Build out assembly live: sandboxed --files, spoken approval, keyless tools#269
Open
alexkroman wants to merge 105 commits into
Open
Build out assembly live: sandboxed --files, spoken approval, keyless tools#269alexkroman wants to merge 105 commits into
assembly live: sandboxed --files, spoken approval, keyless tools#269alexkroman wants to merge 105 commits into
Conversation
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ict-invariance pyright rejects passing a narrowly-inferred dict literal to a dict[str, object] parameter because dict is invariant in its value type. Explicitly annotating _GEOCODE and _FORECAST as dict[str, object] widens the declared type and resolves the error without changing weather_tool.py's public interface. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…peline SDD) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…gate Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add a focused unit test for `_tool_capabilities` that asserts the exact list (both phrases, in order) when both web-search and weather tools are present — killing any mutation that drops or swaps either capability block. Also tighten `test_build_live_tools_has_weather_and_web_search_when_keyed` to assert the exact sorted set instead of two loose `in` checks, so a duplicated or extra tool is caught. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Make `_events_from_chunk`'s `verbose` parameter keyword-only (FBT001). Add `stream` to `CompiledAgent` protocol so `_stream_graph`'s `graph.stream(…)` type-checks; narrow each yielded item with `isinstance(…, tuple)` instead of unpacking blindly. Narrow `_drive_graph`'s stream chunks to `dict` before passing to `_log_flow` (the protocol change exposed that assignment). No escape hatches added; `hasattr(graph, "stream")` guard still lets invoke-only test fakes take the `invoke` branch at runtime. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…table) Add three targeted assertions to tests/test_agent_cascade_weather.py to kill surviving mutants from the diff-scoped sweep: pin count=1 in the geocode URL, add a short daily-array test that kills the and->or length-guard mutation, and add an exact-dict assertion that pins the entire _WMO_DESCRIPTIONS table. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…tests Remove the unreachable `yield # pragma: no cover` lines from the _Boom and _CliBoom stream-method fakes (a plain raising method is not a generator and works identically — the raise propagates before the for-loop iterates). Simplify _collect to drop the dead **kwargs branch (no caller passes kwargs). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add a general-purpose subagent under --files: gateway-bound (model omitted), full toolset on the sandboxed backend, own interrupt_on so its write/edit/execute also prompt y/n. Flag the genuine unknown -- whether subagent HITL surfaces through our approval loop -- as a verification spike that gates shipping; read-only subagent is the safety floor if it doesn't surface. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… 500-line gate The filler + planning-discard work and the #258 merge pushed engine.py and two test files over the 500-line file-length gate. Extract the Renderer/Player protocols and CascadeDeps into agent_cascade/_io.py (re-exported from engine), and consolidate the spoken-filler + planning-discard tests into test_agent_cascade_filler.py. Also drop the stale test_live_tui_launch.py (duplicate of this branch's test_live_tui_wiring.py) and retarget CascadeDeps.real patches at _io. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- New capability: voice y/n approval (unambiguous spoken token, fail-safe reject, keyboard fallback for risk.py-flagged destructive commands) as milestone M3 - Fix memory wiring to the idiomatic create_deep_agent(memory=) param - Fix Goal/Context contradiction (--files already edits today; new work is execute/memory/delegation/voice, not editing) - Clarify shell-rc write-deny only bites when cwd==$HOME; add bwrap --chdir - Restructure into M1 (execute+memory) / M2 (subagents) / M3 (voice approval) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…on kills) Pre-existing branch debt from concurrent WIP, not part of M1: - engine.py: __all__ re-exports CascadeDeps/Renderer/Player (mypy --no-implicit-reexport) - filler test: import AIMessageChunk from its real source, not via the brain test module - cover weather _get_json net seam, brain._decide non-dict coercion, _runtime detach early return - kill surviving mutants: frozen dataclasses (Done/Failure/Timeout/SpeechDelta/ToolNotice/ ApprovalPause), _speaking init=False, _answered guard, _decide or->and, _stream_graph gated default; text.py clause-slice +1/+2 is an equivalent mutant (pragma: no mutate) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
brain._build_fs_backend now returns SandboxedShellBackend (a SandboxBackendProtocol), so deepagents binds a functional execute; execute joins _WRITE_TOOLS/interrupt_on; --files turns on MemoryMiddleware via memory=[./.deepagents/AGENTS.md]; _TOOL_LABELS[execute]=Running code; prompt advertises running code. (A002 per-file ignore for the CompiledAgent test fake.) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ion kills - --files help string: read/write/run code, sandboxed; regenerate the run --help golden - REFERENCE.md + aai_cli/AGENTS.md: sandboxed execute + per-project memory (drop the stale 'execute is inert' / 'no shell' wording) - kill mutation survivors: sandbox _TIMEOUT_EXIT pinned to literal 124, virtual_mode default asserted; modals _answered initial-False pragma'd (behavior-tested but the mutation harness mis-selects covering tests for this Textual __init__ line) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…l cap The voice TUI rendered a turn's answer *between* tool affordances and left an empty gap above it: begin_reply (fired by reply_started, which lands during the first tool call's spoken filler) eagerly mounted the AssistantMessage, so later tool lines mounted below it and the answer streamed into the early widget. Defer the reply widget to the first streamed sentence (show_agent_sentence already mounts lazily) so the answer always lands below every tool affordance, with no placeholder gap. Also replace the brittle recursion cap with a per-turn tool-call budget: ToolCallLimitMiddleware(run_limit=CascadeConfig.tool_call_limit=10, exit_behavior="continue") wired into the deepagents middleware stack. Once the budget is hit, further tool calls are blocked and the model is forced to answer with what it gathered — a graceful stop instead of GraphRecursionError surfaced as a raw turn error. langgraph's own recursion_limit rides the deepagents default as a far-off safety net. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Apply two principles to the live cascade's generated guidance layer: - Faithful reporting: whenever tools are bound, tell the model not to claim an action happened until the tool returns, and to admit failures briefly instead of inventing an answer. - Reversibility/consent: under --files, warn that file writes and code execution can't be undone, so confirm out loud before destructive actions and never narrate a change as done before it lands. Both live in build_system_prompt (tool-aware, non-overridable) rather than the user-overridable persona. Adds tests pinning each behavior. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…to the greeting begin_reply stopped resetting _reply_msg in the prior ordering fix — it dropped the eager mount but also the reset. The greeting streams through show_agent_sentence (with no reply_done after it), so _reply_msg still pointed at the greeting when the first turn began; the answer then streamed into the greeting widget at the top, concatenating onto it and landing above the turn's tool affordances (tool calls appearing under the response). Reset _reply_msg to None in begin_reply (still deferring the mount): the next streamed sentence opens a fresh widget that mounts after the turn's tool lines, so the greeting stays its own line and the answer always renders below the tools. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Gateway-bound (no model key), full sandboxed tools (no tools key), interrupt_on mirrors the caller's write tools so the subagent's own mutations stay gated. Includes the M2 plan. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Formalizes the resolved HITL spike: a real deepagents graph with a gated general-purpose subagent; the subagent's write pauses through build_streamer/_pending_writes/the approver, lands on approve, is skipped on reject. Ignore the deepagents-boundary test in tests-pyright (mirrors test_agent_cascade_brain/prompt/model). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…agent (M2) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pure phrase grammar for the hands-free approval gate: only an unambiguous action-bearing affirmative approves; bare yes, negations, unrelated/empty speech all reject. The risk-tier keyboard fallback lives in the engine wiring (next). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
resolve_approval(): destructive tier (risk.risk_warning fires) -> keyboard only; otherwise the engine's injected race outcome resolves it (keypress verbatim, spoken token via the grammar, timeout/ambiguous -> reject). Concurrency stays behind the await_outcome seam so it's hermetic. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
A --files approval modal can now be resolved by voice as well as a keypress: the engine routes the next final transcript during an approval pause to the open modal, which applies the grammar (spoken_decision) — an unambiguous affirmative approves, anything else rejects. Destructive commands (risk.risk_warning) ignore the spoken answer and require a keypress. - spoken_approval.spoken_decision: approve/reject/ignore(destructive) from a transcript - modals.ApprovalScreen.try_voice: resolve the open modal by voice (destructive -> ignore) - tui.submit_voice_approval: route a transcript to the open modal (UI-thread hop) - engine: _awaiting_approval gate + on_turn routes the next final transcript during a pause; run_cascade gains on_approval_voice; _exec wires it to the TUI Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add four short, spoken-safe guidance clauses to the live voice agent's system prompt, adapted from openclaw's prompt-engineering patterns: - persona latch: the operational rules outrank the user persona's style, so a chatty/in-character persona can't override brevity or honesty - retry-on-empty: rephrase a thin/empty lookup once before concluding - read-before-clobber (--files): read a file before overwriting, prefer merging over wholesale replacement unless asked - worked example in the no-tools path for the documented "offer to look it up, then go silent" failure Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The tool dropped today's high/low (the outlook started at tomorrow), so "what's the high today?" had no datum and the model echoed the current temp. format_report now returns every interesting field: current temp (°C/°F), feels-like, humidity, wind, and condition; today's own high/low + rain chance; then the two-day outlook. The forecast query is widened to fetch those fields. Also declare langchain as a direct dependency (brain.py imports its public langchain.agents.middleware API, so depend on what you import) and restore the list-item entry in the brain module's mypy disable_error_code (the invariant middleware boundary, matching origin/main). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… gates Get scripts/check.sh fully green on the branch: - Split the write-approval (--files) tests out of test_agent_cascade_brain.py (521 -> 445 lines) into test_agent_cascade_approval.py to clear the 500-line max-file-length gate; add the new file to pyrightconfig.tests.json's ignore list alongside its sibling (the deepagents/langchain boundary type-noise). - Cover LiveAgentApp.submit_voice_approval (the spoken-approval routing) with a pilot test, closing the patch-coverage hole at tui.py. - Kill two surviving mutants on changed lines: move the # pragma: no mutate onto engine.py's init=False line (it sat on the closing paren) and pragma modals.py's _expanded init (same Textual __init__ false-survivor as _answered). - Reword a test comment that literally contained `# pragma: no cover`, a false positive for the no-new-escape-hatches gate. - Anchor the gate's cast() matcher with \b so it no longer counts identifiers ending in "cast" (weather_tool._forecast) as casts. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01V2Rac3g5UYHc6LXub19pG4
| def _is_boundary(text: str, index: int) -> bool: | ||
| """True when the char at ``index`` ends a clause: a terminator/separator that is the | ||
| last char or is followed by whitespace (so a '.' inside "$3.50" never splits).""" | ||
| return index + 1 == len(text) or text[index + 1].isspace() |
There was a problem hiding this comment.
_is_boundary now treats end-of-buffer as a boundary, so pop_clauses can emit trailing '.' from partial chunks (e.g. "$3.") before "50" arrives, causing incorrect streamed number splitting.
Details
✨ AI Reasoning
1) The helper is intended to split incrementally while avoiding premature boundaries inside numbers.
2) The new boundary check returns true at end-of-buffer.
3) In the clause loop, hard terminators at that position are immediately flushed.
4) That makes partial numeric tokens terminate early during streaming, so the described safety condition is no longer true.
5) This is a concrete behavior mismatch, not a style issue.
🔧 How do I fix it?
Trace execution paths carefully. Ensure precondition checks happen before using values, validate ranges before checking impossible conditions, and don't check for states that the code has already ruled out.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info
| producer = threading.Thread(target=produce, daemon=True) # pragma: no mutate | ||
| producer.start() | ||
| spoken: list[str] = [] | ||
| tail = self._consume(events, before, spoken) |
There was a problem hiding this comment.
_generate_reply no longer guarantees clearing _awaiting_approval on all exit paths; a failure during an active ApprovalPause can leave the gate stuck on and misroute later user turns.
Details
✨ AI Reasoning
The updated reply flow now exits without an unconditional cleanup step after processing streamed events. During an approval pause, the gate is armed when a pause-start event arrives. If the turn then ends via an error/timeout path before a pause-end event, the gate never gets disarmed. After that, subsequent finalized transcripts are routed as approval responses instead of normal user turns, so conversation flow can get stuck in an invalid state.
🔧 How do I fix it?
Trace execution paths carefully. Ensure precondition checks happen before using values, validate ranges before checking impossible conditions, and don't check for states that the code has already ruled out.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info
| Marks the reply as speaking on the first spoken delta (so a UI interrupt can cut it). | ||
| Returns the new buffer, or ``None`` if a TTS failure cut the turn (the caller aborts).""" | ||
| if used_tool: | ||
| return buffer + item.text |
There was a problem hiding this comment.
Replacing list-based accumulation with repeated string concatenation (buffer + item.text) inside the streaming loop can cause quadratic allocations for long replies; use list.append and ''.join at the end instead.
Details
✨ AI Reasoning
The reply consumer previously accumulated post-tool narration in a list to avoid repeated reallocation; the diff replaces that with incremental string concatenation (buffer + item.text) inside a loop that processes streamed text deltas. Streaming text can be unbounded per turn, so concatenating into a single Python str on every delta causes repeated allocation and copying, turning linear accumulation into quadratic work. This harms performance for long replies or verbose planning output and is a straightforward pattern regression introduced by the change.
🔧 How do I fix it?
Move constant work outside loops. Use StringBuilder instead of string concatenation in loops. Cache compiled regex patterns. Use hash-based lookups instead of nested loops. Batch database operations instead of N+1 queries.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info
|
|
||
| def pending(self) -> int: | ||
| """How many unplayed samples are still queued (>0 while audio is audibly playing).""" | ||
| ... |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Builds out the client-orchestrated
assembly livevoice agent (theagent_cascadeslice) and retires the oldassembly codecommand. Highlights across the branch:--filessandboxed cowork. Swaps the in-memory backend for a real-cwdSandboxedShellBackendwith a functional, OS-sandboxedexecute(sandbox-exec/SBPL on macOS,bwrapon Linux; refused — never unconfined — elsewhere). Writes/edits/execute are gated viainterrupt_on+ an approver, and--filesturns on durable per-project memory plus one gateway-bound, sandbox-backed general-purpose subagent (the deepagentstasktool).assembly coderemoved, with its shared modules relocated intoagent_cascade/and the help/docs/architecture references cleaned up.Gate-greening (final commit)
Brought
scripts/check.shfully green on the branch:test_agent_cascade_brain.py(521 → 445 lines) intotest_agent_cascade_approval.pyto clear the 500-line gate.LiveAgentApp.submit_voice_approvalto close a patch-coverage hole.# pragma: no mutateonengine.py'sinit=Falseline; pragma'dmodals.py's_expandedinit).`# pragma: no cover`, and thecast(matcher counting_forecast(— now anchored with\b.Test plan
./scripts/check.sh→All checks passed.(full gate: ruff/mypy/pyright/vulture/deptry/import-linter/xenon, 90% branch + Textual coverage, 100% patch coverage, diff-scoped mutation gate, escape-hatch gates, build + twine).🤖 Generated with Claude Code
https://claude.ai/code/session_01V2Rac3g5UYHc6LXub19pG4
Generated by Claude Code