v3.21.0 — Reconciliation
Reconciles the two parallel v3.19/v3.20 lines into one coherent membrane: v3.20's detection hardening + v3.19's topological architecture.
v3.20 merged 83 injection patterns, text normalization, and decode-and-rescan on top of v3.19's topological membrane — but kept a pre-v3.19 immune.py with its own local copies of the use/mention helpers, so the single source of truth was broken (immune.covenant_breach was no longer poq.covenant_breach) and a ring's declared --frame was ignored. This folds v3.19's architecture back in without losing any v3.20 detection.
Fixed
- Single source of truth restored —
immune.pyimportscovenant_breach/mention_frame/strip_quoted_spansfrompoq(built onframes.py), soimmune.covenant_breach is poq.covenant_breachagain; the conscience and the membrane can't drift. - Declared frames honored by the membrane —
--frame mentionis honored bydetect()/tripwire(), with the intent and structural-injection backstops still running so a declared mention can't launder a real breach. - Codex
shellcapability re-declared — a cross-bundle SKILL.md sync had dropped it (scanned CAUTION); restored → SAFE. - Tests no longer ship inside a bundle — the openclaw zip had contained 57 real jailbreak prompts (SkillSpector 100/100 DO_NOT_INSTALL); the corpus + smoke + discrimination tests moved to repo-level
tests/.
Verified
All five bundles scan 4/100 SAFE. Benchmark 57/57 catch, 0/23 false positives; test_smoke 106/106; test_gate_discrimination 12/12; selftest phase20–23 PASS; immune_bench block 72% / detect 100% / 0 miss / 0% FP. Detection + recovery hardening, not a security guarantee — no membrane is ever 100% secure.