# Track Specification: Architecture Boundary Hardening

## Overview

The `manual_slop` project serves dual roles: it is an end-user GUI application built around Human-In-The-Loop (HITL) AI orchestration, and it is the sandbox for the AI meta-tooling (`mma_exec.py`, `tool_call.py`) being used to develop it. Because `mcp_client.py` is shared between both environments to provide robust code investigation tools, a critical HITL bypass has emerged. Additionally, the meta-tooling scripts are bleeding tokens.

## Current State Audit

1. **HITL Bypass in `manual_slop` Application**:
   - Location: `ai_client.py` inside `_send_gemini`, `_send_gemini_cli`, `_send_anthropic`, and `_send_deepseek`.
   - Issue: The `pre_tool_callback` is explicitly only checked if `name == TOOL_NAME` (which is `run_powershell`).
   - If an AI agent running inside the GUI calls `set_file_slice` or `py_update_definition`, the code falls through to `elif name in mcp_client.TOOL_NAMES:` and dispatches it immediately, silently mutating the user's codebase without approval.
   - *Requirement*: The application strictly requires step-by-step deterministic user approval for *any* filesystem modification, whether by script or direct AST manipulation.

2. **Token Firewall Leak in Meta-Tooling (`mma_exec.py`)**:
   - Location: `scripts/mma_exec.py:101`.
   - Issue: `UNFETTERED_MODULES` hardcodes `['mcp_client', 'project_manager', 'events', 'aggregate']`. If a worker targets a file that imports `mcp_client`, the script injects the full `mcp_client.py` (~450 lines) into the context instead of its skeleton, blowing out the token budget and destroying Context Amnesia.

3. **DAG Engine Blocking Stalls (`dag_engine.py`)**:
   - Location: `dag_engine.py` -> `get_ready_tasks()`
   - Issue: `get_ready_tasks` requires all dependencies to be explicitly `completed`. If a task is marked `blocked` (e.g. after max retries in the ConductorEngine), its dependents stay `todo` forever. The `ConductorEngine.run()` loop has no logic to handle this cleanly, causing an infinite stall.

## Desired State

- Any mutating tool from `mcp_client.py` (`set_file_slice`, `py_update_definition`, `py_set_signature`, `py_set_var_declaration`, `write_file`) must trigger a user approval dialogue, just like `run_powershell`.
- The `UNFETTERED_MODULES` list must be completely removed from `mma_exec.py` so all dependencies are reliably skeletonized.
- The `dag_engine.py` must cascade `blocked` status to downstream tasks so the track halts cleanly instead of deadlocking.

## Technical Constraints

- The UI modal must be updated or a new `pre_mutation_callback` must be introduced to handle showing the proposed AST edit vs the proposed script.
- Keep the boundary clear: changes in `ai_client.py` affect the user's `manual_slop` application experience. Changes in `mma_exec.py` affect *our* meta-tooling environment.
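The following is an added example, not code from `ai_client.py` or `mcp_client.py`. It models the dispatch shape described in audit item 1 (approval consulted only when `name == TOOL_NAME`) next to a hardened form that fails closed: every tool not on an explicit read-only allow-list goes through the approval callback. `TOOL_NAME`, `TOOL_NAMES` and `pre_tool_callback` are taken from the page; `READ_ONLY_TOOLS`, `fake_dispatch`, `dispatch_before` and `dispatch_after` are assumed names, and the membership of `TOOL_NAMES` is constructed for the demonstration.

```python
"""Added example (not the project's code): HITL gate keyed on name == TOOL_NAME
versus a fail-closed gate that requires approval for anything not known read-only."""
from typing import Callable, Dict, List

TOOL_NAME = "run_powershell"  # the one tool the original branch gates, per the audit

# Constructed stand-in for mcp_client.TOOL_NAMES: read-only and mutating tools mixed.
TOOL_NAMES = frozenset({
    "read_file", "get_file_slice",                      # assumed read-only tools
    "set_file_slice", "py_update_definition", "py_set_signature",
    "py_set_var_declaration", "write_file",             # mutating tools from Desired State
})

# Assumed allow-list: only tools proven not to touch the filesystem skip approval.
# A tool added to mcp_client later is therefore gated by default.
READ_ONLY_TOOLS = frozenset({"read_file", "get_file_slice"})

ApprovalCallback = Callable[[str, Dict], bool]


def fake_dispatch(name: str, args: Dict, log: List[str]) -> str:
    """Constructed stand-in for real tool execution; records what actually ran."""
    log.append(name)
    return f"ran {name}"


def dispatch_before(name: str, args: Dict,
                    pre_tool_callback: ApprovalCallback, log: List[str]) -> str:
    """Shape of the branch in the audit: approval is consulted only for run_powershell."""
    if name == TOOL_NAME:
        if not pre_tool_callback(name, args):
            return "denied"
        return fake_dispatch(name, args, log)
    elif name in TOOL_NAMES:
        # Mutating mcp_client tools fall through here with no approval at all.
        return fake_dispatch(name, args, log)
    return "unknown tool"


def dispatch_after(name: str, args: Dict,
                   pre_tool_callback: ApprovalCallback, log: List[str]) -> str:
    """Hardened: the gate is keyed on whether the tool may mutate, not on its name."""
    if name != TOOL_NAME and name not in TOOL_NAMES:
        return "unknown tool"
    # Fail closed: anything not on the read-only allow-list needs the user's approval.
    if name not in READ_ONLY_TOOLS and not pre_tool_callback(name, args):
        return "denied"
    return fake_dispatch(name, args, log)
```

The allow-list is deliberately the inverse of a deny-list of mutating names: if a future `mcp_client` tool is added without updating the gate, the hardened dispatcher asks the user rather than silently running it. The `pre_mutation_callback` mentioned under Technical Constraints would slot in where `pre_tool_callback` is called, receiving the proposed AST edit instead of a script.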
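The following is an added example, not the project's `dag_engine.py` or `ConductorEngine`. It shows the `get_ready_tasks` rule from audit item 3 (every dependency must be `completed`), a `cascade_blocked` step that propagates `blocked` to downstream `todo` tasks, and a conductor-style loop that halts cleanly once the cascade has run. `Task`, `TaskGraph`, `cascade_blocked`, `is_stalled` and `run_track` are assumed names; the `cascade` flag exists only to contrast the stalling and halting behaviours side by side.

```python
"""Added example (not the project's dag_engine.py): cascading `blocked` downstream
so a conductor loop halts instead of waiting forever on a dependency that will
never complete."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Task:
    name: str
    deps: List[str] = field(default_factory=list)
    status: str = "todo"  # todo | completed | blocked


class TaskGraph:
    def __init__(self, tasks: List[Task]) -> None:
        self.tasks: Dict[str, Task] = {t.name: t for t in tasks}
        # Reverse edges so a blocked task can find the tasks that depend on it.
        self.dependents: Dict[str, List[str]] = {n: [] for n in self.tasks}
        for t in tasks:
            for d in t.deps:
                self.dependents[d].append(t.name)

    def get_ready_tasks(self) -> List[str]:
        """Rule from the audit: a todo task is ready only when every dep is completed."""
        return [t.name for t in self.tasks.values()
                if t.status == "todo"
                and all(self.tasks[d].status == "completed" for d in t.deps)]

    def cascade_blocked(self, name: str) -> List[str]:
        """Mark `name` blocked and BFS over reverse edges, blocking every downstream todo."""
        self.tasks[name].status = "blocked"
        changed = [name]
        queue = deque(self.dependents[name])
        while queue:
            n = queue.popleft()
            t = self.tasks[n]
            if t.status == "todo":
                t.status = "blocked"
                changed.append(n)
                queue.extend(self.dependents[n])
        return changed

    def is_stalled(self) -> bool:
        """Nothing can run but todo work remains: the deadlock the audit describes."""
        return not self.get_ready_tasks() and any(
            t.status == "todo" for t in self.tasks.values())


def run_track(graph: TaskGraph, worker: Callable[[str], bool],
              max_retries: int = 2, cascade: bool = True) -> str:
    """Conductor-style loop. worker(name) returns True on success; a task that
    exhausts max_retries is blocked (and, with cascade=True, so are its dependents).
    Returns 'completed', 'halted' (blocked work, nothing runnable) or 'stalled'."""
    retries: Dict[str, int] = {}
    while True:
        ready = graph.get_ready_tasks()
        if not ready:
            if graph.is_stalled():
                return "stalled"   # the original behaviour, surfaced instead of looping
            if any(t.status == "blocked" for t in graph.tasks.values()):
                return "halted"
            return "completed"
        for name in ready:
            if worker(name):
                graph.tasks[name].status = "completed"
                continue
            retries[name] = retries.get(name, 0) + 1
            if retries[name] > max_retries:
                if cascade:
                    graph.cascade_blocked(name)
                else:
                    graph.tasks[name].status = "blocked"
```

With `cascade=False` the graph ends with the failed task `blocked` and its dependents `todo`, which is exactly the state `get_ready_tasks` can never make progress from; `is_stalled` only reports it here so the example terminates. With `cascade=True` there is no remaining `todo` work, so the loop exits with `halted` and the unaffected branch of the DAG still completes.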