Skip to content

v3.21.0 — Reconciliation

Choose a tag to compare

@cyberphysicsai cyberphysicsai released this 04 Jul 02:56

Reconciles the two parallel v3.19/v3.20 lines into one coherent membrane: v3.20's detection hardening + v3.19's topological architecture.

v3.20 merged 83 injection patterns, text normalization, and decode-and-rescan on top of v3.19's topological membrane — but kept a pre-v3.19 immune.py with its own local copies of the use/mention helpers, so the single source of truth was broken (immune.covenant_breach was no longer poq.covenant_breach) and a ring's declared --frame was ignored. This folds v3.19's architecture back in without losing any v3.20 detection.

Fixed

  • Single source of truth restoredimmune.py imports covenant_breach / mention_frame / strip_quoted_spans from poq (built on frames.py), so immune.covenant_breach is poq.covenant_breach again; the conscience and the membrane can't drift.
  • Declared frames honored by the membrane--frame mention is honored by detect()/tripwire(), with the intent and structural-injection backstops still running so a declared mention can't launder a real breach.
  • Codex shell capability re-declared — a cross-bundle SKILL.md sync had dropped it (scanned CAUTION); restored → SAFE.
  • Tests no longer ship inside a bundle — the openclaw zip had contained 57 real jailbreak prompts (SkillSpector 100/100 DO_NOT_INSTALL); the corpus + smoke + discrimination tests moved to repo-level tests/.

Verified

All five bundles scan 4/100 SAFE. Benchmark 57/57 catch, 0/23 false positives; test_smoke 106/106; test_gate_discrimination 12/12; selftest phase20–23 PASS; immune_bench block 72% / detect 100% / 0 miss / 0% FP. Detection + recovery hardening, not a security guarantee — no membrane is ever 100% secure.