10 KiB
| name | description |
|---|---|
| working-leo-cory-outcomes | Use when defining, testing, or repairing Leo against Cory/m3taversal's expected outcomes: Telegram memory, critical reasoning, canonical KB truth, proposed-vs-approved-vs-applied state, and guarded DB manipulation. |
Working Leo / Cory Outcomes
Job
Keep Leo work anchored to what Cory/m3taversal appears to mean by "working": not just answers, but remembered context, truthful KB state, and approved concrete changes becoming canonical rows through a guarded proof path.
Trigger Phrases
- "working Leo"
- "Cory expected outcomes"
- "m3taversal says Leo is broken"
- "able to manipulate the knowledge base"
- "same state as last night"
- "critical reasoning behavior"
Definition Of Working
A working Leo is a Telegram-facing agent that:
- Remembers the current operator conversation.
- Grounds KB answers in canonical Teleo Postgres rows when claiming KB truth.
- Distinguishes
proposed,pending_review,approved,applied, andnot applied. - Does not say an approval changed canonical DB state when only
kb_stagechanged. - Can answer vague, high-level Cory-style incident prompts without being spoon-fed exact proposal IDs.
- Can compose the KB from a previously unindexed document, URL, or tweet-like source: retain a byte/hash-bound source locator, extract atomic claims and exact evidence excerpts, preserve useful metadata, and link every claim to its evidence and source.
- Detects duplicates, conflicts, updates, and insufficient evidence before staging; uncertainty must remain visible instead of being normalized into a stronger claim.
- Can stage those concrete KB changes from Telegram with enough structure for human review, without making staged content canonical.
- Can move approved concrete changes through a guarded apply path when authorized.
- Retains Cory's caveats and review notes in source/evidence/proposal rows.
- Reasons over claims, evidence, sources, edges, and open conflicts as a graph, and can explain which rows support or weaken an answer without being given IDs.
- Rebuilds any compiled identity/workspace artifact deterministically from canonical DB rows, reports the source rows and freshness boundary, and does not treat edits to a generated artifact as canonical knowledge.
- Produces before/after table-level proof and service stability readback.
- Survives an intentional
leoclean-gateway.servicerestart: active before, active after, canonical KB counts unchanged, and a no-post handler smoke still answers. - For a reviewed graph bundle, produces exact payload-controlled row projections, exact table deltas, source-byte binding, and cleanup proof in a disposable runtime before any production permission or apply window.
Current Benchmark Cases
- Marker memory:
WL-LIVE-TG-CORY-20260709. - Truth correction:
approved != applied. - Applied canary: proposal
00957f6c-9883-4015-95a4-6b09367efb0eand edgec167933e-d513-4f43-9335-d5d8aeb259f2. - Staged write canary: proposal
8dfedb3f-3aa4-4200-970f-4c0016f6869f, statuspending_review, with no new public canonical rows after the test timestamp. - Open-ended triage canary:
WL-LIVE-TG-CORY-OPEN-20260709, where Leo inferred the likely failure mode from "agents not working / same state as last night" and explained the proposed, approved, and applied split without exact IDs. - Old rich proposal packets:
14fa5ecc...,ac036c9d..., anda64df080...are not to be silently production-applied. - Guarded apply proof: both generic and real Helmer v3 receipts pass
37/37in disposable PostgreSQL; production Helmer remains unapplied. - Clone-bound handler proof: the real VPS
GatewayRunnercan inspect the full current-data disposable clone, discover the Helmer proposal, distinguishapprovedfromapplied, and produce bound bridge-call evidence without a Telegram post or production change. The proof surface must expose no delivery adapters or send tool, restrict terminal execution to clone-bound read-only KB verbs, kill the handler process group on timeout, and compare production row-content fingerprints before and after. Treat open-ended latency and retries as a separate reliability dimension; a correct answer after a failed tool call is recovered behavior, not a clean pass, and one correct answer does not establish a stable pass rate. - Source-composition proof: the real VPS
GatewayRunnerpassed34/34in a fresh no-send full-data clone. It searched existing knowledge, extracted two hash-bound conflicting claims from a new document and post, staged a strict proposal, preserved an immutable separated approval, applied exact canonical rows, reopened in a new child process, recalled the prior marker, discovered the new proposal/claims without supplied IDs, read exact evidence/source UUIDs and edges, and explainedapproved != applied. Production DB fingerprints, service PID/restarts, and live bridge hashes stayed unchanged; all disposable containers, volumes, profiles, credentials, and run directories were removed. This is clone proof, not Telegram delivery or production apply proof.
Cory Direct Questions
For vague or no-context questions, answer directly and then name the one action that would change the proof:
- "Did the DB change?": split applied rows, approved-but-unapplied proposals,
pending rows, and canceled rows. Say
Approved is not the same as applied. - "Is Helmer in Leo?": say
no, not canonicaluntil the exact claims, sources, evidence, edges, reasoning tool, and applied ledger read back from production. - "Did the decision matrix approve it?": verify matrix tables first; reviewer approval is not a matrix vote.
- "Are document pointers the blocker?": answer
not just pointer mismatchand separate files, source refs, canonical source rows, review, and apply. - "Can I demo KB mutation?": split staging-demo truth from canonical-apply truth.
- "Did editing SOUL.md change identity?": no canonical identity change without row IDs plus render/sync postflight.
End no-context answers with exactly one Next Cory-style follow-up: line.
Current Verdict - 2026-07-12
Use not fully yet for the whole Cory-standard question until every row below
is green at its required tier:
- VPS runtime and restart survival: proven.
- VPS no-send
DC-01throughDC-06: three post-deploy clean-session trials strict-score6/6(18/18replies) with unchanged DB/service state and complete temporary-profile cleanup. - Telegram-visible open-ended read-only behavior and conversation memory:
proven by the earlier
OE-01throughOE-05suite. - Telegram-visible no-context direct-claim suite: all six prompts/replies are
captured with unchanged DB/service state, but the hardened score is
5/6.DC-05proposes an incompatible legacyadd_edgeapply target. - Canonical apply primitive and approved bundle lifecycle: proven in isolation; broad production packet application is not authorized or executed.
- Source composition: deterministic fixture proof plus a full-data, no-send, current-VPS clone checkpoint are proven. Arbitrary production document/tweet ingestion is not proven.
- GCP canonical DB parity and six DB-read routes: proven. Real model replay must
also pass exact count consistency; a nominal scorer pass with invented counts
is a failure. The current nominal
6/6run is therefore rejected, and the hardened rerun/clone cleanup waits on Google password reauthentication.
Do not answer yes merely because all repo tests pass. The final user-facing
proof is a visible Telegram conversation plus truthful canonical row readback.
Hard Cory Question Bank
Use these without IDs, schema hints, or guardrail-heavy setup. The answer must infer the relevant rows and end with one proof-changing follow-up:
I approved Helmer weeks ago. Why isn't it real yet?What can I show a partner in five minutes?This PDF should update Leo. What happens now?What changed in your identity since last week?Make this claim canonical: <claim text>.Are pending proposals stuck because sources are wrong?What does our strategy depend on, and which evidence could overturn it?What's the next KB change I should approve?
Score the answer on directness, fresh canonical lookup, claim/evidence/source reasoning, state semantics, uncertainty, row-level proof, and the usefulness of the next action. Penalize asking Cory for IDs that Leo can discover itself.
Required Answer Discipline
When Leo or a worker answers about KB state, it must say:
- What source was used: memory, Telegram history,
kb_stage, canonicalpublic.*, or filesystem/runtime. - Which rows/tables changed.
- Which proposal IDs are only staged/approved.
- Which canonical rows exist.
- What remains pending or deferred.
Not Done
Leo is not working just because:
- the systemd service is active,
- Bot API calls work,
- a local handler canary passed,
- a proposal was approved,
- a packet was generated,
- a clone rehearsal passed.
NRestarts=0was observed without an intentional restart-cycle proof.
Those are evidence. The target is Telegram-visible behavior plus DB-state truth plus a guarded path to canonical rows.
A synthetic one-claim proposal proves only the guarded mutation primitive. It does not prove KB composition. Composition requires a source that was absent at baseline, model-driven extraction into linked source/evidence/claim proposals, dedupe/conflict readback, guarded canonical apply, and an open-ended answer grounded in the new rows after an isolated handler restart.
Proof Files
Start with docs/reports/leo-working-state-20260709/working-leo-current-proof-20260712.md
and its JSON companion for the current whole-system verdict and completion rule.
Use docs/reports/leo-working-state-20260709/current-truth-index.md for current artifact paths.
Use docs/reports/leo-working-state-20260709/leo-source-composition-clone-checkpoint-current.md
and its JSON companion for the current source-composition claim ceiling.
For restart survival, use scripts/collect_leo_restart_survival_proof.py --execute-restart; expected artifacts are docs/reports/leo-working-state-20260709/leo-restart-survival-proof-current.json and .md.