Refine v5.0.0+ port design: demote SecurityValidator, refresh Learning scope#170
Merged
Merged
Conversation
…g scope Three threads against Plans/v5-0-0-plus-port.md after read-only investigation of the v5 baseline: - SecurityValidator (HIGH #3) → Drop List. v5's SecurityPipeline.hook.ts self-documents (L4-7) as its replacement; PatternInspector consumes the same patterns.yaml shape from a baseline-shipped 156-line PATTERNS.yaml and is fail-closed on missing patterns where fork is fail-open. No documented residual gap. patterns.example.yaml (MED #12) drops with it. HIGH renumbered (3 — was 5); MED renumbered (6-13 — was 6-14); cross-refs updated. - Learning standalone pack (MED #10) text refreshed. Original "v5 has nothing equivalent" was inaccurate: v5 has substantial automated capture (5 hooks, weekly LearningPatternSynthesis CLI, WisdomFrames with CRYSTAL confidence) but no human curation loop, plus a doctrinal conflict with v5's stance on harness auto-memory for behavioural rules. Integration design tracked in #169. - Item #11 (formerly "Curated skill subset") rewritten as overlay-only budget bump via skillListingBudgetFraction / skillListingMaxDescChars in settings.json Class-B merge — accepts the token-use penalty and defers per-skill SKILL.md description curation to #168. Companion artefact: - reports/v5-learning-loop-vs-pack.md — citation-heavy comparison of v5's automated capture pipeline vs the fork's curation layer (~310 lines). Refs #166, #168, #169.
… similar, not identical PR #170 test-plan execution surfaced that the original "consumes the same patterns.yaml shape" claim overstates compatibility. The two trees diverge on the `bash` subkeys — v5 has `bash.trusted` (allowlist-bypass), fork has `bash.confirm` (user-prompt-on-match). Top-level structure (`version`, `philosophy`, `bash`, `paths`, `projects`) and `paths` subkeys are consistent. A user migrating with custom `bash.confirm:` rules in their patterns file would silently lose the prompt semantic if the file were copied verbatim to v5's path. This is a real port-time consideration the original Drop List entry concealed. Refs #170, #166.
This was referenced May 10, 2026
virtualian
added a commit
that referenced
this pull request
May 10, 2026
Backfill status into the design doc (Plans/v5-0-0-plus-port.md) covering issue #166 playbook completion, follow-up issue state on virtualian/pai-v5, and Phase B posture. Add overlay audit findings against the scaffold branch — one drift surfaced (SecurityValidator still present post-PR #170 demotion); flagged for separate cleanup gated on a Phase-B probe.
5 tasks
virtualian
added a commit
that referenced
this pull request
May 11, 2026
…166) (#172) Issue #166's Step 10 required (per End-to-end Verification gate #5) a runtime-vs-v5 comparison report with categorised inventories and 8 per-area prose sections. The parent plan's Step 11 focused-session structure (lines 387-405 of Plans/v5-0-0-is-a-major-keen-wall.md) explicitly authorises descoping the full multi-day prose deliverable: > "The plan describes Step 11 as design-doc generation driven by > Step 10's multi-day prose report. In practice, a focused session > produces a thinner just-enough version sufficient to drive port > priorities — without blocking on Step 10's full-prose deliverable." > > "The full Step 10 prose report can come later as archaeological > reference; it does not block the port work." This commit ships the mechanical first pass of gate #5 only: reports/v5-comparison/inventory-pai.txt — 674 entries, path-shifted diff marrair:.pai/ ↔ v5:.claude/ (v5 is single-root per the design doc's two-root decision, so the literal .pai/ ↔ .pai/ diff in the parent plan does not apply). reports/v5-comparison/inventory-claude.txt — 162 entries, apples-to-apples marrair:.claude/ ↔ v5:.claude/ user-config diff. Both files carry a header documenting methodology, excludes (runtime ephemera: node_modules/, sessions/, projects/, paste-cache/, file-history/, shell-snapshots/, etc.), and the <marrair> / <marrmini-fresh> path tokens for machine portability. Not delivered here (deferred as archaeological-only per the plan): - 7-label categorisation of every divergent file - 8 per-area prose sections (Algorithm, MEMORY, Skills, SecurityValidator, PAI-Install/installer engine, AISTEERINGRULES, Hooks, Two-root separation) The Learning area was separately deep-dived and shipped as reports/v5-learning-loop-vs-pack.md via PR #170. Gate #5 remains partially open by design; the design doc (Plans/v5-0-0-plus-port.md) carries the decision-grade content needed for port work. Issue #166 stays closed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two read-only investigations of the v5 baseline this session produced
findings that update
Plans/v5-0-0-plus-port.md:SecurityPipeline.hook.tsis a fail-closed superset that ships its own
PATTERNS.yaml(156 lines)in baseline. No documented residual gap. The whole port-on-top-of-v5
branch (HIGH#3 + MED#12 + the overlay file scaffolded in Sync v5.0.0 baseline + design doc (#166) #167) is gone.
but no human curation loop and a doctrinal conflict on harness auto-memory.
Integration design (port-side + v5 community survey) tracked in Investigate v5 Learning Loop integration — port-side curation layer + community research #169.
bump rather than v5 source edits; per-skill description curation deferred
to Curate SKILL.md descriptions to fit default skill-listing budget #168.
No code ported. Plan-and-evidence only.
What landed
Plans/v5-0-0-plus-port.mdreports/v5-learning-loop-vs-pack.md(NEW)Methodology validation
The migration plan's "verify-against-v5 first" bar paid off twice in one
session — once on Learning (item #10 wording), once on SecurityValidator
(item #3 dropped). The Adopt List bullet "fork's HIGH-priority hooks added
on top via overlay (SecurityValidator)" now reads "no HIGH-priority hook
ports survive verify-against-v5".
Test plan
the evidence in
reports/v5-learning-loop-vs-pack.mdand v5baseline files?
see item #13) iscorrect after the renumber
a SecurityValidator port issue
What this PR does NOT do
boundary gap)
in SecurityValidator: wire installer to materialize ~/.pai/package.json + bun install + PAI/PAISECURITYSYSTEM (#158 follow-up) #160/Wire installer to materialise SecurityValidator runtime artefacts (#160) #161/#16e21be still applies to v4.0.3+ on marrair until cutover)
Refs #166 (umbrella migration), #168 (skill description curation
follow-up), #169 (Learning Loop integration investigation).