Files
stack/docs/architecture/mutator-class-gate.md
ms-lead-reviewer 6a3505dfbc
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful
fix(#829): gate claudex and close branch coverage gaps
2026-07-17 23:12:42 -05:00

3.3 KiB

Whole mutator-class lease gate

WI-2 adds the framework-native authorization boundary for Claude (including the supported Claudex overlay) and Pi. Every runtime-reported tool name reaches the lease broker before execution. The gate classifies capabilities by the whole tool class; it never parses a Bash command to decide whether that particular string looks read-only.

Default-deny policy

While a session is not VERIFIED, only these exact classes are allowed:

  • Claude: Read, Grep, Glob, Ls, Find
  • Pi: read, grep, find, ls
  • Both runtimes: the fixed mosaic_context_recover primitive

Every other built-in, unknown tool, and custom/MCP tool is consequential by default and is denied. This includes Claude Bash, Edit, Write, and NotebookEdit, plus Pi bash, edit, and write. A compromised model therefore cannot bypass Mosaic wrappers by selecting raw git, curl, kubectl, provider, deployment, or filesystem commands inside a generic mutator—the generic mutator itself is blocked before its input executes.

Broker-owned transition order

The authenticated broker is the sole lease writer:

  1. begin_verification revokes existing authority and pending tokens first, then records PENDING_VERIFICATION and mints one WI-1 single-use promotion token bound to the exact cycle.
  2. promote_lease accepts only that session/generation/binding/token combination.
  3. Token consumption commits before the volatile lease becomes VERIFIED. Promotion is last and cannot be reached directly from UNVERIFIED.
  4. revoke_lease, a runtime-generation increase, broker restart, or monotonic expiry removes mutator authority.

The initial TTL is capped at the ratified 300-second maximum. A caller may request a shorter positive TTL but cannot lengthen the maximum. Dual compaction-hook miss within an unexpired lease remains the ratified bounded T-A residual; once either observer revokes or TTL expires, the next consequential tool is denied.

A receipt is only a future promotion prerequisite. It is not an obedience, residency, or safety proof and never replaces this mechanical gate.

Runtime adapters

launch-runtime.py registers itself with the broker and then execs Claude or Pi so PID/starttime remain the authenticated parent anchor. It exports only the broker-minted session ID and current generation to descendants.

  • Claude installs mutator-gate.py as an all-tools (.*) PreToolUse hook.
  • mosaic claudex and mosaic yolo claudex preserve their isolated CLAUDE_CONFIG_DIR, merge the mandatory hook into that isolated settings.json, and use the same register-before-exec launcher. Malformed or symlinked isolated settings deny launch.
  • Pi invokes the same executable from its tool_call handler.

The executable submits the runtime's actual tool name to authorize_tool. Missing identity, malformed input/reply, timeout, broker unavailability, or denial exits with status 2 and blocks fail-closed.

Assurance boundary

This closes T-A after an observer fires or lease expiry and T-B for in-runtime tool calls. Hook/extension absence, a runtime executing outside the gated launcher, ptrace/same-UID broker replacement, and other fully rotted behavior remain T-C. Server-side branch protection and required PR review/CI remain the irreducible line for protected repository mutations.