreferPolicy
wantErr bool
}{
{"", PreferAuto, false},
{"auto", PreferAuto, false},
{"AUTO", PreferAuto, false},
{" auto ", PreferAuto, false},
{"local", PreferLocal, false},
{"Local", PreferLocal, false},
{"cloud", PreferCloud, false},
{"prefer-cloud", PreferAuto, true},
{"none", PreferAuto, true},
}
for _, tc := range cases {
t.Run(tc.in, func(t *testing.T) {
got, err := ParsePreferPolicy(tc.in)
if (err != nil) != tc.wantErr {
t.Fatalf("err=%v wantErr=%v", err, tc.wantErr)
}
if !tc.wantErr && got != tc.want {
t.Errorf("got %v, want %v", got, tc.want)
}
})
}
}
func TestPreferPolicy_String(t *testing.T) {
cases := map[PreferPolicy]string{
PreferAuto: "auto",
PreferLocal: "local",
PreferCloud: "cloud",
}
for in, want := range cases {
if got := in.String(); got != want {
t.Errorf("%d.String() = %q, want %q", in, got, want)
}
}
}
func TestPolicyMultiplier(t *testing.T) {
localArm := &Arm{IsLocal: true}
cloudArm := &Arm{IsLocal: false}
cases := []struct {
name string
arm *Arm
policy PreferPolicy
want float64
}{
{"auto/local", localArm, PreferAuto, 1.0},
{"auto/cloud", cloudArm, PreferAuto, 1.0},
{"local/local", localArm, PreferLocal, 1.0},
{"local/cloud", cloudArm, PreferLocal, 0.3},
{"cloud/local", localArm, PreferCloud, 0.5},
{"cloud/cloud", cloudArm, PreferCloud, 1.0},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
if got := policyMultiplier(tc.arm, tc.policy); got != tc.want {
t.Errorf("policyMultiplier(%+v, %v) = %v, want %v", tc.arm, tc.policy, got, tc.want)
}
})
}
}
// TestPreferPolicy_RouterAcceptanceScenarios is the user-facing payoff:
// the prefer knob shifts arm tiers so the dispreferred camp is walked
// last. The test uses a task type that neither arm has in its Strengths
// list so the tier walk actually runs (the Strengths-promoted path
// bypasses tier ordering entirely).
//
// Arms are chosen to be in adjacent base tiers — a general-purpose
// local arm at tier 2 (no MaxComplexity, no family-defaults match) and
// a cloud arm at tier 3. The +2 tier shift then puts the dispreferred
// arm at tier 4 (local) or 5 (cloud), behind the preferred camp.
//
// The Strengths-promoted case (cost-amplification can overwhelm the
// within-tier multiplier) is covered separately by
// TestPreferPolicy_StrengthsBeatsMultiplier, which validates that a
// strongly-tagged arm wins regardless of prefer.
func TestPreferPolicy_RouterAcceptanceScenarios(t *testing.T) {
makeRouter := func(policy PreferPolicy) *Router {
r := New(Config{})
r.SetPreferPolicy(policy)
// Local arm: family doesn't match any defaults entry, so no
// Strengths or MaxComplexity get attached — clean tier-2 arm.
r.RegisterArm(&Arm{
ID: NewArmID("ollama", "novel-local-llm:7b"),
ModelName: "novel-local-llm:7b",
Provider: security.WrapProvider(&stubProvider{name: "ollama", model: "novel-local-llm:7b"}, nil),
IsLocal: true,
Capabilities: provider.Capabilities{
ToolUse: true,
ContextWindow: 200000,
},
})
// Cloud arm: also no family match (we use a deliberately
// non-matching ID so Strengths defaults don't kick in).
r.RegisterArm(&Arm{
ID: NewArmID("anthropic", "novel-cloud-model"),
ModelName: "novel-cloud-model",
Provider: security.WrapProvider(&stubProvider{name: "anthropic", model: "novel-cloud-model"}, nil),
IsLocal: false,
Capabilities: provider.Capabilities{
ToolUse: true,
ContextWindow: 1_000_000,
ThinkingModes: []provider.EffortLevel{provider.EffortMedium},
},
})
return r
}
task := Task{
Type: TaskExplain,
ComplexityScore: 0.5,
Priority: PriorityNormal,
RequiresTools: true,
EstimatedTokens: 1500,
}
t.Run("prefer=local picks the local arm", func(t *testing.T) {
r := makeRouter(PreferLocal)
decision := r.Select(task)
if decision.Error != nil {
t.Fatalf("Select error: %v", decision.Error)
}
if !decision.Arm.IsLocal {
t.Errorf("PreferLocal should pick local; got %s (IsLocal=%v)", decision.Arm.ID, decision.Arm.IsLocal)
}
decision.Rollback()
})
t.Run("prefer=cloud picks the cloud arm", func(t *testing.T) {
r := makeRouter(PreferCloud)
decision := r.Select(task)
if decision.Error != nil {
t.Fatalf("Select error: %v", decision.Error)
}
if decision.Arm.IsLocal {
t.Errorf("PreferCloud should pick cloud; got %s (IsLocal=%v)", decision.Arm.ID, decision.Arm.IsLocal)
}
decision.Rollback()
})
t.Run("prefer=auto preserves tier order (local tier 2 < cloud tier 3)", func(t *testing.T) {
r := makeRouter(PreferAuto)
decision := r.Select(task)
if decision.Error != nil {
t.Fatalf("Select error: %v", decision.Error)
}
if !decision.Arm.IsLocal {
t.Errorf("PreferAuto should preserve tier order (local wins); got %s", decision.Arm.ID)
}
decision.Rollback()
})
}
// TestPreferPolicy_SLMStillWinsUnderPreferCloud documents the
// SLM-protection behavior: under PreferCloud, a tier-0 SLM (an arm
// with MaxComplexity > 0 that fits the task) still wins because the
// +2 tier shift only moves it from tier 0 to tier 2, which is still
// below the cloud arm's tier 3. This matches the plan's intent: "the
// SLM does small stuff" survives PreferCloud — that's exactly what
// the SLM is for.
func TestPreferPolicy_SLMStillWinsUnderPreferCloud(t *testing.T) {
r := New(Config{})
r.SetPreferPolicy(PreferCloud)
// Tier-0 SLM (low MaxComplexity, fits the trivial task).
r.RegisterArm(&Arm{
ID: NewArmID("ollama", "tiny-slm:1.5b"),
ModelName: "tiny-slm:1.5b",
Provider: security.WrapProvider(&stubProvider{name: "ollama", model: "tiny-slm:1.5b"}, nil),
IsLocal: true,
MaxComplexity: 0.30,
Strengths: []TaskType{TaskBoilerplate},
Capabilities: provider.Capabilities{
ToolUse: true,
ContextWindow: 32768,
},
})
r.RegisterArm(&Arm{
ID: NewArmID("anthropic", "claude-sonnet-4-6"),
ModelName: "claude-sonnet-4-6",
Provider: security.WrapProvider(&stubProvider{name: "anthropic", model: "claude-sonnet-4-6"}, nil),
IsLocal: false,
Capabilities: provider.Capabilities{
ToolUse: true,
ContextWindow: 1_000_000,
},
})
decision := r.Select(Task{
Type: TaskBoilerplate,
ComplexityScore: 0.1,
Priority: PriorityLow,
RequiresTools: true,
EstimatedTokens: 200,
})
if decision.Error != nil {
t.Fatalf("Select error: %v", decision.Error)
}
if decision.Arm.ID != NewArmID("ollama", "tiny-slm:1.5b") {
t.Errorf("SLM should win trivial task even under PreferCloud (tier 0+2=2 < cloud 3); got %s", decision.Arm.ID)
}
decision.Rollback()
}
// TestPreferPolicy_StrengthsBeatsMultiplier: a cloud arm with a strong
// task-type tag still wins over a local arm without that tag, even
// under PreferLocal. Strengths is the primary signal; prefer is a
// secondary multiplier within the promoted/tier set.
func TestPreferPolicy_StrengthsBeatsMultiplier(t *testing.T) {
r := New(Config{})
r.SetPreferPolicy(PreferLocal)
// Local arm has no Strengths for SecurityReview.
localArm := &Arm{
ID: NewArmID("ollama", "qwen3:14b"),
ModelName: "qwen3:14b",
Provider: security.WrapProvider(&stubProvider{name: "ollama", model: "qwen3:14b"}, nil),
IsLocal: true,
Strengths: []TaskType{TaskGeneration},
MaxComplexity: 0.75,
Capabilities: provider.Capabilities{
ToolUse: true,
ContextWindow: 32768,
},
}
cloudArm := &Arm{
ID: NewArmID("anthropic", "claude-opus-4-7"),
ModelName: "claude-opus-4-7",
Provider: security.WrapProvider(&stubProvider{name: "anthropic", model: "claude-opus-4-7"}, nil),
IsLocal: false,
Strengths: []TaskType{TaskSecurityReview, TaskPlanning},
Capabilities: provider.Capabilities{
ToolUse: true,
ContextWindow: 1_000_000,
ThinkingModes: []provider.EffortLevel{provider.EffortHigh},
},
}
r.RegisterArm(localArm)
r.RegisterArm(cloudArm)
decision := r.Select(Task{
Type: TaskSecurityReview,
ComplexityScore: 0.8,
Priority: PriorityCritical,
RequiresTools: true,
EstimatedTokens: 3000,
})
if decision.Error != nil {
t.Fatalf("Select error: %v", decision.Error)
}
if decision.Arm.ID != cloudArm.ID {
t.Errorf("Strengths-tagged cloud arm should beat PreferLocal multiplier; got %s", decision.Arm.ID)
}
decision.Rollback()
}
// TestPreferPolicy_ForcedArmBypassesPolicy: --provider X must always win.
func TestPreferPolicy_ForcedArmBypassesPolicy(t *testing.T) {
r := New(Config{})
r.SetPreferPolicy(PreferLocal)
cloudArmID := NewArmID("anthropic", "claude-sonnet-4-6")
r.RegisterArm(&Arm{
ID: cloudArmID,
ModelName: "claude-sonnet-4-6",
Provider: security.WrapProvider(&stubProvider{name: "anthropic", model: "claude-sonnet-4-6"}, nil),
IsLocal: false,
Capabilities: provider.Capabilities{
ToolUse: true,
ContextWindow: 1_000_000,
},
})
r.ForceArm(cloudArmID)
decision := r.Select(Task{Type: TaskGeneration, RequiresTools: true})
if decision.Error != nil {
t.Fatalf("Select error: %v", decision.Error)
}
if decision.Arm.ID != cloudArmID {
t.Errorf("forced arm should bypass PreferLocal; got %s, want %s", decision.Arm.ID, cloudArmID)
}
}
// TestPreferPolicy_IncognitoStillWins: incognito's hard filter must
// dominate the soft prefer bias.
func TestPreferPolicy_IncognitoStillWins(t *testing.T) {
r := New(Config{})
r.SetPreferPolicy(PreferCloud) // bias toward cloud
r.SetLocalOnly(true) // but incognito filters cloud out
factory := func(name, model string) SecureProvider {
return security.WrapProvider(&stubProvider{name: name, model: model}, nil)
}
RegisterDiscoveredModels(r, []DiscoveredModel{
{ID: "qwen3:14b", Provider: "ollama", SupportsTools: true, ContextSize: 32768},
}, factory)
r.RegisterArm(&Arm{
ID: NewArmID("anthropic", "claude-sonnet-4-6"),
ModelName: "claude-sonnet-4-6",
Provider: security.WrapProvider(&stubProvider{name: "anthropic", model: "claude-sonnet-4-6"}, nil),
IsLocal: false,
Capabilities: provider.Capabilities{
ToolUse: true,
ContextWindow: 1_000_000,
},
})
decision := r.Select(Task{
Type: TaskExplain,
ComplexityScore: 0.4,
Priority: PriorityNormal,
RequiresTools: true,
EstimatedTokens: 1500,
})
if decision.Error != nil {
t.Fatalf("Select error: %v", decision.Error)
}
if !decision.Arm.IsLocal {
t.Errorf("incognito (LocalOnly=true) must beat PreferCloud; got %s", decision.Arm.ID)
}
decision.Rollback()
}
// TestPreferPolicy_LocalArmsExhaustedFallsBackToCloud: PreferLocal must
// not block cloud selection when the local fleet can't handle the task.
func TestPreferPolicy_LocalArmsExhaustedFallsBackToCloud(t *testing.T) {
r := New(Config{})
r.SetPreferPolicy(PreferLocal)
// Only a cloud arm registered.
r.RegisterArm(&Arm{
ID: NewArmID("anthropic", "claude-opus-4-7"),
ModelName: "claude-opus-4-7",
Provider: security.WrapProvider(&stubProvider{name: "anthropic", model: "claude-opus-4-7"}, nil),
IsLocal: false,
Capabilities: provider.Capabilities{
ToolUse: true,
ContextWindow: 1_000_000,
ThinkingModes: []provider.EffortLevel{provider.EffortHigh},
},
})
decision := r.Select(Task{
Type: TaskSecurityReview,
ComplexityScore: 0.9,
Priority: PriorityCritical,
RequiresTools: true,
EstimatedTokens: 5000,
})
if decision.Error != nil {
t.Fatalf("Select error: %v", decision.Error)
}
if decision.Arm.ID != NewArmID("anthropic", "claude-opus-4-7") {
t.Errorf("expected cloud arm to win when no local feasible; got %s", decision.Arm.ID)
}
decision.Rollback()
}
internal/router/quality_json_test.go
+7 -7
View File
@@ -8,7 +8,7 @@ import (
)
func TestQualityTracker_SnapshotRestore_RoundTrip(t *testing.T) {
qt := router.NewQualityTracker()
qt := router.NewQualityTracker(0, 0)
// Record some outcomes
qt.Record("anthropic/claude-3-5-sonnet", router.TaskGeneration, true)
qt.Record("anthropic/claude-3-5-sonnet", router.TaskGeneration, true)
@@ -33,7 +33,7 @@ func TestQualityTracker_SnapshotRestore_RoundTrip(t *testing.T) {
}
// Restore into a fresh tracker
qt2 := router.NewQualityTracker()
qt2 := router.NewQualityTracker(0, 0)
qt2.Restore(restored)
// After restore, Quality() should return data (Count >= minObservations=3)
@@ -47,7 +47,7 @@ func TestQualityTracker_SnapshotRestore_RoundTrip(t *testing.T) {
}
func TestQualityTracker_Snapshot_Empty(t *testing.T) {
qt := router.NewQualityTracker()
qt := router.NewQualityTracker(0, 0)
snap := qt.Snapshot()
if snap.Scores == nil {
t.Error("scores map should be initialized (not nil)")
@@ -58,7 +58,7 @@ func TestQualityTracker_Snapshot_Empty(t *testing.T) {
}
func TestQualityTracker_ClassifierCounts_RecordAndSnapshot(t *testing.T) {
qt := router.NewQualityTracker()
qt := router.NewQualityTracker(0, 0)
qt.RecordClassifier(router.ClassifierHeuristic)
qt.RecordClassifier(router.ClassifierSLM)
qt.RecordClassifier(router.ClassifierSLM)
@@ -92,7 +92,7 @@ func TestQualityTracker_ClassifierCounts_RecordAndSnapshot(t *testing.T) {
if err := json.Unmarshal(data, &restored); err != nil {
t.Fatal(err)
}
qt2 := router.NewQualityTracker()
qt2 := router.NewQualityTracker(0, 0)
qt2.Restore(restored)
if qt2.ClassifierCounts()[router.ClassifierSLM] != 2 {
t.Errorf("restored slm count = %d, want 2", qt2.ClassifierCounts()[router.ClassifierSLM])
@@ -107,7 +107,7 @@ func TestQualityTracker_Restore_BackCompat_NoClassifierCounts(t *testing.T) {
if err := json.Unmarshal(legacy, &snap); err != nil {
t.Fatal(err)
}
qt := router.NewQualityTracker()
qt := router.NewQualityTracker(0, 0)
qt.Restore(snap)
if qt.ClassifierCounts() == nil {
t.Error("ClassifierCounts() must return a non-nil map after restoring old snapshot")
@@ -122,7 +122,7 @@ func TestQualityTracker_Restore_BackCompat_NoClassifierCounts(t *testing.T) {
}
func TestQualityTracker_Restore_Replaces(t *testing.T) {
qt := router.NewQualityTracker()
qt := router.NewQualityTracker(0, 0)
qt.Record("arm-a", router.TaskDebug, true)
qt.Record("arm-a", router.TaskDebug, true)
qt.Record("arm-a", router.TaskDebug, true)
internal/router/router.go
+110 -3
View File
@@ -4,6 +4,7 @@ import (
"context"
"fmt"
"log/slog"
"strings"
"sync"
"time"
@@ -22,12 +23,96 @@ type Router struct {
forcedArm ArmID
// When true, only local arms are considered (incognito mode)
localOnly bool
// Soft bias toward local / cloud arms (PreferAuto = unbiased)
preferPolicy PreferPolicy
quality *QualityTracker
bandit BanditParams
}
// PreferPolicy biases the scoring step toward local or cloud arms.
// See docs/superpowers/plans/2026-05-23-prefer-routing-policy.md.
type PreferPolicy int
const (
// PreferAuto leaves scoring unbiased — default, byte-identical to
// pre-policy behavior.
PreferAuto PreferPolicy = iota
// PreferLocal multiplies non-local arm scores by 0.3, biasing
// selection toward local arms while still allowing cloud arms to
// win when no local arm is feasible or a cloud arm is much stronger.
PreferLocal
// PreferCloud multiplies local arm scores by 0.5, biasing selection
// toward cloud arms while still allowing local arms (especially
// tier-0 SLMs) to win trivial tasks.
PreferCloud
)
// ParsePreferPolicy converts a TOML-friendly string to a PreferPolicy.
// Empty string and "auto" both map to PreferAuto. Unknown values return
// an actionable error.
func ParsePreferPolicy(s string) (PreferPolicy, error) {
switch strings.ToLower(strings.TrimSpace(s)) {
case "", "auto":
return PreferAuto, nil
case "local":
return PreferLocal, nil
case "cloud":
return PreferCloud, nil
default:
return PreferAuto, fmt.Errorf("invalid router.prefer value %q (expected \"local\", \"cloud\", or \"auto\")", s)
}
}
// String returns the canonical TOML value for the policy.
func (p PreferPolicy) String() string {
switch p {
case PreferLocal:
return "local"
case PreferCloud:
return "cloud"
default:
return "auto"
}
}
type Config struct {
Logger *slog.Logger
// Bandit tunes the selector's scoring knobs. Pass a zero value to
// keep all pre-config behaviour byte-identical; set individual
// fields to override the corresponding default.
Bandit BanditParams
}
// BanditParams controls the EMA quality tracker and score blend used
// by the selector. Each field has a "use default" sentinel (0 for
// floats and ints) so a zero-valued BanditParams is byte-identical to
// the pre-config hardcoded constants. Defaults are defined in
// resolveBanditParams below.
type BanditParams struct {
QualityAlpha float64
MinObservations int
ObservedWeight float64
StrengthBonus float64
}
// resolveBanditParams fills in the built-in defaults for any field
// left at its zero value. Centralised so the same defaults apply
// across NewQualityTracker, scoreArm, and any future caller.
func resolveBanditParams(p BanditParams) BanditParams {
if p.QualityAlpha == 0 {
p.QualityAlpha = defaultQualityAlpha
}
if p.MinObservations == 0 {
p.MinObservations = defaultMinObservations
}
if p.ObservedWeight == 0 {
p.ObservedWeight = defaultObservedWeight
}
if p.StrengthBonus == 0 {
p.StrengthBonus = defaultStrengthBonus
}
return p
}
func New(cfg Config) *Router {
@@ -35,15 +120,22 @@ func New(cfg Config) *Router {
if logger == nil {
logger = slog.Default()
}
params := resolveBanditParams(cfg.Bandit)
return &Router{
arms: make(map[ArmID]*Arm),
logger: logger,
quality: NewQualityTracker(),
quality: NewQualityTracker(params.QualityAlpha, params.MinObservations),
bandit: params,
}
}
// RegisterArm adds an arm to the router.
// RegisterArm adds an arm to the router. Family-keyed defaults
// (Strengths, MaxComplexity, CostWeight, Disabled) are applied to any
// fields still at their zero value — user-supplied values are never
// overwritten. See defaults.go for the family table.
func (r *Router) RegisterArm(arm *Arm) {
applyFamilyDefaults(arm)
r.mu.Lock()
defer r.mu.Unlock()
r.arms[arm.ID] = arm
@@ -118,7 +210,7 @@ func (r *Router) Select(task Task) RoutingDecision {
}
// Select best
best := selectBest(r.quality, feasible, task)
best := selectBest(r.quality, r.bandit, feasible, task, r.preferPolicy)
if best == nil {
return RoutingDecision{Error: fmt.Errorf("selection failed")}
}
@@ -184,6 +276,21 @@ func (r *Router) LocalOnly() bool {
return r.localOnly
}
// SetPreferPolicy biases scoring toward local or cloud arms. See
// PreferPolicy for the semantics. Soft bias only — does not hard-filter.
func (r *Router) SetPreferPolicy(p PreferPolicy) {
r.mu.Lock()
defer r.mu.Unlock()
r.preferPolicy = p
}
// PreferPolicy returns the current routing-preference bias.
func (r *Router) PreferPolicy() PreferPolicy {
r.mu.RLock()
defer r.mu.RUnlock()
return r.preferPolicy
}
// RemoveArm removes an arm from the router.
func (r *Router) RemoveArm(id ArmID) {
r.mu.Lock()
internal/router/router_test.go
+8 -8
View File
@@ -262,7 +262,7 @@ func TestSelectBest_PrefersToolSupport(t *testing.T) {
}
task := Task{Type: TaskGeneration, RequiresTools: true, Priority: PriorityNormal}
best := selectBest(nil, []*Arm{withoutTools, withTools}, task)
best := selectBest(nil, BanditParams{}, []*Arm{withoutTools, withTools}, task, PreferAuto)
if best.ID != "a/with-tools" {
t.Errorf("should prefer arm with tool support, got %s", best.ID)
@@ -282,7 +282,7 @@ func TestSelectBest_PrefersThinkingForPlanning(t *testing.T) {
}
task := Task{Type: TaskPlanning, RequiresTools: true, Priority: PriorityNormal, EstimatedTokens: 5000}
best := selectBest(nil, []*Arm{noThinking, thinking}, task)
best := selectBest(nil, BanditParams{}, []*Arm{noThinking, thinking}, task, PreferAuto)
if best.ID != "a/thinking" {
t.Errorf("should prefer thinking model for planning, got %s", best.ID)
@@ -602,7 +602,7 @@ func TestArmTier(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := armTier(tt.arm, tt.task); got != tt.want {
if got := armTier(tt.arm, tt.task, PreferAuto); got != tt.want {
t.Errorf("armTier = %d, want %d", got, tt.want)
}
})
@@ -625,7 +625,7 @@ func TestSelectBest_SmallArmWinsTrivialTask(t *testing.T) {
Capabilities: provider.Capabilities{ToolUse: false},
}
task := Task{Type: TaskExplain, ComplexityScore: 0.05, RequiresTools: false}
got := selectBest(nil, []*Arm{cliArm, smallArm}, task)
got := selectBest(nil, BanditParams{}, []*Arm{cliArm, smallArm}, task, PreferAuto)
if got != smallArm {
t.Errorf("selectBest = %v, want smallArm", got)
}
@@ -647,7 +647,7 @@ func TestSelectBest_CLIAgentWinsComplexTask(t *testing.T) {
Capabilities: provider.Capabilities{ToolUse: false},
}
task := Task{Type: TaskRefactor, ComplexityScore: 0.7, RequiresTools: true}
got := selectBest(nil, []*Arm{cliArm, smallArm}, task)
got := selectBest(nil, BanditParams{}, []*Arm{cliArm, smallArm}, task, PreferAuto)
if got != cliArm {
t.Errorf("selectBest = %v, want cliArm", got)
}
@@ -672,21 +672,21 @@ func TestSelectBest_TierPreference(t *testing.T) {
task := Task{Type: TaskGeneration, Priority: PriorityNormal, EstimatedTokens: 1000}
t.Run("CLI beats local and API", func(t *testing.T) {
best := selectBest(nil, []*Arm{apiArm, localArm, cliArm}, task)
best := selectBest(nil, BanditParams{}, []*Arm{apiArm, localArm, cliArm}, task, PreferAuto)
if best.ID != "subprocess/claude" {
t.Errorf("want subprocess/claude (tier 0), got %s", best.ID)
}
})
t.Run("local beats API when no CLI", func(t *testing.T) {
best := selectBest(nil, []*Arm{apiArm, localArm}, task)
best := selectBest(nil, BanditParams{}, []*Arm{apiArm, localArm}, task, PreferAuto)
if best.ID != "ollama/llama3" {
t.Errorf("want ollama/llama3 (tier 1), got %s", best.ID)
}
})
t.Run("API selected when only option", func(t *testing.T) {
best := selectBest(nil, []*Arm{apiArm}, task)
best := selectBest(nil, BanditParams{}, []*Arm{apiArm}, task, PreferAuto)
if best == nil || best.ID != "mistral/mistral-large" {
t.Errorf("want mistral/mistral-large (tier 2), got %v", best)
}
internal/router/selector.go
+77 -15
View File
@@ -43,7 +43,38 @@ func (d RoutingDecision) Rollback() {
// - 1: CLI agent
// - 2: local model (general purpose, no complexity ceiling)
// - 3: API provider
func armTier(arm *Arm, task Task) int {
//
// When prefer is PreferLocal, non-local non-CLI-agent arms (true cloud
// API arms) are demoted by +2 tiers so any local or CLI-agent option
// is preferred. When prefer is PreferCloud, IsLocal arms are demoted
// by +2 tiers so cloud arms win the tier walk. The +2 shift is enough
// to drop cloud below the locals (tier 3 → 5) and locals below cloud
// (tier 2 → 4) without colliding with any normal tier value, keeping
// the tier walk deterministic.
//
// The Strengths-promoted path in selectBest bypasses the tier walk
// entirely, so prefer-policy never blocks a strongly-tagged arm from
// winning the task it's tagged for. This is the intended interaction.
func armTier(arm *Arm, task Task, prefer PreferPolicy) int {
base := armBaseTier(arm, task)
switch prefer {
case PreferLocal:
// Demote pure cloud arms. CLI-agent arms proxy to cloud but
// remain "local" from a tooling perspective — leave them where
// they are. Users who want to exclude them should use
// `--provider X` or the existing exclude mechanisms.
if !arm.IsLocal && !arm.IsCLIAgent {
return base + 2
}
case PreferCloud:
if arm.IsLocal {
return base + 2
}
}
return base
}
func armBaseTier(arm *Arm, task Task) int {
if arm.MaxComplexity > 0 && task.ComplexityScore <= arm.MaxComplexity {
return 0
}
@@ -67,7 +98,7 @@ func armTier(arm *Arm, task Task) int {
//
// Step 2 (fallback): walk tiers low→high. Within a tier, highest-scoring
// arm wins.
func selectBest(qt *QualityTracker, arms []*Arm, task Task) *Arm {
func selectBest(qt *QualityTracker, params BanditParams, arms []*Arm, task Task, prefer PreferPolicy) *Arm {
if len(arms) == 0 {
return nil
}
@@ -79,29 +110,32 @@ func selectBest(qt *QualityTracker, arms []*Arm, task Task) *Arm {
}
}
if len(promoted) > 0 {
return bestScored(qt, promoted, task)
return bestScored(qt, params, promoted, task, prefer)
}
for tier := 0; tier <= 3; tier++ {
// Walk tiers low→high. armTier returns up to 5 when prefer is set
// (a dispreferred tier-3 cloud arm under PreferLocal lands at 5);
// the loop bound has to cover that.
for tier := 0; tier <= 5; tier++ {
var inTier []*Arm
for _, arm := range arms {
if armTier(arm, task) == tier {
if armTier(arm, task, prefer) == tier {
inTier = append(inTier, arm)
}
}
if len(inTier) > 0 {
return bestScored(qt, inTier, task)
return bestScored(qt, params, inTier, task, prefer)
}
}
return nil
}
// bestScored returns the highest-scoring arm within a set.
func bestScored(qt *QualityTracker, arms []*Arm, task Task) *Arm {
func bestScored(qt *QualityTracker, params BanditParams, arms []*Arm, task Task, prefer PreferPolicy) *Arm {
var best *Arm
bestScore := math.Inf(-1)
for _, arm := range arms {
score := scoreArm(qt, arm, task)
score := scoreArm(qt, params, arm, task) * policyMultiplier(arm, prefer)
if score > bestScore {
bestScore = score
best = arm
@@ -110,13 +144,40 @@ func bestScored(qt *QualityTracker, arms []*Arm, task Task) *Arm {
return best
}
// strengthScoreBonus is added to quality when an arm's Strengths list
// matches the incoming task type. Tunable in one place.
const strengthScoreBonus = 0.15
// policyMultiplier returns the prefer-policy score multiplier for an
// arm. Soft bias only — does not zero out the dispreferred set, so
// when only cloud arms are feasible under PreferLocal a cloud arm can
// still win. Calibrated against the typical scoreArm output range
// (~0.52.0) so a 0.3 multiplier is roughly equivalent to "non-local
// arm must be ~3x better than local to win."
//
// CLI-agent subprocess arms count as non-local because they proxy to
// cloud — the prefer knob is about the privacy/cost axis, not the
// tooling-locality axis. Users who want to pin subprocess specifically
// should use --provider subprocess, which bypasses the policy.
func policyMultiplier(arm *Arm, p PreferPolicy) float64 {
switch p {
case PreferLocal:
if arm.IsLocal {
return 1.0
}
return 0.3
case PreferCloud:
if arm.IsLocal {
return 0.5
}
return 1.0
default:
return 1.0
}
}
// scoreArm computes a quality/cost score for an arm.
// When the quality tracker has sufficient observations, blends observed EMA
// (70%) with heuristic (30%). Falls back to pure heuristic otherwise.
// (default 70%) with heuristic (default 30%). Falls back to pure heuristic
// otherwise. The blend ratio and strength bonus are tunable via
// BanditParams (config: [router.bandit]); a zero-valued params falls back
// to the built-in defaults.
//
// Strengths add a fixed bonus to quality when matching task.Type. CostWeight
// dampens the cost penalty linearly:
@@ -127,16 +188,17 @@ const strengthScoreBonus = 0.15
// the original effectiveCost == cost. With CostWeight=0 cost is fully
// ignored (effectiveCost = 1.0). Local arms with sub-1 raw costs are not
// amplified by fractional weights (the linear formula stays monotone).
func scoreArm(qt *QualityTracker, arm *Arm, task Task) float64 {
func scoreArm(qt *QualityTracker, params BanditParams, arm *Arm, task Task) float64 {
params = resolveBanditParams(params)
hq := heuristicQuality(arm, task)
quality := hq
if qt != nil {
if observed, hasData := qt.Quality(arm.ID, task.Type); hasData {
quality = 0.7*observed + 0.3*hq
quality = params.ObservedWeight*observed + (1-params.ObservedWeight)*hq
}
}
if arm.HasStrength(task.Type) {
quality += strengthScoreBonus
quality += params.StrengthBonus
}
value := task.ValueScore()
rawCost := effectiveCost(arm, task)
internal/router/strengths_test.go
+12 -12
View File
@@ -65,17 +65,17 @@ func TestScoreArm_CostWeightAffectsArmComparison(t *testing.T) {
// CostWeight=1.0: cost dominates, cheap arm wins.
cheap.CostWeight, expensive.CostWeight = 1.0, 1.0
if scoreArm(nil, cheap, task) <= scoreArm(nil, expensive, task) {
if scoreArm(nil, BanditParams{}, cheap, task) <= scoreArm(nil, BanditParams{}, expensive, task) {
t.Errorf("CostWeight=1.0: cheap arm should beat expensive arm; cheap=%v expensive=%v",
scoreArm(nil, cheap, task), scoreArm(nil, expensive, task))
scoreArm(nil, BanditParams{}, cheap, task), scoreArm(nil, BanditParams{}, expensive, task))
}
// CostWeight=0.0: cost ignored, quality alone decides → expensive (better
// context window) wins.
cheap.CostWeight, expensive.CostWeight = 0.001, 0.001
if scoreArm(nil, expensive, task) <= scoreArm(nil, cheap, task) {
if scoreArm(nil, BanditParams{}, expensive, task) <= scoreArm(nil, BanditParams{}, cheap, task) {
t.Errorf("CostWeight~0: higher-quality expensive arm should beat cheap arm; expensive=%v cheap=%v",
scoreArm(nil, expensive, task), scoreArm(nil, cheap, task))
scoreArm(nil, BanditParams{}, expensive, task), scoreArm(nil, BanditParams{}, cheap, task))
}
}
@@ -140,8 +140,8 @@ func TestScoreArm_StrengthBonus(t *testing.T) {
}
task := Task{Type: TaskSecurityReview, EstimatedTokens: 5000, RequiresTools: true, Priority: PriorityNormal}
a := scoreArm(nil, withoutStrength, task)
b := scoreArm(nil, withStrength, task)
a := scoreArm(nil, BanditParams{}, withoutStrength, task)
b := scoreArm(nil, BanditParams{}, withStrength, task)
if !(b > a) {
t.Errorf("strength-tagged arm score (%v) should exceed plain arm score (%v)", b, a)
}
@@ -160,8 +160,8 @@ func TestScoreArm_StrengthBonusDoesNotApplyToOtherTasks(t *testing.T) {
}
task := Task{Type: TaskDebug, EstimatedTokens: 5000, RequiresTools: true, Priority: PriorityNormal}
a := scoreArm(nil, plain, task)
b := scoreArm(nil, tagged, task)
a := scoreArm(nil, BanditParams{}, plain, task)
b := scoreArm(nil, BanditParams{}, tagged, task)
if math.Abs(a-b) > 1e-9 {
t.Errorf("non-matching task should ignore Strengths: plain=%v tagged=%v", a, b)
}
@@ -184,7 +184,7 @@ func TestSelectBest_StrengthPromotedArmBeatsCLIAgent(t *testing.T) {
}
task := Task{Type: TaskSecurityReview, EstimatedTokens: 5000, RequiresTools: true, Priority: PriorityNormal}
got := selectBest(nil, []*Arm{cliAgent, opus}, task)
got := selectBest(nil, BanditParams{}, []*Arm{cliAgent, opus}, task, PreferAuto)
if got == nil {
t.Fatal("selectBest returned nil")
}
@@ -208,7 +208,7 @@ func TestSelectBest_EmptyStrengthsPreservesTierOrder(t *testing.T) {
}
task := Task{Type: TaskSecurityReview, EstimatedTokens: 5000, RequiresTools: true, Priority: PriorityNormal}
got := selectBest(nil, []*Arm{cliAgent, opus}, task)
got := selectBest(nil, BanditParams{}, []*Arm{cliAgent, opus}, task, PreferAuto)
if got.ID != cliAgent.ID {
t.Errorf("without Strengths, CLI-agent tier-1 should win; got %s", got.ID)
}
@@ -327,7 +327,7 @@ func TestSelectBest_MultiplePromotedArmsBestQualityWins(t *testing.T) {
Strengths: []TaskType{TaskSecurityReview},
}
qt := NewQualityTracker()
qt := NewQualityTracker(0, 0)
// armB has consistently succeeded — minObservations=3 is enough to flip
// the score blend.
for i := 0; i < 5; i++ {
@@ -339,7 +339,7 @@ func TestSelectBest_MultiplePromotedArmsBestQualityWins(t *testing.T) {
}
task := Task{Type: TaskSecurityReview, EstimatedTokens: 5000, RequiresTools: true, Priority: PriorityNormal}
got := selectBest(qt, []*Arm{armA, armB}, task)
got := selectBest(qt, BanditParams{}, []*Arm{armA, armB}, task, PreferAuto)
if got == nil {
t.Fatal("selectBest returned nil")
}
internal/safety/banner.go
+144
View File
@@ -0,0 +1,144 @@
package safety
import (
"fmt"
"path/filepath"
"strings"
)
// SessionInfo carries the bits of session state the banner shows.
// Caller passes whatever is known at launch time; empty fields are
// omitted from the rendered banner.
type SessionInfo struct {
Version string // e.g. "0.2.1"
GitBranch string // empty if not in a git repo
GitDirty bool // true if working tree has uncommitted changes
ProjectType string // free-form, e.g. "Go module (somegit.dev/...)"
Provider string // e.g. "ollama"
Model string // e.g. "qwen3-coder:30b"
Permission string // e.g. "auto", "accept_edits"
Incognito bool
Prefer string // "auto" / "local" / "cloud"
Tenant string // optional, e.g. Kubernetes context name
}
// RenderContextBanner returns the always-shown banner with cwd, git,
// project, model, modes, and sensitive-file inventory. Result includes
// a trailing newline. Deterministic — safe for golden-string testing.
func RenderContextBanner(c Classification, info SessionInfo, sensitive []Match) string {
var sb strings.Builder
header := "gnoma"
if info.Version != "" {
header += " " + info.Version
}
header += " — ready"
sb.WriteString(header + "\n")
// Field labels are padded to 9 characters so the ":" separators
// align in monospace output. "sensitive" sets the width; everything
// else pads to match.
writeField(&sb, "cwd ", c.Path)
if info.GitBranch != "" {
state := "clean"
if info.GitDirty {
state = "dirty"
}
writeField(&sb, "git ", fmt.Sprintf("%s (%s)", info.GitBranch, state))
}
if info.ProjectType != "" {
writeField(&sb, "project ", info.ProjectType)
}
if info.Provider != "" || info.Model != "" {
writeField(&sb, "provider ", strings.TrimSpace(info.Provider+" / "+info.Model))
}
modes := renderModes(info)
if modes != "" {
writeField(&sb, "mode ", modes)
}
if info.Tenant != "" {
writeField(&sb, "tenant ", info.Tenant)
}
if len(sensitive) > 0 {
summary := fmt.Sprintf("%d match", len(sensitive))
if len(sensitive) != 1 {
summary = fmt.Sprintf("%d matches", len(sensitive))
}
names := make([]string, 0, len(sensitive))
shown := len(sensitive)
if shown > 3 {
shown = 3
}
for i := 0; i < shown; i++ {
names = append(names, filepath.Base(sensitive[i].Path))
}
if len(sensitive) > shown {
names = append(names, fmt.Sprintf("+%d more", len(sensitive)-shown))
}
writeField(&sb, "sensitive", fmt.Sprintf("%s: %s", summary, strings.Join(names, ", ")))
} else {
writeField(&sb, "sensitive", "0 matches in cwd")
}
sb.WriteString("---\n")
return sb.String()
}
// RenderWarnPrefix returns the banner text shown above the context
// banner when the cwd is TierWarn. The caller is responsible for
// reading a confirmation keystroke after printing this. Empty when
// the tier isn't TierWarn.
func RenderWarnPrefix(c Classification) string {
if c.Tier != TierWarn {
return ""
}
return fmt.Sprintf(
"WARNING: cwd is %s (%s).\n"+
" Any file the model reads / writes / executes is in your\n"+
" personal directory — including .ssh/, .aws/, shell history,\n"+
" browser profiles.\n"+
" Continue? [y/N] ",
c.Path, c.Reason,
)
}
// RenderRefuse returns the banner text shown when the cwd is
// TierRefuse. Caller prints this and exits non-zero.
func RenderRefuse(c Classification) string {
if c.Tier != TierRefuse {
return ""
}
return fmt.Sprintf(
"ERROR: gnoma will not start in %s.\n"+
" This directory (%s) contains system-critical files that\n"+
" should never be edited by a model. To override (you almost\n"+
" certainly should not), pass --dangerously-allow-anywhere.\n",
c.Path, c.Reason,
)
}
func writeField(sb *strings.Builder, label, value string) {
if value == "" {
return
}
sb.WriteString(label + " : " + value + "\n")
}
func renderModes(info SessionInfo) string {
var parts []string
if info.Permission != "" {
parts = append(parts, "permission="+info.Permission)
}
if info.Incognito {
parts = append(parts, "incognito=on")
} else if info.Permission != "" || info.Prefer != "" {
// Show incognito=off only when other modes are also rendered;
// keeps a bare banner from being noisier than necessary.
parts = append(parts, "incognito=off")
}
if info.Prefer != "" && info.Prefer != "auto" {
parts = append(parts, "prefer="+info.Prefer)
}
return strings.Join(parts, " ")
}
internal/safety/banner_test.go
+127
View File
@@ -0,0 +1,127 @@
package safety
import (
"strings"
"testing"
)
func TestRenderContextBanner_BasicFields(t *testing.T) {
c := Classification{Tier: TierOK, Path: "/home/cn/git/foo", Reason: "inside a git repo"}
info := SessionInfo{
Version: "0.2.1",
GitBranch: "dev",
GitDirty: false,
ProjectType: "Go module",
Provider: "ollama",
Model: "qwen3-coder:30b",
Permission: "auto",
Incognito: false,
Prefer: "auto",
}
out := RenderContextBanner(c, info, nil)
want := []string{
"gnoma 0.2.1 — ready",
"cwd",
"/home/cn/git/foo",
"git",
"dev (clean)",
"project",
"Go module",
"provider",
"ollama / qwen3-coder:30b",
"mode",
"permission=auto",
"sensitive",
"0 matches in cwd",
"---",
}
for _, w := range want {
if !strings.Contains(out, w) {
t.Errorf("banner missing %q\nfull output:\n%s", w, out)
}
}
}
func TestRenderContextBanner_DirtyGit(t *testing.T) {
c := Classification{Tier: TierOK, Path: "/somewhere", Reason: "ok"}
info := SessionInfo{Version: "x", GitBranch: "main", GitDirty: true}
out := RenderContextBanner(c, info, nil)
if !strings.Contains(out, "main (dirty)") {
t.Errorf("dirty git not surfaced:\n%s", out)
}
}
func TestRenderContextBanner_SensitiveMatches(t *testing.T) {
c := Classification{Tier: TierWarn, Path: "/home/cn", Reason: "home"}
info := SessionInfo{Version: "x"}
matches := []Match{
{Path: "/home/cn/.env", Reason: "env file"},
{Path: "/home/cn/id_rsa", Reason: "private key"},
{Path: "/home/cn/.ssh", Reason: "credentials directory"},
{Path: "/home/cn/aws_credentials", Reason: "credentials file"},
}
out := RenderContextBanner(c, info, matches)
// 4 matches, banner truncates to 3 + "+N more"
if !strings.Contains(out, "4 matches") {
t.Errorf("expected '4 matches' summary, got:\n%s", out)
}
if !strings.Contains(out, "+1 more") {
t.Errorf("expected +1 more truncation, got:\n%s", out)
}
}
func TestRenderContextBanner_OmitsEmptyFields(t *testing.T) {
c := Classification{Tier: TierOK, Path: "/x", Reason: ""}
info := SessionInfo{} // everything empty
out := RenderContextBanner(c, info, nil)
if strings.Contains(out, "provider :") {
t.Errorf("empty provider/model should be omitted:\n%s", out)
}
if strings.Contains(out, "git :") {
t.Errorf("empty git branch should be omitted:\n%s", out)
}
}
func TestRenderWarnPrefix(t *testing.T) {
c := Classification{Tier: TierWarn, Path: "/home/cn", Reason: "personal directory"}
out := RenderWarnPrefix(c)
if !strings.Contains(out, "WARNING") {
t.Errorf("warn prefix missing WARNING:\n%s", out)
}
if !strings.Contains(out, "/home/cn") {
t.Errorf("warn prefix missing path:\n%s", out)
}
if !strings.Contains(out, "[y/N]") {
t.Errorf("warn prefix missing keypress prompt:\n%s", out)
}
}
func TestRenderWarnPrefix_EmptyOnNonWarnTier(t *testing.T) {
if got := RenderWarnPrefix(Classification{Tier: TierOK}); got != "" {
t.Errorf("non-warn tier should produce empty warn prefix, got %q", got)
}
if got := RenderWarnPrefix(Classification{Tier: TierRefuse}); got != "" {
t.Errorf("refuse tier should produce empty warn prefix, got %q", got)
}
}
func TestRenderRefuse(t *testing.T) {
c := Classification{Tier: TierRefuse, Path: "/etc", Reason: "system directory"}
out := RenderRefuse(c)
if !strings.Contains(out, "ERROR") {
t.Errorf("refuse banner missing ERROR:\n%s", out)
}
if !strings.Contains(out, "/etc") {
t.Errorf("refuse banner missing path:\n%s", out)
}
if !strings.Contains(out, "--dangerously-allow-anywhere") {
t.Errorf("refuse banner missing override hint:\n%s", out)
}
}
func TestRenderRefuse_EmptyOnNonRefuseTier(t *testing.T) {
if got := RenderRefuse(Classification{Tier: TierOK}); got != "" {
t.Errorf("non-refuse tier should produce empty refuse text, got %q", got)
}
}
internal/safety/cwd.go
+266
View File
@@ -0,0 +1,266 @@
// Package safety implements gnoma's pre-launch directory-safety
// classifier and context banner. See
// docs/superpowers/plans/2026-05-23-startup-safety-banner.md for the
// full design.
//
// The classifier categorizes the current working directory into one of
// three tiers (OK, Warn, Refuse) and renders an informational banner
// summarizing where gnoma is about to run. The runtime (cmd/gnoma) is
// responsible for the user-interaction part (printing the banner,
// gating on a keypress under TierWarn, exiting under TierRefuse).
package safety
import (
"os"
"path/filepath"
"runtime"
"strings"
"somegit.dev/Owlibou/gnoma/internal/config"
)
// Tier classifies the safety risk of the current working directory.
type Tier int
const (
// TierOK — directory is safe to operate in. Either inside a git
// repo, or contains a recognized project marker.
TierOK Tier = iota
// TierWarn — sensitive personal directory ($HOME, ~/Downloads,
// /tmp, etc.). The runtime should banner + keypress before
// continuing.
TierWarn
// TierRefuse — system root or near-root (/etc, /sys, /usr, etc.).
// The runtime should refuse to launch unless overridden.
TierRefuse
)
// String returns a human-readable tier name.
func (t Tier) String() string {
switch t {
case TierOK:
return "ok"
case TierWarn:
return "warn"
case TierRefuse:
return "refuse"
default:
return "unknown"
}
}
// Classification carries the tier plus a human-readable reason and the
// resolved-symlink absolute path that was classified.
type Classification struct {
Tier Tier
Path string // absolute, symlink-resolved cwd
Reason string // short message suitable for banner display
}
// ClassifyCWD inspects the given absolute cwd path and returns its
// safety tier under the given config. Resolves symlinks before
// classification so a symlink like ~/etc-mirror → /etc doesn't fool
// the check.
//
// Project markers (.git/, .gnoma/, go.mod, package.json,
// pyproject.toml, Cargo.toml, Makefile, Dockerfile) force TierOK
// regardless of parent dir, unless require_project_marker is true (in
// which case lack of any marker forces at least TierWarn).
//
// Container detection: when /.dockerenv or /run/.containerenv exists,
// refuse-tier roots are downgraded to warn-tier (containers typically
// run from /workspace or /app which is "OK" but the root itself can
// be /). Implemented via a flag carried through the helpers.
func ClassifyCWD(cwd string, cfg config.ResolvedSafetySection) Classification {
abs, err := filepath.Abs(cwd)
if err != nil {
abs = cwd
}
resolved, err := filepath.EvalSymlinks(abs)
if err != nil {
resolved = abs
}
if hasProjectMarker(resolved) {
return Classification{Tier: TierOK, Path: resolved, Reason: "project marker present"}
}
if isInGitRepo(resolved) {
if cfg.RequireProjectMarker {
return Classification{
Tier: TierWarn,
Path: resolved,
Reason: "in git repo but no recognized project marker (require_project_marker=true)",
}
}
return Classification{Tier: TierOK, Path: resolved, Reason: "inside a git repo"}
}
inContainer := isInContainer()
if isSystemRoot(resolved) {
if cfg.RefuseInSystemDirs && !inContainer {
return Classification{Tier: TierRefuse, Path: resolved, Reason: "system directory"}
}
// Containers downgrade refuse to warn — running from / inside
// a container is common (some devcontainers chroot there).
return Classification{Tier: TierWarn, Path: resolved, Reason: "system directory (container)"}
}
if isPersonalDumpingGround(resolved) {
if cfg.WarnInHome {
return Classification{Tier: TierWarn, Path: resolved, Reason: "personal directory ($HOME, /tmp, or common dumping ground)"}
}
return Classification{Tier: TierOK, Path: resolved, Reason: "personal directory (warn_in_home=false)"}
}
if cfg.RequireProjectMarker {
return Classification{Tier: TierWarn, Path: resolved, Reason: "no recognized project marker (require_project_marker=true)"}
}
return Classification{Tier: TierOK, Path: resolved, Reason: "no risk indicators"}
}
// projectMarkers are filenames whose presence in the cwd's top level
// signals "this is a project root." `.git` is intentionally NOT in
// this list — git presence is handled by isInGitRepo so the
// RequireProjectMarker config knob can distinguish "git repo but no
// project file" (warn-tier under that knob) from "go.mod exists"
// (always ok-tier).
var projectMarkers = []string{
".gnoma",
"go.mod",
"package.json",
"pyproject.toml",
"Cargo.toml",
"Makefile",
"Dockerfile",
"build.gradle",
"build.gradle.kts",
"pom.xml",
}
func hasProjectMarker(path string) bool {
for _, m := range projectMarkers {
if _, err := os.Stat(filepath.Join(path, m)); err == nil {
return true
}
}
return false
}
// isInGitRepo walks up from path looking for a .git directory or file.
// Stops at the filesystem root.
func isInGitRepo(path string) bool {
cur := path
for {
gitPath := filepath.Join(cur, ".git")
if info, err := os.Stat(gitPath); err == nil {
_ = info
return true
}
parent := filepath.Dir(cur)
if parent == cur {
return false
}
cur = parent
}
}
// systemRoots lists directories (and their descendants) that are
// considered too dangerous to operate inside without an explicit
// override. Platform-specific entries are added in the helpers below.
var systemRoots = []string{
"/etc",
"/sys",
"/proc",
"/usr",
"/var",
"/bin",
"/sbin",
"/boot",
"/root",
"/dev",
}
// systemRootsMacOS lists additional roots that exist only on macOS.
var systemRootsMacOS = []string{
"/System",
"/Library",
"/private",
"/Applications",
}
// isSystemRoot reports whether path is at or under a known system
// root. Includes "/" itself (no path prefix would match it
// otherwise).
func isSystemRoot(path string) bool {
if path == "/" {
return true
}
roots := systemRoots
if runtime.GOOS == "darwin" {
roots = append(append([]string(nil), systemRoots...), systemRootsMacOS...)
}
for _, root := range roots {
if path == root || strings.HasPrefix(path, root+"/") {
return true
}
}
return false
}
// personalDumpingGrounds lists directories that typically hold mixed
// sensitive/non-sensitive files — usually-fine for ad-hoc poking, but
// worth a confirmation prompt because a model with tool access can
// easily reach .ssh keys, config files, browser profiles, etc.
//
// The check is exact path match against the user's home dir plus
// resolved sub-paths, NOT a prefix match — a project inside ~/git/foo
// shouldn't trigger warn just because it's under $HOME. The git/marker
// checks above already capture that.
func isPersonalDumpingGround(path string) bool {
home, err := os.UserHomeDir()
if err != nil || home == "" {
// If we can't resolve $HOME, fall back to a conservative
// warn-anywhere stance for /tmp.
return path == "/tmp" || strings.HasPrefix(path, "/tmp/")
}
if path == home {
return true
}
dumps := []string{
home,
filepath.Join(home, "Desktop"),
filepath.Join(home, "Downloads"),
filepath.Join(home, "Documents"),
filepath.Join(home, "Music"),
filepath.Join(home, "Pictures"),
filepath.Join(home, "Videos"),
filepath.Join(home, ".config"),
filepath.Join(home, ".local"),
filepath.Join(home, ".cache"),
"/tmp",
}
for _, d := range dumps {
if path == d {
return true
}
}
return false
}
// isInContainer reports whether the process appears to be running
// inside a Linux container. Two common signals: /.dockerenv (Docker)
// and /run/.containerenv (Podman). Best-effort — false negatives are
// acceptable; false positives just downgrade refuse-tier paths to
// warn, which is the lesser failure.
func isInContainer() bool {
for _, marker := range []string{"/.dockerenv", "/run/.containerenv"} {
if _, err := os.Stat(marker); err == nil {
return true
}
}
return false
}
internal/safety/cwd_test.go
+152
View File
@@ -0,0 +1,152 @@
package safety
import (
"os"
"path/filepath"
"testing"
"somegit.dev/Owlibou/gnoma/internal/config"
)
func defaultCfg() config.ResolvedSafetySection {
return config.ResolvedSafetySection{
RefuseInSystemDirs: true,
WarnInHome: true,
RequireProjectMarker: false,
}
}
func TestClassifyCWD_SystemRoots(t *testing.T) {
cfg := defaultCfg()
cases := []string{"/etc", "/etc/foo", "/sys", "/proc/1", "/var/log", "/usr/local"}
for _, p := range cases {
t.Run(p, func(t *testing.T) {
c := ClassifyCWD(p, cfg)
// When running inside a container, system roots are
// downgraded to warn. The CI/container case is acceptable.
if c.Tier == TierRefuse {
return
}
if c.Tier == TierWarn && isInContainer() {
return
}
t.Errorf("%s tier = %v, want refuse (or warn under container)", p, c.Tier)
})
}
}
func TestClassifyCWD_HomeIsWarn(t *testing.T) {
home, err := os.UserHomeDir()
if err != nil || home == "" {
t.Skip("UserHomeDir unavailable")
}
cfg := defaultCfg()
c := ClassifyCWD(home, cfg)
if c.Tier != TierWarn {
t.Errorf("$HOME tier = %v, want warn", c.Tier)
}
}
func TestClassifyCWD_TmpIsWarn(t *testing.T) {
cfg := defaultCfg()
c := ClassifyCWD("/tmp", cfg)
if c.Tier != TierWarn {
t.Errorf("/tmp tier = %v, want warn", c.Tier)
}
}
func TestClassifyCWD_ProjectMarkerForcesOK(t *testing.T) {
dir := t.TempDir()
// Drop a project marker.
if err := os.WriteFile(filepath.Join(dir, "go.mod"), []byte("module test"), 0o600); err != nil {
t.Fatal(err)
}
cfg := defaultCfg()
c := ClassifyCWD(dir, cfg)
if c.Tier != TierOK {
t.Errorf("dir with go.mod tier = %v, want ok", c.Tier)
}
}
func TestClassifyCWD_GitRepoIsOK(t *testing.T) {
dir := t.TempDir()
// Drop a .git directory (file would also be accepted — git worktrees).
if err := os.MkdirAll(filepath.Join(dir, ".git"), 0o700); err != nil {
t.Fatal(err)
}
cfg := defaultCfg()
c := ClassifyCWD(dir, cfg)
if c.Tier != TierOK {
t.Errorf("dir with .git tier = %v, want ok", c.Tier)
}
}
func TestClassifyCWD_RequireProjectMarker_GitRepoWithoutMarker(t *testing.T) {
dir := t.TempDir()
if err := os.MkdirAll(filepath.Join(dir, ".git"), 0o700); err != nil {
t.Fatal(err)
}
cfg := defaultCfg()
cfg.RequireProjectMarker = true
c := ClassifyCWD(dir, cfg)
if c.Tier != TierWarn {
t.Errorf("git repo without marker under RequireProjectMarker tier = %v, want warn", c.Tier)
}
}
func TestClassifyCWD_ProjectInsideHomeIsOK(t *testing.T) {
home, err := os.UserHomeDir()
if err != nil || home == "" {
t.Skip("UserHomeDir unavailable")
}
// Project markers anywhere — including inside $HOME — must
// override the personal-dumping-ground warn.
dir := filepath.Join(home, ".gnoma-safety-test-tmp")
if err := os.MkdirAll(dir, 0o700); err != nil {
t.Skipf("could not create test dir: %v", err)
}
defer func() { _ = os.RemoveAll(dir) }()
if err := os.WriteFile(filepath.Join(dir, "go.mod"), []byte("module test"), 0o600); err != nil {
t.Fatal(err)
}
cfg := defaultCfg()
c := ClassifyCWD(dir, cfg)
if c.Tier != TierOK {
t.Errorf("project dir inside $HOME tier = %v, want ok", c.Tier)
}
}
func TestClassifyCWD_RefuseDisabled(t *testing.T) {
cfg := defaultCfg()
cfg.RefuseInSystemDirs = false
c := ClassifyCWD("/etc", cfg)
if c.Tier == TierRefuse {
t.Errorf("with refuse_in_system_dirs=false, /etc tier = %v, want warn or ok", c.Tier)
}
}
func TestClassifyCWD_WarnInHomeDisabled(t *testing.T) {
home, err := os.UserHomeDir()
if err != nil || home == "" {
t.Skip("UserHomeDir unavailable")
}
cfg := defaultCfg()
cfg.WarnInHome = false
c := ClassifyCWD(home, cfg)
if c.Tier != TierOK {
t.Errorf("with warn_in_home=false, $HOME tier = %v, want ok", c.Tier)
}
}
func TestTier_String(t *testing.T) {
cases := map[Tier]string{
TierOK: "ok",
TierWarn: "warn",
TierRefuse: "refuse",
}
for tier, want := range cases {
if got := tier.String(); got != want {
t.Errorf("%d.String() = %q, want %q", tier, got, want)
}
}
}
internal/safety/sensitive.go
+165
View File
@@ -0,0 +1,165 @@
package safety
import (
"os"
"path/filepath"
"sort"
"strings"
)
// Match represents a sensitive file found in the cwd's top level.
type Match struct {
Path string // path relative to cwd, e.g. ".env" or ".ssh"
Reason string // short label, e.g. "env file", "private key"
}
// sensitivePatterns is the rule table. Each entry has a check that
// runs against a single dirent (with d.Name() and d.IsDir() readily
// available) plus a label for reporting.
var sensitivePatterns = []struct {
Label string
Match func(name string, isDir bool) bool
}{
{"env file", func(name string, isDir bool) bool {
if isDir {
return false
}
low := strings.ToLower(name)
// Match `.env`, `.env.foo`, `env.local`, but NOT `.envrc`
// (envrc is direnv config, not credential storage) and NOT
// conventional templates like `.env.example`, `.env.sample`,
// `.env.template`, `.env.dist`, `.env.default` (which hold
// variable LISTS, no values).
if low == ".env" {
return true
}
if !strings.HasPrefix(low, ".env.") && !strings.HasPrefix(low, "env.local") {
return false
}
if isEnvTemplate(low) {
return false
}
return true
}},
{"private key", func(name string, isDir bool) bool {
if isDir {
return false
}
low := strings.ToLower(name)
if strings.HasSuffix(low, ".pem") || strings.HasSuffix(low, ".key") ||
strings.HasSuffix(low, ".crt") || strings.HasSuffix(low, ".p12") ||
strings.HasSuffix(low, ".pfx") {
return true
}
// SSH private-key default names.
if name == "id_rsa" || name == "id_ed25519" || name == "id_ecdsa" || name == "id_dsa" {
return true
}
return false
}},
{"credentials file", func(name string, isDir bool) bool {
if isDir {
return false
}
low := strings.ToLower(name)
// Match credential-y filenames without being too aggressive.
// "credentials" as a substring is fine (e.g. ".aws_credentials")
// but we'd rather not flag every "secret-something.go" source
// file. Restrict "secret" matches to filenames that look like
// data, not source.
if strings.Contains(low, "credentials") {
return true
}
if strings.HasSuffix(low, ".secret") || strings.HasSuffix(low, ".secrets") {
return true
}
return false
}},
{"shell secrets", func(name string, isDir bool) bool {
if isDir {
return false
}
return name == ".netrc" || name == ".pgpass"
}},
{"password vault", func(name string, isDir bool) bool {
if isDir {
return false
}
low := strings.ToLower(name)
return strings.HasSuffix(low, ".kdbx") || strings.HasSuffix(low, ".kbdx")
}},
{"credentials directory", func(name string, isDir bool) bool {
if !isDir {
return false
}
switch name {
case ".ssh", ".aws", ".kube", ".gcloud", ".azure", ".docker":
return true
}
return false
}},
}
// envTemplateSuffixes lists conventional .env template suffixes that
// hold variable names without values — `.env.example`, `.env.sample`,
// etc. Skipped during the sensitive scan to keep the banner honest;
// real credential files (.env, .env.production, .env.local) still
// match.
var envTemplateSuffixes = []string{
".example",
".sample",
".template",
".dist",
".default",
}
func isEnvTemplate(low string) bool {
for _, suf := range envTemplateSuffixes {
if strings.HasSuffix(low, suf) {
return true
}
}
return false
}
// scanLimit caps the number of dir entries inspected. Prevents a
// pathological case (cwd handed a giant temp dir, /tmp with thousands
// of files, etc.) from making the safety scan slow.
const scanLimit = 1000
// ScanCWDForSensitive walks the cwd's top level (no recursion) and
// returns sensitive matches. Conservative by design: only matches the
// rules in sensitivePatterns. Bounded to scanLimit entries to keep
// the safety check fast even in pathological directories.
//
// Results are sorted by path for deterministic ordering — both the
// banner and the tests rely on this.
func ScanCWDForSensitive(cwd string) []Match {
entries, err := os.ReadDir(cwd)
if err != nil {
return nil
}
var matches []Match
for i, entry := range entries {
if i >= scanLimit {
break
}
name := entry.Name()
isDir := entry.IsDir()
for _, p := range sensitivePatterns {
if p.Match(name, isDir) {
matches = append(matches, Match{
Path: filepath.Join(cwd, name),
Reason: p.Label,
})
break
}
}
}
sort.Slice(matches, func(i, j int) bool {
return matches[i].Path < matches[j].Path
})
return matches
}
internal/safety/sensitive_test.go
+157
View File
@@ -0,0 +1,157 @@
package safety
import (
"os"
"path/filepath"
"sort"
"testing"
)
func TestScanCWDForSensitive_Matches(t *testing.T) {
dir := t.TempDir()
// Sensitive files we expect to flag.
sensitive := []string{
".env",
".env.local",
"id_rsa",
"private.pem",
"aws_credentials",
".netrc",
"vault.kdbx",
}
// Non-sensitive control files.
control := []string{
".envrc", // direnv config, not a credential
"main.go",
"README.md",
"secret_handler.go", // source code, not data
}
for _, f := range sensitive {
if err := os.WriteFile(filepath.Join(dir, f), []byte("x"), 0o600); err != nil {
t.Fatal(err)
}
}
for _, f := range control {
if err := os.WriteFile(filepath.Join(dir, f), []byte("x"), 0o600); err != nil {
t.Fatal(err)
}
}
// Sensitive directory.
if err := os.MkdirAll(filepath.Join(dir, ".ssh"), 0o700); err != nil {
t.Fatal(err)
}
matches := ScanCWDForSensitive(dir)
wantNames := append([]string{}, sensitive...)
wantNames = append(wantNames, ".ssh")
sort.Strings(wantNames)
gotNames := make([]string, 0, len(matches))
for _, m := range matches {
gotNames = append(gotNames, filepath.Base(m.Path))
}
sort.Strings(gotNames)
if len(gotNames) != len(wantNames) {
t.Errorf("matched %d files (%v), want %d (%v)", len(gotNames), gotNames, len(wantNames), wantNames)
}
for i, n := range wantNames {
if i >= len(gotNames) || gotNames[i] != n {
t.Errorf("match[%d] = %q, want %q (got=%v want=%v)", i, gotNames[i], n, gotNames, wantNames)
}
}
}
func TestScanCWDForSensitive_EmptyDir(t *testing.T) {
dir := t.TempDir()
matches := ScanCWDForSensitive(dir)
if len(matches) != 0 {
t.Errorf("empty dir matched %v, want none", matches)
}
}
func TestScanCWDForSensitive_PrecisionNoFalsePositives(t *testing.T) {
dir := t.TempDir()
// Files that look credential-y but conventionally hold no
// secrets — must NOT be flagged.
control := []string{
".envrc", // direnv config
"secret_handler.go", // source code
".env.example", // template
".env.sample", // template
".env.template", // template
".env.dist", // template
".env.default", // template
"env.local.example", // template
}
for _, name := range control {
if err := os.WriteFile(filepath.Join(dir, name), []byte("x"), 0o600); err != nil {
t.Fatal(err)
}
}
matches := ScanCWDForSensitive(dir)
if len(matches) != 0 {
names := make([]string, 0, len(matches))
for _, m := range matches {
names = append(names, filepath.Base(m.Path))
}
t.Errorf("precision regression: none of %v should flag, got %v", control, names)
}
}
func TestScanCWDForSensitive_RealEnvFilesStillMatch(t *testing.T) {
dir := t.TempDir()
// Real env files (non-template) must still be flagged.
real := []string{
".env",
".env.local",
".env.production",
".env.staging",
"env.local",
"env.local.production",
}
for _, name := range real {
if err := os.WriteFile(filepath.Join(dir, name), []byte("API_KEY=secret"), 0o600); err != nil {
t.Fatal(err)
}
}
matches := ScanCWDForSensitive(dir)
if len(matches) != len(real) {
got := make([]string, 0, len(matches))
for _, m := range matches {
got = append(got, filepath.Base(m.Path))
}
t.Errorf("expected %d real env files flagged, got %d (%v)", len(real), len(matches), got)
}
}
func TestScanCWDForSensitive_BoundedScan(t *testing.T) {
dir := t.TempDir()
// Populate just over the scan limit. The function should not panic
// or hang. Result count is at most scanLimit (matches may be 0 if
// the entries beyond the cap happen to be sensitive — that's OK,
// the bound is a safety knob, not a correctness one).
for i := 0; i < scanLimit+10; i++ {
if err := os.WriteFile(filepath.Join(dir, "file"+itoa(i)), []byte("x"), 0o600); err != nil {
t.Fatal(err)
}
}
_ = ScanCWDForSensitive(dir) // mustn't panic
}
// itoa avoids importing strconv just for one use.
func itoa(n int) string {
if n == 0 {
return "0"
}
var buf [20]byte
i := len(buf)
for n > 0 {
i--
buf[i] = byte('0' + n%10)
n /= 10
}
return string(buf[i:])
}
internal/security/audit.go
+121
View File
@@ -0,0 +1,121 @@
package security
import (
"encoding/json"
"log/slog"
"os"
"path/filepath"
"sync"
"time"
)
// AuditEvent records a single firewall action (block / redact / sanitize)
// in a structured form intended for per-session post-mortem grepping.
//
// Discipline: this struct must never carry the raw bytes of any matched
// secret. The Pattern field names the matcher (e.g. "anthropic_api_key",
// "high_entropy"); TokenLen carries the length of the offending token so
// the user can recognise it in a transcript without re-leaking it.
type AuditEvent struct {
// Timestamp is the wall-clock time of the event in UTC.
Timestamp time.Time `json:"ts"`
// Action is one of: "block", "redact", "warn", "unicode_sanitize".
Action string `json:"action"`
// Pattern is the human-readable matcher name (regex tag or
// "high_entropy" / "unicode"). Never the matched bytes themselves.
Pattern string `json:"pattern,omitempty"`
// Source describes where in the data flow the event fired —
// "message_text", "tool_result", "tool_call_args",
// "system_prompt", etc.
Source string `json:"source,omitempty"`
// TokenLen is the length of the offending token (or chars
// changed for unicode_sanitize). Length only, never the bytes.
TokenLen int `json:"token_len,omitempty"`
}
// AuditLogger appends AuditEvent records to a per-session JSON Lines
// file. Safe for concurrent use. Writes are skipped while incognito
// mode is active so the no-persistence contract is honoured.
//
// A nil *AuditLogger is a valid no-op — callers can use the same
// `audit.Record(...)` shape whether or not auditing is configured.
type AuditLogger struct {
path string
incognito *IncognitoMode
logger *slog.Logger
mu sync.Mutex
}
// AuditLoggerConfig controls how AuditLogger is constructed.
type AuditLoggerConfig struct {
// Path is the full filesystem path to write JSONL events to.
// Parent directories are created lazily on first successful Record.
Path string
// Incognito gates writes; when active, Record is a no-op.
// Optional — pass nil to always persist.
Incognito *IncognitoMode
// Logger receives one Warn per write failure so the user sees
// disk-full / permission errors instead of silently losing
// audit records. Defaults to slog.Default() when nil.
Logger *slog.Logger
}
// NewAuditLogger builds an AuditLogger. Pass a zero Path to disable
// auditing (returns nil).
func NewAuditLogger(cfg AuditLoggerConfig) *AuditLogger {
if cfg.Path == "" {
return nil
}
logger := cfg.Logger
if logger == nil {
logger = slog.Default()
}
return &AuditLogger{
path: cfg.Path,
incognito: cfg.Incognito,
logger: logger,
}
}
// Record appends an event to the audit log. Safe to call on a nil
// receiver (no-op). Skipped silently when incognito is active.
// Write failures are logged at Warn level but do not propagate to
// the caller — auditing is best-effort and must not crash the
// scanner pipeline.
func (a *AuditLogger) Record(ev AuditEvent) {
if a == nil {
return
}
if a.incognito != nil && a.incognito.Active() {
return
}
if ev.Timestamp.IsZero() {
ev.Timestamp = time.Now().UTC()
}
a.mu.Lock()
defer a.mu.Unlock()
if err := os.MkdirAll(filepath.Dir(a.path), 0o700); err != nil {
a.logger.Warn("audit: mkdir failed", "path", a.path, "err", err)
return
}
f, err := os.OpenFile(a.path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600)
if err != nil {
a.logger.Warn("audit: open failed", "path", a.path, "err", err)
return
}
defer f.Close()
if err := json.NewEncoder(f).Encode(ev); err != nil {
a.logger.Warn("audit: encode failed", "path", a.path, "err", err)
}
}
// Path returns the file path the logger writes to. Empty when the
// logger is disabled (nil receiver returns "").
func (a *AuditLogger) Path() string {
if a == nil {
return ""
}
return a.path
}
internal/security/audit_test.go
+139
View File
@@ -0,0 +1,139 @@
package security
import (
"bufio"
"encoding/json"
"os"
"path/filepath"
"strings"
"testing"
)
func readAuditLines(t *testing.T, path string) []AuditEvent {
t.Helper()
f, err := os.Open(path)
if err != nil {
t.Fatalf("open audit log: %v", err)
}
defer f.Close()
var events []AuditEvent
sc := bufio.NewScanner(f)
for sc.Scan() {
var ev AuditEvent
if err := json.Unmarshal(sc.Bytes(), &ev); err != nil {
t.Fatalf("decode line %q: %v", sc.Text(), err)
}
events = append(events, ev)
}
if err := sc.Err(); err != nil {
t.Fatalf("scan audit log: %v", err)
}
return events
}
func TestAuditLogger_NilReceiverIsNoop(t *testing.T) {
var a *AuditLogger
// Must not panic.
a.Record(AuditEvent{Action: "block"})
}
func TestAuditLogger_DisabledWhenPathEmpty(t *testing.T) {
a := NewAuditLogger(AuditLoggerConfig{})
if a != nil {
t.Errorf("expected nil logger for empty path, got %v", a)
}
}
func TestAuditLogger_AppendsJSONLines(t *testing.T) {
dir := t.TempDir()
path := filepath.Join(dir, "audit.jsonl")
a := NewAuditLogger(AuditLoggerConfig{Path: path})
if a == nil {
t.Fatal("expected non-nil logger")
}
a.Record(AuditEvent{Action: "block", Pattern: "anthropic_api_key", Source: "tool_result", TokenLen: 51})
a.Record(AuditEvent{Action: "redact", Pattern: "high_entropy", Source: "message_text", TokenLen: 42})
events := readAuditLines(t, path)
if len(events) != 2 {
t.Fatalf("expected 2 events, got %d", len(events))
}
if events[0].Action != "block" || events[0].Pattern != "anthropic_api_key" {
t.Errorf("event 0 = %+v", events[0])
}
if events[0].Timestamp.IsZero() {
t.Error("event 0 missing timestamp")
}
if events[1].Action != "redact" || events[1].TokenLen != 42 {
t.Errorf("event 1 = %+v", events[1])
}
}
func TestAuditLogger_SkipsUnderIncognito(t *testing.T) {
dir := t.TempDir()
path := filepath.Join(dir, "audit.jsonl")
incog := NewIncognitoMode()
a := NewAuditLogger(AuditLoggerConfig{Path: path, Incognito: incog})
incog.Activate()
a.Record(AuditEvent{Action: "block", Pattern: "x"})
if _, err := os.Stat(path); !os.IsNotExist(err) {
t.Errorf("expected audit file to not exist under incognito, got err=%v", err)
}
incog.Deactivate()
a.Record(AuditEvent{Action: "block", Pattern: "y"})
events := readAuditLines(t, path)
if len(events) != 1 {
t.Fatalf("expected 1 event after deactivate, got %d", len(events))
}
if events[0].Pattern != "y" {
t.Errorf("expected pattern=y (incognito event dropped), got %q", events[0].Pattern)
}
}
func TestAuditLogger_CreatesParentDir(t *testing.T) {
dir := t.TempDir()
path := filepath.Join(dir, "deeply", "nested", "audit.jsonl")
a := NewAuditLogger(AuditLoggerConfig{Path: path})
a.Record(AuditEvent{Action: "block"})
if _, err := os.Stat(path); err != nil {
t.Errorf("expected audit file at %s, got err=%v", path, err)
}
}
func TestFirewall_RecordsRedactionToAudit(t *testing.T) {
dir := t.TempDir()
auditPath := filepath.Join(dir, "audit.jsonl")
audit := NewAuditLogger(AuditLoggerConfig{Path: auditPath})
fw := NewFirewall(FirewallConfig{
ScanOutgoing: true,
ScanToolResults: true,
Audit: audit,
})
// Anthropic key prefix is a built-in redact pattern; emit it
// through the tool-result scanning path.
cleaned := fw.ScanToolResult("here is the key sk-ant-abcdef1234567890abcdef1234567890abcdef")
if !strings.Contains(cleaned, "[REDACTED]") {
t.Errorf("expected [REDACTED] in cleaned content, got %q", cleaned)
}
events := readAuditLines(t, auditPath)
var sawAnthropicRedact bool
for _, ev := range events {
if ev.Action == "redact" && ev.Pattern == "anthropic_api_key" && ev.Source == "tool_result" {
sawAnthropicRedact = true
if ev.TokenLen == 0 {
t.Errorf("expected non-zero TokenLen on redact event, got %+v", ev)
}
}
}
if !sawAnthropicRedact {
t.Errorf("expected an anthropic_api_key redact event in audit log, got %+v", events)
}
}
internal/security/firewall.go
+36
View File
@@ -14,6 +14,7 @@ type Firewall struct {
scanner *Scanner
incognito *IncognitoMode
logger *slog.Logger
audit *AuditLogger // optional; nil = no per-session audit log
// Config
scanOutgoing bool
@@ -27,6 +28,11 @@ type FirewallConfig struct {
EntropyThreshold float64
EntropySafelist []string
Logger *slog.Logger
// Audit is the optional per-session audit logger. Set via
// SetAudit after the session ID is known — the firewall is
// typically constructed before the session ID is generated.
// nil is safe; auditing simply turns into a no-op.
Audit *AuditLogger
}
func NewFirewall(cfg FirewallConfig) *Firewall {
@@ -50,11 +56,20 @@ func NewFirewall(cfg FirewallConfig) *Firewall {
scanner: scanner,
incognito: NewIncognitoMode(),
logger: logger,
audit: cfg.Audit,
scanOutgoing: cfg.ScanOutgoing,
scanToolResults: cfg.ScanToolResults,
}
}
// SetAudit attaches an AuditLogger after construction. The firewall
// is typically built before the session ID exists, so callers usually
// construct the AuditLogger later and inject it via this setter.
// Pass nil to disable auditing.
func (f *Firewall) SetAudit(a *AuditLogger) {
f.audit = a
}
// Incognito returns the incognito mode controller.
func (f *Firewall) Incognito() *IncognitoMode {
return f.incognito
@@ -131,7 +146,16 @@ func (f *Firewall) scanMessage(m message.Message) message.Message {
func (f *Firewall) scanAndRedact(content, source string) string {
// Unicode sanitization first
originalLen := len(content)
content = SanitizeUnicode(content)
if delta := originalLen - len(content); delta != 0 {
f.audit.Record(AuditEvent{
Action: "unicode_sanitize",
Pattern: "unicode",
Source: source,
TokenLen: delta,
})
}
// Secret scanning
matches := f.scanner.Scan(content)
@@ -146,6 +170,12 @@ func (f *Firewall) scanAndRedact(content, source string) string {
"pattern", m.Pattern,
"source", source,
)
f.audit.Record(AuditEvent{
Action: "block",
Pattern: m.Pattern,
Source: source,
TokenLen: m.End - m.Start,
})
return "[BLOCKED: content contained a secret]"
default:
f.logger.Debug("secret redacted",
@@ -153,6 +183,12 @@ func (f *Firewall) scanAndRedact(content, source string) string {
"action", m.Action,
"source", source,
)
f.audit.Record(AuditEvent{
Action: string(m.Action),
Pattern: m.Pattern,
Source: source,
TokenLen: m.End - m.Start,
})
}
}
internal/tui/app.go
+23 -1
View File
@@ -1403,6 +1403,28 @@ func (m Model) handleCommand(cmd string) (tea.Model, tea.Cmd) {
m.injectSystemContext(msg)
return m, nil
case "/router":
if m.config.Router == nil {
m.messages = append(m.messages, chatMessage{role: "error", content: "router not configured"})
return m, nil
}
if args == "" || args == "help" {
current := m.config.Router.PreferPolicy().String()
m.messages = append(m.messages, chatMessage{role: "system",
content: fmt.Sprintf("router.prefer = %s\nUsage: /router <auto|local|cloud>\n auto — no bias; tier order + Strengths decide\n local — cloud arms demoted; locals win when feasible\n cloud — local arms demoted; cloud arms win (except tier-0 SLM)", current)})
return m, nil
}
policy, err := router.ParsePreferPolicy(args)
if err != nil {
m.messages = append(m.messages, chatMessage{role: "error", content: err.Error()})
return m, nil
}
m.config.Router.SetPreferPolicy(policy)
msg := fmt.Sprintf("router.prefer = %s (runtime override; not written to config)", policy.String())
m.messages = append(m.messages, chatMessage{role: "system", content: msg})
m.injectSystemContext(msg)
return m, nil
case "/profile":
if args == "" {
m = m.closeAllPickers()
@@ -1532,7 +1554,7 @@ func (m Model) handleCommand(cmd string) (tea.Model, tea.Cmd) {
return m, nil
}
m.messages = append(m.messages, chatMessage{role: "system",
content: "Commands:\n /init generate or update AGENTS.md project docs\n /clear, /new clear chat and start new conversation\n /config show current config\n /incognito toggle incognito (Ctrl+X)\n /keys show keyboard shortcuts\n /model [name] list/switch models\n /permission [mode] set permission mode (Shift+Tab to cycle)\n /plugins list installed plugins\n /profile [name] list profiles / switch (re-execs gnoma)\n /provider show current provider\n /replay scroll to top to re-read conversation\n /resume [id] list or restore saved sessions\n /shell [cmd] open interactive shell (or run cmd in shell)\n /skills list loaded skills\n /usage show token usage and cost\n /help show this help\n /quit exit gnoma\n\nSkills (use /<name> [args] to invoke):\n Add .md files with YAML front matter to .gnoma/skills/ or ~/.config/gnoma/skills/"})
content: "Commands:\n /init generate or update AGENTS.md project docs\n /clear, /new clear chat and start new conversation\n /config show current config\n /incognito toggle incognito (Ctrl+X)\n /keys show keyboard shortcuts\n /model [name] list/switch models\n /permission [mode] set permission mode (Shift+Tab to cycle)\n /plugins list installed plugins\n /profile [name] list profiles / switch (re-execs gnoma)\n /provider show current provider\n /replay scroll to top to re-read conversation\n /resume [id] list or restore saved sessions\n /router [mode] show or set routing preference (auto/local/cloud)\n /shell [cmd] open interactive shell (or run cmd in shell)\n /skills list loaded skills\n /usage show token usage and cost\n /help show this help\n /quit exit gnoma\n\nSkills (use /<name> [args] to invoke):\n Add .md files with YAML front matter to .gnoma/skills/ or ~/.config/gnoma/skills/"})
return m, nil
case "/keys":
internal/tui/completions.go
+35 -5
View File
@@ -22,7 +22,10 @@ var builtinCommands = []cmdEntry{
{"/exit", "exit gnoma"},
{"/help", "show available commands and shortcuts"},
{"/incognito", "toggle incognito mode (no persistence, local-only routing)"},
{"/init", "initialize project — create AGENTS.md"},
// /init is provided by the bundled skill at
// internal/skill/skills/init.md; do not duplicate it here. The dedup
// in completionSource() would skip a duplicate entry anyway, but
// omitting it keeps the source-of-truth single.
{"/keys", "show keyboard shortcuts"},
{"/model", "list or switch active model"},
{"/new", "start a new conversation"},
@@ -34,6 +37,7 @@ var builtinCommands = []cmdEntry{
{"/quit", "quit gnoma"},
{"/replay", "replay last assistant response"},
{"/resume", "browse and resume a saved session"},
{"/router", "show or set routing preference (auto/local/cloud)"},
{"/shell", "open interactive shell"},
{"/theme", "list themes or set active theme"},
{"/skills", "list available skills"},
@@ -46,11 +50,27 @@ var permissionModes = []string{
"auto", "default", "accept_edits", "bypass", "deny", "plan",
}
// completionSource builds a sorted command list from builtins + skills.
func completionSource(skills *skill.Registry) []cmdEntry {
entries := make([]cmdEntry, len(builtinCommands))
copy(entries, builtinCommands)
// routerPreferModes lists valid values for /router completion.
var routerPreferModes = []string{"auto", "local", "cloud"}
// completionSource builds a sorted command list from builtins + skills.
// Skill names shadow builtin names so a skill (bundled or user-defined)
// can replace a static entry without producing a duplicate in the picker.
func completionSource(skills *skill.Registry) []cmdEntry {
skillNames := make(map[string]struct{})
if skills != nil {
for _, s := range skills.All() {
skillNames["/"+s.Frontmatter.Name] = struct{}{}
}
}
entries := make([]cmdEntry, 0, len(builtinCommands)+len(skillNames))
for _, c := range builtinCommands {
if _, shadowed := skillNames[c.name]; shadowed {
continue
}
entries = append(entries, c)
}
if skills != nil {
for _, s := range skills.All() {
desc := s.Frontmatter.Description
@@ -150,6 +170,16 @@ func matchArgCompletion(input string, profileNames []string, providerNames []str
return cmd + " " + mode
}
}
case "/router":
if arg == "" {
return ""
}
lower := strings.ToLower(arg)
for _, mode := range routerPreferModes {
if strings.HasPrefix(mode, lower) && mode != arg {
return cmd + " " + mode
}
}
case "/profile":
if arg == "" || len(profileNames) == 0 {
return ""