managarten

till/managarten

Fork 0

mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-14 20:21:09 +02:00

Commit graph

Author	SHA1	Message	Date
Till JS	e5d230e599	feat(agent-loop): M1 — policy gate + reminder channel + parallel reads Three Claude-Code-inspired primitives for runPlannerLoop, derived from the reverse-engineering reports in docs/reports/: 1. Policy gate (@mana/tool-registry) — evaluatePolicy() gates every tool dispatch: denies admin-scope, denies destructive tools not in the user's opt-in list, rate-limits per tool (30/60s default), flags prompt-injection markers in freetext without blocking. Wired into mana-mcp with a per-user rolling invocation log and POLICY_MODE env (off\|log-only\|enforce, default log-only). mana-ai uses detectInjectionMarker only — tool dispatch there is plan-only, so rate-limit/destructive checks don't apply yet. 2. Reminder channel (packages/shared-ai/src/planner/loop.ts) — new reminderChannel callback in PlannerLoopInput. Called once per round with LoopState snapshot (round, toolCallCount, usage, lastCall); returned strings wrap in <reminder> tags and inject as transient system messages into THIS LLM request only. Never pushed to messages[] — the Claude-Code <system-reminder> pattern that keeps the KV-cache prefix stable. 3. Parallel reads (loop.ts) — isParallelSafe predicate enables Promise.all dispatch when every tool_call in a round is parallel-safe, in batches of PARALLEL_TOOL_BATCH_SIZE=10. Any non-safe call downgrades the whole round to sequential. messages[] always appends in source order, never completion order, so the debug log stays linear. Default-off (undefined predicate) preserves pre-M1 behaviour. Tests: 21 new in tool-registry (policy), 9 new in shared-ai (5 parallel, 4 reminder). All 74 green, type-check clean across 4 packages. Design/plan: docs/plans/agent-loop-improvements-m1.md Reports: docs/reports/claude-code-architecture.md, docs/reports/mana-agent-improvements-from-claude-code.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-23 13:56:40 +02:00
Till JS	16c8818338	feat(mcp): M1+M1.5 MCP gateway + tool-registry + shared-crypto Foundation for autonomous Claude-driven testing. Plan: docs/plans/mana-mcp-and-personas.md. New packages - @mana/tool-registry — schema-first ToolSpec<InputSchema, OutputSchema> with zod generics, scope ('user-space' \| 'admin') and policyHint ('read' \| 'write' \| 'destructive'). sync-client helpers speak the mana-sync push/pull protocol directly so RLS and field-level LWW are preserved. MasterKeyClient fetches per-user MKs via the existing mana-auth GET /api/v1/me/encryption-vault/key endpoint (JWT-gated, ZK-aware, already audited) — no new service-key endpoint built. ZeroKnowledgeUserError surfaced as a typed throw. - @mana/shared-crypto — AES-GCM-256 primitives extracted from the web app's $lib/data/crypto/aes.ts so the server-side tool handlers and the browser produce byte-for-byte identical wire format (enc:1:{b64(iv)}.{b64(ct)}). Web app aes.ts now re-exports from shared-crypto — 5 existing importers unchanged, svelte-check stays green. New service - services/mana-mcp (:3069, Bun/Hono) — MCP Streamable HTTP gateway. JWKS auth against mana-auth, per-user session isolation (session-id belongs to the user who opened it — cross-user access returns 403), admin-scoped tools filtered out before registration. MasterKeyClient cached per process with a 5-minute TTL. 11 tools registered - habits.{create,list,update,archive}, spaces.list (plaintext, M1) - todo.{create,list,complete}, notes.{create,search}, journal.add (encrypted — field lists match apps/mana/apps/web/src/lib/data/crypto/registry.ts verbatim) Infra - Port 3069 added to docs/PORT_SCHEMA.md - services/mana-mcp/CLAUDE.md with architecture, auth model, tool-authoring recipe, local smoke-test steps - Root CLAUDE.md services list updated Type-check green across shared-crypto, mana-tool-registry, mana-mcp. svelte-check on apps/mana/apps/web stays at 0 errors / 0 warnings. Boot smoke verified: /health returns registry.loaded=true, unauthed /mcp → 401, invalid-JWT /mcp → 401 with descriptive message. Decisions locked in for later milestones (per plan D1–D10): - Personas will be real mana-auth users (users.kind='persona'), no service-key bypass (D1, D2) - Tool-registry is the SSOT; mana-ai and the legacy apps/api/src/mcp/server.ts get merged into it in M4 (three current parallel tool catalogs collapse to one) - Persona-runner (:3070) will be a separate service using the Claude Agent SDK + MCP client (D5) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-23 13:18:35 +02:00

Author

SHA1

Message

Date

Till JS

e5d230e599

feat(agent-loop): M1 — policy gate + reminder channel + parallel reads

Three Claude-Code-inspired primitives for runPlannerLoop, derived from the
reverse-engineering reports in docs/reports/:

1. **Policy gate** (@mana/tool-registry) — evaluatePolicy() gates every tool
   dispatch: denies admin-scope, denies destructive tools not in the user's
   opt-in list, rate-limits per tool (30/60s default), flags prompt-injection
   markers in freetext without blocking. Wired into mana-mcp with a
   per-user rolling invocation log and POLICY_MODE env (off|log-only|enforce,
   default log-only). mana-ai uses detectInjectionMarker only — tool dispatch
   there is plan-only, so rate-limit/destructive checks don't apply yet.

2. **Reminder channel** (packages/shared-ai/src/planner/loop.ts) — new
   reminderChannel callback in PlannerLoopInput. Called once per round with
   LoopState snapshot (round, toolCallCount, usage, lastCall); returned
   strings wrap in <reminder> tags and inject as transient system messages
   into THIS LLM request only. Never pushed to messages[] — the Claude-Code
   <system-reminder> pattern that keeps the KV-cache prefix stable.

3. **Parallel reads** (loop.ts) — isParallelSafe predicate enables
   Promise.all dispatch when every tool_call in a round is parallel-safe,
   in batches of PARALLEL_TOOL_BATCH_SIZE=10. Any non-safe call downgrades
   the whole round to sequential. messages[] always appends in source
   order, never completion order, so the debug log stays linear.
   Default-off (undefined predicate) preserves pre-M1 behaviour.

Tests: 21 new in tool-registry (policy), 9 new in shared-ai (5 parallel,
4 reminder). All 74 green, type-check clean across 4 packages.

Design/plan: docs/plans/agent-loop-improvements-m1.md
Reports: docs/reports/claude-code-architecture.md,
         docs/reports/mana-agent-improvements-from-claude-code.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-23 13:56:40 +02:00

Till JS

16c8818338

feat(mcp): M1+M1.5 MCP gateway + tool-registry + shared-crypto

Foundation for autonomous Claude-driven testing. Plan:
docs/plans/mana-mcp-and-personas.md.

New packages
- @mana/tool-registry — schema-first ToolSpec<InputSchema, OutputSchema>
  with zod generics, scope ('user-space' | 'admin') and policyHint
  ('read' | 'write' | 'destructive'). sync-client helpers speak the
  mana-sync push/pull protocol directly so RLS and field-level LWW are
  preserved. MasterKeyClient fetches per-user MKs via the existing
  mana-auth GET /api/v1/me/encryption-vault/key endpoint (JWT-gated,
  ZK-aware, already audited) — no new service-key endpoint built.
  ZeroKnowledgeUserError surfaced as a typed throw.
- @mana/shared-crypto — AES-GCM-256 primitives extracted from the web
  app's $lib/data/crypto/aes.ts so the server-side tool handlers and the
  browser produce byte-for-byte identical wire format
  (enc:1:{b64(iv)}.{b64(ct)}). Web app aes.ts now re-exports from
  shared-crypto — 5 existing importers unchanged, svelte-check stays
  green.

New service
- services/mana-mcp (:3069, Bun/Hono) — MCP Streamable HTTP gateway.
  JWKS auth against mana-auth, per-user session isolation (session-id
  belongs to the user who opened it — cross-user access returns 403),
  admin-scoped tools filtered out before registration. MasterKeyClient
  cached per process with a 5-minute TTL.

11 tools registered
- habits.{create,list,update,archive}, spaces.list (plaintext, M1)
- todo.{create,list,complete}, notes.{create,search}, journal.add
  (encrypted — field lists match
  apps/mana/apps/web/src/lib/data/crypto/registry.ts verbatim)

Infra
- Port 3069 added to docs/PORT_SCHEMA.md
- services/mana-mcp/CLAUDE.md with architecture, auth model,
  tool-authoring recipe, local smoke-test steps
- Root CLAUDE.md services list updated

Type-check green across shared-crypto, mana-tool-registry, mana-mcp.
svelte-check on apps/mana/apps/web stays at 0 errors / 0 warnings.
Boot smoke verified: /health returns registry.loaded=true, unauthed
/mcp → 401, invalid-JWT /mcp → 401 with descriptive message.

Decisions locked in for later milestones (per plan D1–D10):
- Personas will be real mana-auth users (users.kind='persona'), no
  service-key bypass (D1, D2)
- Tool-registry is the SSOT; mana-ai and the legacy
  apps/api/src/mcp/server.ts get merged into it in M4 (three current
  parallel tool catalogs collapse to one)
- Persona-runner (:3070) will be a separate service using the Claude
  Agent SDK + MCP client (D5)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-23 13:18:35 +02:00

2 commits