fix: offline inspection mode for Glama tool detection#14
Merged
Conversation
When the BoJ REST API is unreachable (e.g. during Glama cloud inspection), the MCP bridge now returns static cartridge data instead of errors. All 5 tools respond gracefully: - boj_health: returns offline status with startup hint - boj_menu: returns full 18-cartridge manifest from embedded data - boj_cartridges: returns cartridge list - boj_cartridge_info: returns cartridge details from manifest - boj_cartridge_invoke: returns helpful error with startup hint This ensures Glama can inspect and detect tools even when running the server in their cloud where the local REST API doesn't exist. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
hyperpolymath
added a commit
that referenced
this pull request
Apr 19, 2026
Engine emits candidate envelopes INTO the quarantine (server-origin,
sender_idx=0xFE sentinel) for supervisor review via the existing
coord_review + coord_approve / coord_reject flow. Never auto-modifies
affinities.
New FFI + tools:
coord_set_declared_affinities(token, tags_csv) — self-reported strengths
coord_scan_suggestions(token) — runs scan, enqueues candidates
Scanner rules:
overclaim: avg_confidence >= 80% AND effective_affinity < 30% -> op_kind=fyi
promote: effective_affinity >= 70% AND tag not declared -> op_kind=fyi
remove: effective_affinity <= 20% AND attempts >= 5 -> op_kind=clarify
coord_report_outcome now takes an optional confidence_pct (8th arg,
-1 for unset). Log format extends track_update with a trailing
confidence byte (backward-compatible via length-check). coord_register
accepts an optional declared_affinities array.
coord_review adapter output adds an "origin" field
("peer" | "server-engine") so supervisors can tell engine-synthesised
suggestions from real peer messages.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
that referenced
this pull request
Apr 19, 2026
Zero-code convention for routing proof-sized tasks: proof:lean4 / proof:agda / proof:idris2 / proof:rocq / proof:tla / proof:echidna / proof:spark New section in envelope-design.adoc explains how peers advertise per- prover strengths via coord_register's declared_affinities (Task #14) and how the scheduler tie-breaks via max(confidence * effective_affinity) using the existing Task #13 machinery — no new server code. Worked example in schemas/examples/prover-tag-claim.ncl: a claim envelope for "proof:agda/category-pullback-universal" with difficulty_hint=high + task_difficulty=novel + sender_confidence, validated against the Nickel contracts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
3 tasks
hyperpolymath
added a commit
that referenced
this pull request
May 20, 2026
…rds#92) (#102) ## Summary Surfaced by the Phase 2 ABI drift gate spot-check (iseriser/PR #14): `Oo7Mcp.SafeCli.ToolRisk` (5 tiers, `tierToInt` encoding 0–4) is declared in the Idris2 ABI but absent from `oo7_mcp_ffi.zig`. Adds the matching `pub const ToolRisk = enum(c_int)` with the encoding verified by `iseriser abi-verify` (exit 0 after this fix; was DRIFT before). ## Scope ABI parity only. Risk-tier *enforcement* (`categoryDefaultRisk` / `riskPromotion` from SafeCli) is currently Idris2-only — the Zig dispatcher does not yet gate on this enum. Wiring risk gates into the dispatcher is a separate follow-up; this PR keeps the change minimal so the Phase 2 gate can promote 007-mcp to its allowlist. ## Before / After ``` $ iseriser abi-emit-manifest --idris cartridges/007-mcp/abi/Oo7Mcp/SafeCli.idr \ --cartridge 007-mcp --source-path SafeCli.idr --out /tmp/007.json abi-emit-manifest: wrote /tmp/007.json (2 enums, 0 transitions) $ iseriser abi-verify --manifest /tmp/007.json \ --zig-ffi cartridges/007-mcp/ffi/oo7_mcp_ffi.zig # BEFORE: [enum-missing-in-zig] manifest declares enum `ToolRisk` but the Zig FFI has no `pub const ToolRisk = enum(c_int)` declaration # AFTER: abi-verify: OK — cartridge `007-mcp` ABI manifest agrees with `…/oo7_mcp_ffi.zig` ``` ## Test plan - [x] `iseriser abi-verify` → exit 0 - [x] `zig build test` (cartridges/007-mcp/ffi/) → 8/8 green - [ ] reviewer: confirm the documentation in the new enum's block-comment is accurate (mirrors `SafeCli.idr` lines 150-169 — 5 tiers, Tier 4 reserved-only-not-used) Refs hyperpolymath/standards#92 Refs hyperpolymath/standards#89 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Merged
4 tasks
hyperpolymath
added a commit
that referenced
this pull request
Jun 8, 2026
…ards#91 / #100) Refreshes docs/integration/hcg-tier2-rollout-runbook.md from v0.1 (draft, 2026-05-20, pre Phase-D) to v0.2 reflecting the current state of the single-lane channel rooted at standards#91: - §1.1 Phase D deliverables: tick D-1..D-3 + D-4 bootstrap with http-capability-gateway PR refs (#12 / #14 / #22 / #26 / #30) and the boj-server D-1 load-profile (#168) that joint-closed standards#99 on 2026-06-01. The one remaining open item is the owner-driven perf-rebaseline workflow dispatch + `_status: scaffold-placeholder -> active` flip; called out explicitly rather than left as a stale unchecked checkbox. - §1.4 BoJ-side prereqs: tick the three loopback-bind layers (#130 / #131 / #132), the Phase C TrustPolicy clause (#106), the NetworkPolicy (#173), and the SSE-route policy coverage (#165). The Trustfile `tier_2_gateway.status: PENDING` line stays intentionally unchecked - it's the §6.4 last-action target. - §1.5 Gateway-side prereqs: tick the new `container/gateway-deploy.k9.ncl` from http-capability-gateway#38 (2026-06-03), record what stays PLACEHOLDER until cerro-torre signing runs, and expand the smoke-test entry with the concrete allow/deny sequence boj-server#165 deferred. - Header banner: replace the stale "Phase D has merged the scaffold only" Phase-D-dependency note with a current-state summary, bump version 0.1 -> 0.2, date 2026-05-20 -> 2026-06-08. - CHANGELOG.md: Documentation entry under [Unreleased] summarising the refresh. No code, infrastructure, or runtime behaviour changes. The runbook is the operator-facing source of truth for what's gating the next Phase E owner action; the drift it had was making "what's still open" harder to read at a glance. Refs hyperpolymath/standards#91 Refs hyperpolymath/standards#100 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
5 tasks
hyperpolymath
added a commit
that referenced
this pull request
Jun 9, 2026
) ## Summary Lands `config/gateway-policy-boj.yaml` — the **live** Verb Governance Spec the HCG tier-2 gateway loads via `POLICY_PATH` in staging (§2.1) and production (§3.1) per the rollout runbook. The Phase A worked example (`config/gateway-policy-boj-example.yaml`) is retained as the documentation artefact; the live file is now the operational one. Closes the example→live promotion item on the Phase E §1.5 checklist. Single-lane HCG tier-2 channel (`standards#91`). Phase A (#96), B (#97), C (#98), D (#99) are joint-closed; Phase E (`standards#100`) is the active phase, with multiple artefacts gating closure (§6.4 Trustfile flip is the last). This PR lands one tractable artefact; staging soak (§2), production traffic split (§3) and the §6.4 flip remain owner-driven. ## What this PR lands - **`config/gateway-policy-boj.yaml`** — live policy file. Content-identical to `gateway-policy-boj-example.yaml` at promotion time. Header rewritten to reflect its live-file role (operational artefact, not pedagogical), with `DEFAULT-DENY INVARIANT` reframed from "Phase A check" to "permanent invariant — must hold for every future gateway release". DSL v1 conformance preserved; all 28 routes (`global_verbs: [GET, POST]`; per-route `verbs`, `exposure`, `name`, `narrative`; `stealth_profile` on internal routes; top-level `stealth: { enabled: true, status_code: 404 }`) carried forward unchanged. - **Runbook §1.5** — flips the trailing "still to be promoted from this example before §3.1" note (on the existing `[x]` example-in-place line) to a discrete `[x]` item recording the live file's existence and the divergence policy ("future BoJ-surface evolution lands in the live file; the example remains as the worked-example artefact"). - **Runbook §2.1 step 2** — switches staging `POLICY_PATH` from the example to the live file so staging exercises the same artefact that production will. Production §3.1 (which inherits §2.1's environment with the traffic-shift mechanism overlaid) needs no change. - **Runbook header** — version 0.2 → 0.3; status line updated to acknowledge the live-policy promotion. ## What this PR deliberately does NOT do - **Close `standards#100`.** Per runbook §6.5 the joint-close happens after the §6.4 Trustfile flip (`tier_2_gateway.status: PENDING → DEPLOYED`), which itself follows the §3.3 100% production-soak window. Using `Refs` not `Closes` to match the established Phase E pattern (PRs #38, and Phase D PRs #14, #22, #26, #30 — all `Refs`'d their phase issue and the owner joint-closed the issue once the final artefact landed). This deliberately diverges from the dispatch brief's literal "Closes hyperpolymath/standards#<phase-issue-number>" line in favour of the canonical runbook §6.5 close-out discipline that the brief itself points to as the source of truth ("using the canonical sources"). The owner remains the sole closer of `standards#100`. - **Touch the HCG deploy spec.** `container/gateway-deploy.k9.ncl` in `hyperpolymath/http-capability-gateway` (PR #38) reads `POLICY_PATH` at deploy time from the env, so the live-file cut-over is a runbook + config artefact change on the BoJ side, not a deploy-spec change on the gateway side. No companion PR on the gateway repo. - **Diverge the live file from the example.** At promotion the two files are content-identical. Future divergence is intentional and the live file is authoritative; the example may be intentionally simpler. - **Trigger any deploy.** No traffic shift, no staging cut-over, no §6.4 flip happens at merge time. This is a static artefact landing. - **Update the deploy spec's `POLICY_PATH` default.** The deploy spec carries env-var declarations; the live-file path is operator-supplied at deploy time. ## Verification - [x] DSL v1 conformance: `dsl_version: "1"`; `governance.global_verbs` is `[GET, POST]`; every route has a non-empty `verbs`; `exposure ∈ {public, authenticated, internal}`; `stealth.enabled` boolean, `stealth.status_code: 404` in 100..599. - [x] All 28 example routes preserved unchanged in the live file (route count, `name`s, paths, verbs, exposures, narratives). - [x] SPDX header `MPL-2.0` matches repo convention (config/, docs/). - [x] Runbook §1.5 and §2.1 cross-references to `gateway-policy-boj.yaml` and `gateway-policy-boj-example.yaml` resolve. - [ ] Manual: `mix gateway.validate config/gateway-policy-boj.yaml` (gateway-side; can be run by the operator before §2.1 stand-up — see runbook §1.5 last open item, smoke-test). ## Channel position ``` standards#91 (parent, open) ├── #96 Phase A — closed (boj-server: contract + policy-authoring + example; gateway: -) ├── #97 Phase B — closed (gateway#10: mTLS primary path) ├── #98 Phase C — closed (gateway#11: strip; boj-server#106: TrustPolicy clause) ├── #99 Phase D — closed (boj-server#168 on 2026-06-01; gateway#12/#14/#22/#26/#30) └── #100 Phase E — IN PROGRESS ├── E5 runbook draft — boj-server#128 (landed; rehearsal pending) ├── E1 loopback prereqs — boj-server#130/#131/#132/#165/#173 (landed) ├── E1 deploy spec — http-capability-gateway#38 (landed) ├── E1 live policy promotion — THIS PR (in review) ├── E1 .ctp signing — owner follow-up ├── E2 staging cut-over — owner follow-up ├── E3 telemetry verification — owner follow-up ├── E4 production rollout — owner follow-up └── §6.4 Trustfile flip + §6.5 joint-close — owner-only ``` Refs hyperpolymath/standards#91 Refs hyperpolymath/standards#100 🤖 Generated with [Claude Code](https://claude.com/claude-code) --- _Generated by [Claude Code](https://claude.ai/code/session_012FiVM8R8FWBgBsUGpnXTZM)_ Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Context
Glama runs inspection in their cloud where localhost:7700 doesn't exist. Previously, tool calls would fail. Now they return the static manifest data, allowing Glama to detect and catalogue all tools.
Test plan
BOJ_URL=http://localhost:1(unreachable)🤖 Generated with Claude Code