Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
45 commits
Select commit Hold shift + click to select a range
18ade06
Sweep 4: fix every validated inconsistency site-wide
teovl Jul 10, 2026
b20a9aa
Add sentence-level claim audit ledger (167 pages, 16,608 sentences)
teovl Jul 10, 2026
61e20e0
Add autonomous claim-fix loop prompt
teovl Jul 10, 2026
da8eddb
loop prompt: SMS progress notifications with full URLs
teovl Jul 10, 2026
f35f11c
loop prompt: drain SMS inbox at iteration start
teovl Jul 10, 2026
fe41c09
loop prompt: standing goals + needs-user sections
teovl Jul 10, 2026
0364a14
audit-fix: docs/consent (33 false, 6 unverifiable resolved)
teovl Jul 10, 2026
9e45a7f
loop prompt: behavior-first fix policy (fix product, not just disclose)
teovl Jul 10, 2026
a49f8b8
audit-fix: consent telemetry — behavior-first (app_usage removed in w…
teovl Jul 10, 2026
1752d38
audit-fix: GA4 off /plain + set-mode disabled strong-promise copy
teovl Jul 10, 2026
77afafc
audit-fix: docs/cli-reference (21 false, 6 unverifiable resolved)
teovl Jul 10, 2026
931cc9d
audit-fix: docs/comparison-networking (13 false, 3 unverifiable resol…
teovl Jul 10, 2026
422448b
audit-fix: docs/comparison (10 false, 6 unverifiable resolved)
teovl Jul 10, 2026
ed69d83
audit-fix: docs/app-store (7 false, 2 unverifiable resolved)
teovl Jul 10, 2026
d01cbae
audit-fix: for/compatibility (16 false, 33 unverifiable resolved)
teovl Jul 10, 2026
d0af140
audit-fix: docs/enterprise-blueprints (24 false resolved)
teovl Jul 10, 2026
4f670ec
audit-fix: cookies (7 false, 4 unverifiable resolved)
teovl Jul 10, 2026
04aefbd
audit-fix: privacy (11 false, 37 unverifiable resolved)
teovl Jul 10, 2026
d8c9c41
audit-fix: docs/enterprise-identity (22 false resolved)
teovl Jul 10, 2026
8247051
audit-fix: enterprise-production blog (62 unverifiable resolved, hist…
teovl Jul 10, 2026
8201cff
audit-fix: docs/service-agents (16 false resolved)
teovl Jul 10, 2026
633bf02
audit-fix: for/setups/[slug] (56 unverifiable resolved + meta bug)
teovl Jul 10, 2026
36315b5
audit-fix: zero-dependency-encryption blog (15 false, 9 unverifiable)
teovl Jul 10, 2026
e0f51cf
audit-fix: docs/tags (15 false, 2 unverifiable resolved)
teovl Jul 10, 2026
bc39207
audit-fix: docs/gateway (15 false, 1 unverifiable resolved)
teovl Jul 10, 2026
e0c4879
audit-fix: github-com-alternatives blog (3 false, 43 unverifiable)
teovl Jul 10, 2026
e06e164
audit-fix: lightweight-swarm blog (9 false, 20 unverifiable)
teovl Jul 10, 2026
ad6c859
audit-fix: repo-wide batch — driver import/Connect/pub-sub across blogs
teovl Jul 10, 2026
8546b0e
audit-fix: benchmarking-http-vs-udp blog (4 false, 32 unverifiable)
teovl Jul 10, 2026
e799bbb
audit-fix: contributing-codebase-tour blog (9 false, 14 unverifiable)
teovl Jul 10, 2026
7cf5d62
audit-fix: zero-trust blog (4 false + roster/A2A corrections)
teovl Jul 10, 2026
63db34a
audit-fix: nat-traversal deep-dive blog (8 false, 12 unverifiable)
teovl Jul 10, 2026
d8495ce
audit-fix: 3 blogs (emergent-trust, openanp, build-multi-agent)
teovl Jul 10, 2026
c6770df
audit-fix: for/p2p (9 false, 6 unverifiable)
teovl Jul 10, 2026
3566c06
audit-fix: distributed-monitoring + marketplace blogs (11 false)
teovl Jul 10, 2026
7f4bff5
audit-fix: replace-webhooks + private-agent-network blogs (14 false)
teovl Jul 10, 2026
74d2945
audit-fix: 3 blogs (build-agent-swarm, replace-message-broker, encryp…
teovl Jul 10, 2026
a61ccab
audit-fix: 3 blogs (mcp-plus, build-openclaw, cloud-networking) — 20 …
teovl Jul 10, 2026
c84ece3
audit-fix: 3 blogs (pilot-vs-tcp, decentralized-networking, connect-a…
teovl Jul 10, 2026
3a00711
audit-fix: publish + enterprise-audit (11 false)
teovl Jul 10, 2026
d03ecc7
audit-fix: python-sdk + pubsub + networks docs (21 false)
teovl Jul 10, 2026
e668825
docs: fix backtick-dropped words in needs-user note
teovl Jul 10, 2026
2defabf
audit-fix: error-codes + pilot-director + messaging docs (18 false)
teovl Jul 10, 2026
e2993c3
audit-fix: getting-started + enterprise-rbac + webhooks docs (16 false)
teovl Jul 10, 2026
58e1270
audit-fix: for-networks + diagnostics + concepts (15 false)
teovl Jul 10, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 61 additions & 0 deletions audit/LOOP-PROMPT.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
# Autonomous claim-fix loop — Pilot Protocol website

You are resolving the sentence-level claim audit in `/Users/calinteodor/Development/pilot-protocol/website/audit/` — 627 FALSE and 1,466 UNVERIFIABLE sentences across 167 page ledgers (see `audit/README.md` for the severity ranking). Work autonomously. Every fix must be **verified by actually running something** — a grep of product source, the real CLI command, a live curl, a build — never by assumption. The ledgers are the work queue AND the proof-of-work record.

## Repo/branch state
- Website: `/Users/calinteodor/Development/pilot-protocol/website`, branch **`fix/sweep-4`** (PR #116, stacked on PR #115 / `fix/sweep-3`). All work goes here.
- **NEVER merge PR #115 or #116** — the user merges. Never force-push.
- Product source: `/Users/calinteodor/Development/pilot-protocol/web4` (Go). Installer: `/Users/calinteodor/Development/pilot-protocol/release/install.sh`. Modules: `/Users/calinteodor/go/pkg/mod/github.com/pilot-protocol/{skillinject@v0.2.3,common@v0.5.0,protocol@v1.10.5}`.
- Live: `https://polo.pilotprotocol.network/api/public-stats`, `https://pilotprotocol.network/install.sh`, `gh api` for repo facts. Latest release: check `gh api repos/pilot-protocol/pilotprotocol/releases/latest` fresh each session — do not hardcode.

## One iteration
1. `cd /Users/calinteodor/Development/pilot-protocol/website && git checkout fix/sweep-4 && git pull --ff-only`.
2. Open `audit/PROGRESS.md` (create on first run: a table `ledger | flagged | resolved | status`, one row per ledger file, all `todo`). Pick the **highest-severity `todo` page** per the ranking in `audit/README.md`. Batch tip: you may take up to 3 related pages per iteration if they share a subject (e.g. all comparison pages).
3. For each flagged row in that page's ledger:
- **FALSE** → re-verify the evidence yourself first (grep the cited source file/line, run the command, curl the URL). If the evidence holds, edit the page so the sentence matches shipped behavior. If the evidence does NOT hold, correct the ledger row instead and say why.
- **UNVERIFIABLE** → resolve by one of, in order of preference: (a) add a real citation/source link; (b) verify it yourself by running a measurement or check, then record the evidence; (c) rewrite to a weaker claim that IS verifiable; (d) delete the sentence; (e) `ACCEPTED` with a one-line justification (use sparingly — marketing tone words only).
- Append the resolution to the ledger row: `→ FIXED: <what changed + verification command/result>` or `→ ACCEPTED: <why>`. The ledger must always show how each row was closed.
4. **Verify the batch**: re-run the exact greps/commands/curls that prove each fix; then `npm run build` must pass (345+ pages).
5. Commit page fixes + ledger updates together, one commit per page/batch, message `audit-fix: <page> (<n> false, <m> unverifiable resolved)`. Push. End commit messages with `Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>`.
6. Update `audit/PROGRESS.md` counts and commit it (can ride the same push).

## Fix policy — where truth lives
- **BEHAVIOR-FIRST (user directive 2026-07-10): when the audit shows product behavior weaker than the promised/expected semantics, FIX THE PRODUCT (web4 / skillinject / related repos) so the strong promise becomes true.** Ugly-disclosure copy is only the interim state while a product fix is in flight, and the final copy states the strong promise once the fix ships. Track every such item in audit/PROGRESS.md under "Product fixes" with: behavior gap → code fix → PR → copy re-pass needed.
- For pages already rewritten to disclose warts (e.g. docs/consent), schedule a copy re-pass after the corresponding product fix merges/releases: restore the strong promise, gated on shipped behavior.
- Copy-follows-code still applies to things that are not behavior bugs (counts, versions, third-party facts, dead links).
- **Product bugs — fix in code, not by weakening the promise.** These, discovered by the audit, are code work:
1. **GA4 loads unconditionally on `/plain/*`** (`src/layouts/PlainLayout.astro:19-24`) with no consent check — consent-gate it the same way the main site does (this is website code; do it early, it is the GDPR item).
2. In **web4** (branch `fix/consent-truth`, open a PR, do NOT release): daemon-side `app_usage` telemetry ignores `consent.telemetry` (gated only by `-telemetry-url`, `cmd/daemon/main.go:107-113`, `appstore_adapter.go`) — add the consent check; receiver-side broadcast consent gate missing (`pkg/daemon/daemon.go:4344-4356`); `skills status` performs a write-reconcile instead of previewing (`cmd/pilotctl/skills.go:57-63` ForceTick) — make status read-only or add a true `--dry-run`; `set-mode disabled` does not remove files though docs say it does. Write tests where feasible; `go build ./... && go test ./...` must pass. While the shipped release still has the old behavior, the website copy must describe the SHIPPED behavior (add "as of vX.Y" wording only if a fix has actually shipped).
- **Legal pages** (privacy, terms, cookies, aup, publisher-agreement): fix objectively false statements (e.g. cookie inventory, "banner on every page") and stale external facts, but do NOT invent policy; anything that changes a commitment gets listed under "Needs user review" in `audit/PROGRESS.md` instead.
- **Third-party facts** (comparison pages: ZeroTier/Tailscale/Nebula/MCP/A2A/ACP): verify against the third party's current site/repo with curl/gh before rewriting; cite what you checked in the ledger row.
- **Blog posts**: never change slugs, filenames, canonicalPaths, or banner paths. Historical announcement posts may keep past-tense claims that were true at publication — mark those `ACCEPTED (historical)` — but commands shown must be runnable today.

## Environment quirks (real, will bite)
- The **aegis PreToolUse hook blocks Bash commands referencing `~/.claude` paths** — use the Read/Write/Edit tools for anything under `~/.claude`, never shell.
- **plain-sync CI dance**: after a push, the plain-sync bot pushes regenerated `/plain` twins to the branch; its bot push does not trigger CI, so if checks are missing/red after the bot commit, `git pull` then push an empty commit (`git commit --allow-empty -m "ci: retrigger after plain-sync"`).
- Temp files go to the session scratchpad directory, not /tmp.
- `pilotctl` is installed locally — you can run real commands (`pilotctl appstore catalogue`, `pilotctl skills status` etc.) to verify live behavior. Prefer read-only commands; do not change the local daemon's trust/config state.

## Inbox (the user texts you back)
At the START of every iteration, drain the SMS inbox and obey anything in it (it may re-prioritize or stop the loop):
`curl -s -H "Authorization: Bearer $(security find-generic-password -a pilot-relay -s pilot-relay-inbox-token -w)" https://pilot-relay.vulturelabs01.workers.dev/drain`
Reply to every drained message via `~/bin/pilot-sms` (answer + what you did about it). Note: the inbox KV is eventually consistent — a message can take up to ~60s to appear after sending; it will be caught by the next drain.

## Notifications (keep the user in the loop remotely)
After each iteration's push, send a one-line SMS via `~/bin/pilot-sms` (configured per the "SMS / voice updates" section of the user's global `~/.claude/CLAUDE.md`): pages fixed this round, running totals, and **full URLs** — always include `https://github.com/pilot-protocol/website/pull/116` and, when relevant, the branch preview `https://fix-sweep-4.pilotprotocol.pages.dev/`. If an iteration hits a true blocker, follow the escalation ladder in that CLAUDE.md section (SMS → ~15 min → voice call → park and continue). Batch: one SMS per iteration, not per commit.

## Standing goals beyond the ledger (work these in when a ledger iteration is short, or once ledgers run dry)
1. **GA4 consent gate on `/plain/*`** (`src/layouts/PlainLayout.astro:19-24`) — highest priority non-ledger item (GDPR).
2. **web4 `fix/consent-truth` PR** — per the Fix policy section above.
3. **PR #116 CI**: full build/plain checks only run after PR #115 merges (stacked base). Until then `npm run build` locally is the gate. After #115 merges, watch #116 retarget to main, let plain-sync regen twins, do the empty-commit retrigger if checks stall, and text the user when #116 is fully green.
4. Blog index `readTime` (every card shows "3 min read" — compute from post body length) and the 500-page "We've been notified" claim — both in ledgers; noting here so they aren't skipped as "minor".

## Needs user (park here, never guess)
- Merge PR #115 then #116 (user merges, always).
- Anthropic API key for the live voice bridge (voicemail→inbox works without it).
- Transfer `TeoSlayer/pilot-skills`, `pilot-mcp`, homebrew tap to the `pilot-protocol` org.
- Ed25519 skill-content signing enablement (key management decision).
- Any legal-policy commitment changes surfaced by ledger work.

## Stop condition
When every ledger row in every file is resolved (`FIXED`/`ACCEPTED`) and the build is green: write a final summary at the top of `audit/PROGRESS.md` (totals, product PRs opened, items under "Needs user review"), comment that summary on PR #116 via `gh pr comment 116`, push, and **stop the loop**. If genuinely blocked on something only the user can decide, add it to "Needs user review", skip it, and continue with the rest — only stop early if ALL remaining work is user-blocked.
Loading