generated from coulomb/repo-seed
feat(WARDEN-WP-0020): T2 — llm-connect brain (autonomous worker now thinks)
llm-connect is operational (operator set OPENROUTER_API_KEY). Contract discovered from
the running service: POST /execute {"prompt":...} -> {"content":...}.
LlmConnectBrain embeds the fixed charter + the inbox message as untrusted data, calls
/execute, and parses a JSON action plan (_extract_json tolerates fences/prose), escalating
defensively on malformed/empty/transport errors. The build_plans guardrail still enforces
the allowlist + no-secret invariant on whatever the model returns — the LLM cannot widen
ops-warden's authority. `warden worker run --brain rule|llm` selects the planner.
Live-verified on the real inbox: the LLM brain planned a sensible reply+mark_read for a
secrets-engine coordination message and correctly escalated a secret-custody request as
out-of-lane — better classification than the deterministic RuleBrain.
6 new tests, 236 pass, lint clean. T3 (guarded executor) and T4 (scheduling) remain.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@@ -80,14 +80,24 @@ state_hub_task_id: "979c2d9b-0803-442f-aa2e-acb02bac07e9"
```task
id: WARDEN-WP-0020-T02
status: todo
status: done
priority: high
state_hub_task_id: "52d281b2-7d48-44f5-b77e-80e3ed500b5f"
```
- [ ] `LlmConnectBrain`: POST to llm-connect `/execute` with the fixed charter system
policy + the message as untrusted data; parse a structured action plan. Configurable
`llm_connect_url`. Blocked on llm-connect's API contract + it being operational.
- [x] llm-connect brought operational (operator set OPENROUTER_API_KEY k8s secret + restart).
Contract discovered empirically from the running service: `POST /execute {"prompt":...}`
→ `{"content": "<text>", ...}` (no OpenAPI; custom JSON API). End-to-end verified (pong).
- [x] `LlmConnectBrain` (src/warden/worker.py): embeds the fixed charter + the message as
untrusted data into the prompt, calls `/execute`, parses a JSON action plan
(`_extract_json` tolerates fences/prose), and defensively escalates on malformed/empty/
transport-error. Configurable `LLM_CONNECT_URL`. The guardrail pass still enforces the
allowlist + no-secret invariant on whatever the model returns.
- [x] `warden worker run --brain rule|llm` selector (dry-run default). Tests:
`tests/test_worker.py` (extract_json, parse, escalate-on-flag/malformed/transport,
guardrail-catches-unsafe-LLM-action). **Live verified** against the real inbox: the LLM
brain produced a sensible reply+mark_read for the secrets-engine message and correctly
escalated the llm-connect secret-custody request. 236 tests, lint clean.
### T3 — Action dispatch + guardrails (full-auto in-scope)
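Review bot: the task record is now internally inconsistent. The original unchecked item `- [ ] \`LlmConnectBrain\`: POST to llm-connect \`/execute\` ...` still ends with "Blocked on llm-connect's API contract + it being operational", while the new `- [x]` entries below it state that the contract was discovered and the brain is implemented and live-verified, and the header flips `status: todo` to `status: done`. Either tick the original item or fold it into the `[x] \`LlmConnectBrain\` (src/warden/worker.py)` entry so a reader does not see a "blocked" task inside a task marked done. While editing that entry, it would help to state what happens when the guardrail pass rejects an action the model returned (escalate, drop, or something else): the checklist names escalation only for the flag/malformed/transport cases and lists `guardrail-catches-unsafe-LLM-action` as a test, so the outcome of a guardrail rejection is the one branch of the safety story the task text leaves implicit.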