Three changes expanding PHI safety envelope on the tool-result surface. Closes V2 + V12 + V2-sub from Vera's audit. No behavior change for users not interacting with HL7-shaped data.

- Tool-name allow-list dropped. The v0.7.3 tool-result auto-PHI gate ran only on read_file (.hl7|.txt), nc_msgs, hl7_field, hl7_diff. v0.8.1 runs _auto_phi_looks_like_hl7 on EVERY tool result. On hit → route through lib/hl7-sanitize.sh. On miss → pass through unchanged. Closes V2: bash_exec / ssh_exec / grep_files / read_file of any extension all get scanned when their output is HL7-shaped. False-positive cost is negligible (extra regex pass on non-HL7 has zero behavioral impact).

- Base64-wrapped HL7 round-trip. New _auto_phi_b64_roundtrip helper. Detects candidate base64 runs (length >= 200, [A-Za-z0-9+/=] only, length divisible by 4 — NOT entropy-based per Pax §V2-sub: HL7's repetitive prefixes survive base64 with LOW entropy, so entropy is the wrong signal). Speculatively decodes each candidate; if decoded bytes look like HL7, routes through hl7-sanitize.sh and re-encodes back into the result. Catches ssh_pull_smat sampled mode's TSV format. Requires python3 (installed everywhere larry runs); skipped with a one-time stderr warning when unavailable. Server-side TSV encoding kept (binary-safe transport); client-side unwrap handles the safety concern, no remote refactor needed.

- Operator review gate for bash_exec/ssh_exec/ssh_pull/ssh_pull_smat results. When the tool produced HL7-shaped output OR the result exceeds LARRY_TOOL_RESULT_REVIEW_THRESHOLD bytes (default 8192), Larry prompts [Y/n/i] before passing the result back to the model. 'i' opens the full output in $PAGER then re-prompts. Default Y (zero friction). N substitutes a refusal JSON so the model surfaces that something was withheld. Skipped when LARRY_AUTO_PHI=off (opt-out consistency) OR no TTY (headless scripts unaffected). Override with LARRY_TOOL_RESULT_REVIEW=always for paranoid mode. Closes V12.

Proactive same-pattern sweep. Searched for other call sites where tool output bypasses content-shape gating: only the one in agent_turn. The v0.8.0-c strict-mode tool-result branch was updated in lockstep so it now triggers on the broader (content-only) eligibility.

Verification: bash -n clean; b64 round-trip unit-tested with three cases (real-world HL7 base64 → decoded contains tokenized PHI not clear-text PHI; plain text → passthrough; non-HL7 b64 → passthrough, no false positive).

Co-Authored-By: Clover (Claude Opus 4.7) <noreply@anthropic.com>
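As an added example (not larry's code, and not the lib/hl7-sanitize.sh the commit routes through), the following stand-alone Python sketch shows the three pieces the commit message describes: the content-shape test that replaces the tool-name allow-list, the base64 round-trip with its non-entropy candidate rule, and the decision half of the operator review gate. Python is used because the commit says the round-trip helper already requires python3. The detector regex, the PID field list, the token format, the sample message and the rule that "always" mode still needs a TTY are assumptions made here; the function names mirror the commit's _auto_phi_looks_like_hl7 / _auto_phi_b64_roundtrip without the leading underscore.

```python
"""Stand-in for larry's v0.8.1 tool-result PHI gate (added example, not larry's code).

auto_phi_looks_like_hl7 / auto_phi_b64_roundtrip mirror the commit's helper names
(minus the leading underscore); the regexes, PID field list, token format and
review-gate decision rules are assumptions, not larry's implementation.
"""
import base64
import binascii
import hashlib
import re

# HL7 v2 messages open with an MSH segment whose first characters after "MSH"
# are the field separator "|" and the encoding characters "^~\&" (assumed test).
HL7_HEADER_RE = re.compile(r"(?:^|[\r\n])MSH\|\^~\\&\|")

# Candidate base64 run: alphabet-only, >= 200 chars; length % 4 is checked in
# code. Deliberately not entropy-based: HL7's repetitive segment prefixes
# survive base64 with low entropy, so entropy would be the wrong signal.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/=]{200,}")

# PID fields carrying direct identifiers (HL7 numbering: PID-3, PID-5, ...). Assumed list.
PID_PHI_FIELDS = {3: "id", 5: "name", 7: "dob", 11: "addr", 19: "ssn"}

# Constructed sample message (fictional patient) and the TSV framing the commit
# attributes to ssh_pull_smat sampled mode: one base64 column per row.
SAMPLE_HL7 = (
    "MSH|^~\\&|LAB|HOSP|EHR|HOSP|202401011200||ORU^R01|MSG0001|P|2.5\r"
    "PID|1||123456^^^HOSP^MR||DOE^JANE||19800101|F|||1 MAIN ST^^TOWN^ST^00000"
    "||||||||999-99-9999\r"
    "OBX|1|NM|GLU^Glucose||95|mg/dL|70-99|N|||F\r"
    "OBX|2|NM|NA^Sodium||140|mmol/L|135-145|N|||F\r"
)
SAMPLE_TSV = "msg-0001\t" + base64.b64encode(SAMPLE_HL7.encode()).decode() + "\t2024-01-01\n"
PLAIN_TEXT = "total 0\ndrwxr-xr-x 2 user user 4096 Jan  1 00:00 .\n"   # constructed ls output
SAMPLE_NON_HL7_B64 = base64.b64encode(("lorem ipsum " * 30).encode()).decode()   # 480 chars


def auto_phi_looks_like_hl7(text: str) -> bool:
    """Content-shape test applied to every tool result, regardless of tool name."""
    return HL7_HEADER_RE.search(text) is not None


def _token(kind: str, value: str) -> str:
    # Stable per value, so the model can still correlate one patient across
    # segments or messages without ever seeing the identifier itself.
    return f"[PHI:{kind}:{hashlib.sha256(value.encode()).hexdigest()[:8]}]"


def hl7_sanitize(text: str) -> str:
    """Stand-in for lib/hl7-sanitize.sh: tokenize PHI-bearing PID fields and
    leave every other segment, plus the original segment terminators, intact."""
    parts = re.split(r"(\r\n|\r|\n)", text)   # capturing group keeps the separators
    for i, seg in enumerate(parts):
        fields = seg.split("|")
        if fields[0] == "PID":
            for idx, kind in PID_PHI_FIELDS.items():
                if idx < len(fields) and fields[idx]:
                    fields[idx] = _token(kind, fields[idx])
            parts[i] = "|".join(fields)
    return "".join(parts)


def b64_decode_text(run: str) -> str:
    """Strict decode: raises on bad padding/alphabet (binascii.Error) or non-UTF-8 bytes."""
    return base64.b64decode(run, validate=True).decode("utf-8")


def auto_phi_b64_roundtrip(result: str) -> str:
    """Speculatively decode each candidate run; sanitize and re-encode only those
    that decode to HL7. Every other run is returned unchanged (no false positive)."""
    def swap(match: re.Match) -> str:
        run = match.group(0)
        if len(run) % 4:
            return run
        try:
            decoded = b64_decode_text(run)
        except (binascii.Error, UnicodeDecodeError):
            return run
        if not auto_phi_looks_like_hl7(decoded):
            return run
        return base64.b64encode(hl7_sanitize(decoded).encode()).decode("ascii")
    return B64_RUN_RE.sub(swap, result)


def gate_tool_result(result: str) -> str:
    """Content-only gate: no tool-name allow-list, so bash_exec / ssh_exec /
    grep_files output is handled exactly like read_file of a .hl7 file."""
    if auto_phi_looks_like_hl7(result):
        result = hl7_sanitize(result)
    return auto_phi_b64_roundtrip(result)


def needs_operator_review(result: str, hl7_shaped: bool, *, threshold: int = 8192,
                          auto_phi: str = "on", is_tty: bool = True, mode: str = "auto") -> bool:
    """Decision half of the [Y/n/i] gate (the prompt itself is omitted). threshold,
    auto_phi and mode stand in for LARRY_TOOL_RESULT_REVIEW_THRESHOLD, LARRY_AUTO_PHI
    and LARRY_TOOL_RESULT_REVIEW; treating 'always' as still TTY-bound is an assumption."""
    if not is_tty:                      # headless scripts never block on a prompt
        return False
    if mode == "always":                # paranoid mode: review every eligible result
        return True
    if auto_phi == "off":               # opt-out consistency with the PHI gate
        return False
    return hl7_shaped or len(result.encode()) > threshold
```

Running `gate_tool_result(SAMPLE_TSV)` leaves the TSV framing and the non-PID segments untouched and replaces only the identifying PID fields inside the re-encoded column, which is the "decoded contains tokenized PHI, not clear-text PHI" case from the commit's verification list. The shape test is a fixed-format check rather than a heuristic, so a tool result that merely quotes an MSH line (say, in a shell script comment) is also routed through the sanitizer; that is the negligible false-positive cost the commit accepts in exchange for dropping the allow-list.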