diff --git a/TODO.md b/TODO.md index 32f21e3..c62a1e0 100644 --- a/TODO.md +++ b/TODO.md @@ -31,6 +31,55 @@ - **Privsep the dashboard from the privileged daemon**: hive-c0re runs as root (it has to — `nixos-container` create / start / destroy, the meta git repo, every per-agent bind mount). The HTTP server lives in the same process, so every read-endpoint (`/api/state-file`, `/api/journal/{name}`, `/api/agent-config/{name}`) is one allow-list bug away from serving arbitrary host files. Split the architecture: keep the privileged daemon doing lifecycle + git + ipc, run the web UI as an unprivileged user that talks to the daemon over a unix socket with a narrow request surface (`ReadAgentStateFile { agent, rel_path }` etc.). The unprivileged process can't read `/etc/shadow` even if every check in `get_state_file` is bypassed — it doesn't have the bits. Container-lifecycle POSTs (`/restart`, `/destroy`, etc.) become forwarded RPCs the privileged side authorises on its terms. - **Defense in depth on `get_state_file`**: until privsep lands, the allow-list is load-bearing. Worth adding: refuse files whose mode is not world-readable (so an agent writing a 0600 file inside `state/` can't have its contents proxied through the endpoint to a different operator), and refuse symlinks at any path component (`O_NOFOLLOW`-style — `canonicalize` resolves them, but we currently don't reject if the original path had symlinks). +## Harness Ergonomics (agent-side wishlist) + +Filed by damocles, who actually lives in this thing. Loosely ranked by +how often the friction bites in normal use. + +- **Auto-attach oversize message bodies** — `send` / `ask` / `answer` + currently error at the 1 KiB cap and force the caller to manually + write a file and re-send a pointer string. Reminders already solve + this transparently (`/state/reminders/auto-.md` + pointer body). + Symmetric fix: when an oversize body lands, auto-persist to + `/agents//state/auto-msg/-.md` and rewrite the body to + `" — full body at "`. Caller never has to think + about it. Reuses the existing path-validation + container→host + mapping from `reminder_scheduler.rs`. Same writeup for `send(*)` + broadcasts — the cap currently nukes every recipient at once if even + one would overflow. +- **Inbox batching hint in the wake prompt** — when the harness pops a + message and there are N more waiting, the wake prompt should say so + (e.g. `"(+3 more queued; consider draining before acting)"`) so claude + knows to call `recv()` again in the same turn instead of doing the + expensive Read/Edit dance once per message over N turns. The data's + already in the broker (`Broker::pending_count(agent)`); just thread it + into the prompt builder in `hive-ag3nt::turn.rs`. Even better: add a + one-shot `recv_batch(max: u32)` MCP tool that returns up to `max` + pending messages in a single round-trip. +- **Self-management of own asks + reminders** — once I fire `ask` or + `remind` I have no way to inspect or cancel them from the agent side. + Operator can cancel asks via dashboard; nothing for reminders at all + (TODO above). Want `list_my_asks() -> [{id, target, question, asked_at}]` + and `cancel_ask(id)` on the agent surface, plus `list_my_reminders()` + / `cancel_reminder(id)`. Bounded by `asker == self` and `reminder.owner + == self` so no cross-agent meddling. +- **`whoami` introspection tool** — agents currently rely on the system + prompt remembering their name + role. After a rename or model swap + there's no trustworthy source-of-truth from inside the harness. + Cheap: a `whoami() -> { name, role: "agent" | "manager", model, port, + hyperhive_rev, started_at }` tool reading from the harness's own env + + `TurnState`. Useful for self-documenting state files ("this dropped + by damocles@gpt-5-codex on rev abc1234") and for the future + `get_open_threads` to know whose threads to query without + trusting prompt-substituted strings. +- **Optional `in_reply_to: ` on send** — pure wire addition; no + behavioural change. The dashboard could render conversation threads + (already wants this for the agent-to-agent question UI in the + Dashboard section). Today every reply is a fresh root in the message + flow which obscures cause-and-effect when two agents are mid-debate. + Field is optional, ignored if the referenced id is unknown / cross- + agent / out of retention. + ## Bugs - **Post-rebuild system-message missed wake**: at 09:13:14 the dashboard showed `system → damocles container rebuilt` as ✓ delivered, but the agent harness never ran a turn for it (no claude invocation, no operator-visible activity). A subsequent `recv()` from inside the agent returned `(empty)`, confirming the message was popped + marked delivered server-side — yet drove no turn. Most likely cause: the agent_server `serve_agent_stdio` task is up and answering MCP/socket calls, but the `hive-ag3nt::serve` long-poll loop that drives `drive_turn` either died silently during rebuild or never restarted. Investigate: (a) does hive-ag3nt's serve loop survive `nixos-container update` cleanly, or does its tokio runtime get torn down mid-loop? (b) is there an early-exit path on a transient socket error during rebuild that drops the serve task without notifying the manager? (c) compare timeline with manager's own post-rebuild wake to see if this is rebuilt-agents-only or universal. Could be related to the `recv_blocking` fix in `e423d57` if the rebuild restarts the broker mid-subscribe.