A prior-art-grounded, twice-red-teamed plan to make it structurally impossible for Steve to silently swap a deliverable you named — built OpenClaw-first, mirrored to clawed, using almost entirely code that already exists.
So the plan inverts: the foundation is an extractor that reliably detects an implicitly-named deliverable, gated at ≥80% recall on real utterances before any enforcement is built. "Best" here means unbreakable, not maximal — which meant cutting a cloud dependency and an LLM judge off the safety path, not adding them.
Two independent adversarial passes (a hostile pre-mortem and a skeptical principal-architect review) reshaped the v0.1 plan. The honest corrections — including two to what I recommended earlier — are below.
TOOL_PIN extractor (stdlib regex + capability-ledger inference for implicit deliverable nouns: contract, proposal, SOW). Go/no-go gate: ≥80% recall on 30 real Victor utterances before any guard is built.deliverable_contract.py, new gate, new state file — alongside the existing scope-contract gate.scope-contract-extract.py + scope-contract-gate.py in enforce mode. Add a TOOL_PIN clause + fields to the existing active-contract.json and extend the existing gate. One system, one audit trail./Users/Shared/claude-coord/, already used for this). Letta stays as optional narrative memory only, never on the enforcement read path..bak graveyard proves guards get unwired). Approval is an inline SWAP: <tool> reply — detected on the next turn, works by voice, single-use, session-scoped. No file-manager step, no trust-collapse-and-disable spiral.One primitive — a deliverable contract pinned on the existing scope-contract object — defended in depth: prevented upstream on OpenClaw, caught before delivery, backstopped at turn-close, and kept alive by self-heal.
You asked us to find who's already solved this and repurpose their code. The spine ships with zero new external dependencies — it extends our own substrate, plus a handful of patterns lifted from proven repos.
| Need | Repurpose | Reuse |
|---|---|---|
| Contract extraction + gate | our own lib/scope_contract.py + scope-contract-gate.py (in production, enforce mode) | ~70% |
| Self-healing invariant | our standing_orders.py order() + _settings_ensure | direct |
| Safe gate deploy | our atomic-guard-publish.py + guard_mutation_lock | direct |
| Cross-surface sync | /Users/Shared/claude-coord/ filesystem dir (already the coordination layer) | direct |
| Alerts | our lib/alert_route.py (Gmail digest) | direct |
| Guard skeleton (check action vs state) | nizos/tdd-guard pattern MIT | pattern |
| Per-turn re-injection (clawed) | johnlindquist N-prompt-counter gist | ~80% |
| Session handoff schema | AnastasiyaW session-handoff schema | pattern |
Six phases, re-sequenced for fastest risk reduction: prove the tripwire, make it self-healing, then add teeth, then make it best-on-OpenClaw, then prove it stays honest.
Build: add a TOOL_PIN clause type to lib/scope_contract.py; add pinned_tool / pinned_format / pinned_channel / approval_token / status / version to the existing active-contract.json; atomic versioned write; mirror to /Users/Shared/claude-coord/contracts/active.json.
Repurpose: the live scope-contract object + our atomic-publish/lock primitives. Zero new deps.
Build: TOOL_PIN regex for explicit forms (via/in/using/as/through <tool>) + capability-ledger inference for implicit deliverable nouns (contract → PandaDoc). Multi-turn elaboration updates an open contract.
The gate: build a labeled corpus of 30 real Victor utterances (from session transcripts + InsightsLM) that should pin a deliverable. Require ≥80% recall before building any enforcement. If the tripwire can't fire, no guard matters.
pinned_tool.Build: register order("so-deliverable-contract", …, auto_heal=True) in standing_orders.py; re-wire the gate into both surfaces' settings via _settings_ensure; add an FSEvents watcher on settings for <5s re-wire (not just the 600s poll). Deploy via atomic-guard-publish.py.
Why before the guard: the .bak graveyard proves guards get unwired by unrelated changes. Wire self-heal first so everything after is covered from day one.
Build: extend scope-contract-gate.py (not a parallel gate). PreToolUse: deliver-tool list driven by capability_ledger at runtime (no static allowlist rot); inspect tool_input + transcript for Bash/curl bypass to known endpoints (pandadoc.com, vercel API). Deny a mismatched tool with the deviation-flag reason.
Stop backstop: deterministic tool-call diff vs pinned_tool; on block, attempt reversible rollback (e.g. vercel rm); on repeat (stop_hook_active) write HALT + alert rather than silently exit. Approval: inline SWAP: <tool> reply → single-use session token.
SWAP: passes.Wire into the brain _enforce_output Stop-subset + the dispatch tool path. Dispatched sub-tasks read the contract at startup (contract-passing).
Gate in ~/.claude/learning-substrate/gates/, wired in settings.json. Parity verified independently (don't assume shared backend carries).
Build: _inject_contract_directive() in letta-steve-mcp's ask_steve(), upstream of the model call — when a contract is open, inject "pinned: PandaDoc; do not call deploy_to_vercel this turn." Plus an idempotent <system-reminder> recitation each turn.
clawed: idempotent-hash UserPromptSubmit injection (dodges the additionalContext accumulation bug #40216) — the recitation half only; clawed can't pre-steer tool choice the way OpenClaw can.
Build: a replayable corpus (the PandaDoc case + adversarial near-misses: on-target alternative, verbose decoy, Bash-bypass, multi-turn pivot). A --selftest on the gate that exits non-zero on any miss, wired into guard-selftest-supervisor.py; a weekly canary. Stdlib only.
Total: ~5–6 working days, zero new external dependencies in the enforcement path, built almost entirely on substrate that already exists and self-heals.
"Best, not cheapest" was honored by removing liabilities from the safety path, not by piling on features. These are parked with clear re-entry criteria.
① Approve the SIMPLIFY-TO-SPINE shape (extend the live scope-contract system; zero new deps) — or tell me to keep any cut item. ② Confirm the extractor go/no-go gate (≥80% recall before teeth). ③ Confirm filesystem-over-Letta for sync. On your go, I start at Phase 0→1 and stop at the recall gate to show you the corpus result before building enforcement.