feat(WARDEN-WP-0020): T2 — llm-connect brain (autonomous worker now thinks)

llm-connect is operational (operator set OPENROUTER_API_KEY). Contract discovered from
the running service: POST /execute {"prompt":...} -> {"content":...}.

LlmConnectBrain embeds the fixed charter + the inbox message as untrusted data, calls
/execute, and parses a JSON action plan (_extract_json tolerates fences/prose), escalating
defensively on malformed/empty/transport errors. The build_plans guardrail still enforces
the allowlist + no-secret invariant on whatever the model returns — the LLM cannot widen
ops-warden's authority. `warden worker run --brain rule|llm` selects the planner.

Live-verified on the real inbox: the LLM brain planned a sensible reply+mark_read for a
secrets-engine coordination message and correctly escalated a secret-custody request as
out-of-lane — better classification than the deterministic RuleBrain.

6 new tests, 236 pass, lint clean. T3 (guarded executor) and T4 (scheduling) remain.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
2026-06-29 23:10:28 +02:00
parent 4287eccc80
commit 859beed07f
4 changed files with 169 additions and 9 deletions

View File

@@ -80,14 +80,24 @@ state_hub_task_id: "979c2d9b-0803-442f-aa2e-acb02bac07e9"
```task
id: WARDEN-WP-0020-T02
status: todo
status: done
priority: high
state_hub_task_id: "52d281b2-7d48-44f5-b77e-80e3ed500b5f"
```
- [ ] `LlmConnectBrain`: POST to llm-connect `/execute` with the fixed charter system
policy + the message as untrusted data; parse a structured action plan. Configurable
`llm_connect_url`. Blocked on llm-connect's API contract + it being operational.
- [x] llm-connect brought operational (operator set OPENROUTER_API_KEY k8s secret + restart).
Contract discovered empirically from the running service: `POST /execute {"prompt":...}`
`{"content": "<text>", ...}` (no OpenAPI; custom JSON API). End-to-end verified (pong).
- [x] `LlmConnectBrain` (src/warden/worker.py): embeds the fixed charter + the message as
untrusted data into the prompt, calls `/execute`, parses a JSON action plan
(`_extract_json` tolerates fences/prose), and defensively escalates on malformed/empty/
transport-error. Configurable `LLM_CONNECT_URL`. The guardrail pass still enforces the
allowlist + no-secret invariant on whatever the model returns.
- [x] `warden worker run --brain rule|llm` selector (dry-run default). Tests:
`tests/test_worker.py` (extract_json, parse, escalate-on-flag/malformed/transport,
guardrail-catches-unsafe-LLM-action). **Live verified** against the real inbox: the LLM
brain produced a sensible reply+mark_read for the secrets-engine message and correctly
escalated the llm-connect secret-custody request. 236 tests, lint clean.
### T3 — Action dispatch + guardrails (full-auto in-scope)