manual_slop/conductor/tracks/architecture_boundary_hardening_20260302/spec.md

Track Specification: Architecture Boundary Hardening

Overview

The manual_slop project serves dual roles: it is an end-user GUI application built around Human-In-The-Loop (HITL) AI orchestration, and it is the sandbox for the AI meta-tooling (mma_exec.py, tool_call.py) being used to develop it. Because mcp_client.py is shared between both environments to provide robust code investigation tools, a critical HITL bypass has emerged. Additionally, the meta-tooling scripts are bleeding tokens.

Current State Audit

  1. HITL Bypass in manual_slop Application:

    • Location: ai_client.py inside _send_gemini, _send_gemini_cli, _send_anthropic, and _send_deepseek.
    • Issue: The pre_tool_callback is explicitly only checked if name == TOOL_NAME (which is run_powershell).
    • If an AI agent running inside the GUI calls set_file_slice or py_update_definition, the code falls through to elif name in mcp_client.TOOL_NAMES: and dispatches it immediately, silently mutating the user's codebase without approval.
    • Requirement: The application strictly requires step-by-step deterministic user approval for any filesystem modification, whether by script or direct AST manipulation.
  2. Token Firewall Leak in Meta-Tooling (mma_exec.py):

    • Location: scripts/mma_exec.py:101.
    • Issue: UNFETTERED_MODULES hardcodes ['mcp_client', 'project_manager', 'events', 'aggregate']. If a worker targets a file that imports mcp_client, the script injects the full mcp_client.py (~450 lines) into the context instead of its skeleton, blowing out the token budget and destroying Context Amnesia.
  3. DAG Engine Blocking Stalls (dag_engine.py):

    • Location: dag_engine.py -> get_ready_tasks().
    • Issue: get_ready_tasks requires all dependencies to be explicitly completed. If a task is marked blocked (e.g. after max retries in the ConductorEngine), its dependents stay todo forever. The ConductorEngine.run() loop has no logic to handle this cleanly, causing an infinite stall.
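As an added illustration of the bypass in item 1 (constructed model, not manual_slop's own ai_client.py), the dispatch shape that consults the approval callback only for run_powershell, beside a version that gates every mutating mcp_client tool the same way. Tool names are taken from this spec; the handler signatures, the read_file stand-in and the callback shapes are assumptions.

```python
# Constructed model of the tool-dispatch branch described in the audit above
# (not manual_slop's code). Tool names are from the spec; everything else is assumed.
from typing import Callable, Dict, List

TOOL_NAME = "run_powershell"
# Mutating tools listed under "Desired State" in this spec.
MUTATING_TOOLS = {"set_file_slice", "py_update_definition", "py_set_signature",
                  "py_set_var_declaration", "write_file"}
# Assumed stand-in for mcp_client.TOOL_NAMES: the mutating tools plus one read-only tool.
TOOL_NAMES = MUTATING_TOOLS | {"read_file"}


def make_tools(log: List[str]) -> Dict[str, Callable[[dict], str]]:
    """Fake handlers that record each executed tool name in `log`."""
    def handler(name: str) -> Callable[[dict], str]:
        def run(args: dict) -> str:
            log.append(name)
            return f"{name} ok"
        return run
    return {name: handler(name) for name in TOOL_NAMES | {TOOL_NAME}}


def dispatch_before(name, args, tools, pre_tool_callback):
    """Shape of the bypass: approval is consulted only for run_powershell."""
    if name == TOOL_NAME:
        return tools[name](args) if pre_tool_callback(name, args) else "denied by user"
    elif name in TOOL_NAMES:
        return tools[name](args)      # mutating tools run with no approval at all
    return f"unknown tool {name}"


def dispatch_after(name, args, tools, pre_tool_callback, pre_mutation_callback=None):
    """Hardened: every mutating tool passes an approval gate before it runs."""
    gate = pre_mutation_callback or pre_tool_callback   # assumed new callback
    if name == TOOL_NAME:
        approved = pre_tool_callback(name, args)        # show the proposed script
    elif name in MUTATING_TOOLS:
        approved = gate(name, args)                     # show the proposed AST edit
    elif name in TOOL_NAMES:
        approved = True                                 # read-only: nothing to approve
    else:
        return f"unknown tool {name}"
    return tools[name](args) if approved else "denied by user"


def always_deny(name: str, args: dict) -> bool:
    return False


def always_allow(name: str, args: dict) -> bool:
    return True


def executed_under_denial(dispatcher) -> List[str]:
    """Send every known tool through `dispatcher` with a user who denies everything
    and return the tools that executed anyway (empty means the gate holds)."""
    log: List[str] = []
    tools = make_tools(log)
    for name in sorted(TOOL_NAMES | {TOOL_NAME}):
        dispatcher(name, {}, tools, always_deny)
    return log
```

Running executed_under_denial against both dispatchers shows the difference directly: the first version executes every mutating tool despite the denial, the second executes only the read-only one.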

Desired State

  • Any mutating tool from mcp_client.py (set_file_slice, py_update_definition, py_set_signature, py_set_var_declaration, write_file) must trigger a user approval dialogue, just like run_powershell.
  • The UNFETTERED_MODULES list must be completely removed from mma_exec.py so all dependencies are reliably skeletonized.
  • The dag_engine.py must cascade blocked status to downstream tasks so the track halts cleanly instead of deadlocking.

Technical Constraints

  • The UI modal must be updated, or a new pre_mutation_callback introduced, so that the approval dialogue can show a proposed AST edit as well as a proposed script.
  • Keep the boundary clear: changes in ai_client.py affect the user's manual_slop application experience. Changes in mma_exec.py affect our meta-tooling environment.