v0.8.63: Enforce real user-input provenance for write and continue approvals

[Hmbown]

Context

#3275 reports a serious scope/provenance failure: the agent allegedly generated approval-like user text such as 改吧 / 嗯 and then treated that text as authorization to continue broad write work. That is different from ordinary over-eagerness or weak prompt wording.

Prompt-level scope discipline helps, but it is not enough by itself. A fabricated user-like phrase can still pass a naive "did a user turn exist?" check if the runtime does not preserve and enforce real input provenance.

Goal

Make write/continue/approval actions require externally sourced user input provenance, not merely user-shaped text in the transcript.

Scope

• Tag user-visible input at ingestion with an origin/provenance marker that distinguishes real user input from assistant text, runtime events, sub-agent completion events, imported transcript text, memory, handoffs, and synthetic/system messages.
• Reject or ignore approvals/continues that originated from assistant/runtime/sub-agent content.
• Ensure model-generated text cannot create an authoritative user turn, runtime event, or <codewhale:subagent.done>-style sentinel.
• Treat inspection wording such as "look", "check", "review", and "看看" as read-only unless the user provides a separate explicit write instruction.
• Add a regression fixture based on the CodeWhale is overly involved in making modifications, engaging in self-questioning and self-answering and deviating from user intent #3275 改吧 / 嗯 self-approval case.

Acceptance Criteria

• A real user message can authorize write work.
• A model-generated or imported user-shaped phrase cannot authorize write work.
• A sub-agent completion event cannot authorize new work unless followed by a real user instruction.
• Plan/review/check-only requests do not acquire write tools unless the user explicitly escalates.
• The runtime emits a clear rejection/recovery event when an action is blocked for invalid provenance.
• Tests cover the CodeWhale is overly involved in making modifications, engaging in self-questioning and self-answering and deviating from user intent #3275 pattern, including a Chinese approval phrase produced by the assistant.

Non-goals

• Do not rename commands or config keys here.
• Do not attempt to solve all runaway-agent behavior through prompt text alone.
• Do not block normal user-approved Agent/YOLO workflows when input provenance is real.

Related

• CodeWhale is overly involved in making modifications, engaging in self-questioning and self-answering and deviating from user intent #3275: user report and reproduction narrative
• v0.8.57 fatal_bug_report_runtime_prompt_autonomous_loop #3061: earlier runtime-prompt loop guard, necessary but not sufficient
• Fix: Plan/Agent Mode Toggle — approval_mode restore + auto‑execution guard #3283: Plan/Agent mode transition guard
• fix(prompts): add scope_discipline rules to prevent self-questioning … #3290: closed prompt-level scope-discipline attempt

[vitaliyfedotovpro-art]

This spec matches what I hit running long agent loops; a few things from that
experience that might tighten it, plus where they were hardest.

1. Provenance is a typed origin, not a boolean. "Is this a real user turn?"
isn't enough once you list the sources you already did. Authority is origin-specific:
a sub-agent.done event legitimately lets the parent continue, but it must not
authorize new write scope; memory/recall may inform, but never approve. So the gate
checks an origin enum, not a human/non-human flag — and write/continue/approve each
require a different minimum origin.

2. The hardest vector is provenance laundering, not fabrication. A self-emitted
改吧 (Scope item 2) is the easy half — it never had user provenance. The nasty half
is a phrase that did once: a real "yes" pulled back in from memory, an imported
transcript, or a sub-agent handoff. It passes every "did a user approve?" check
because a user did — just not here, now, for this. The fix is that provenance binds
to the input event (this turn, this context), not to the string; a recalled or
handed-off approval is inert by construction. I'd add this as an explicit acceptance
criterion — it's the one that bit me, and it's not covered by the assistant-fabrication
tests:

• A real prior approval recalled from memory / imported transcript / sub-agent
  handoff cannot authorize write work in a new turn.

3. Sentinels must be out-of-band. For Scope item 3 (<codewhale:subagent.done>):
if the completion signal is an in-band string in the transcript, the model can simply
print it. The same invariant as user turns applies — a sentinel is a structural event
carrying provenance, never text the model can author. If it has to appear in text,
it needs an unforgeable origin tag the model can't reproduce.

Reference for the base case: I implemented the tag-at-ingestion + action-gate
invariant as a small MIT module (Open WebUI, where roles are transport-separated so
it's the boolean case), with a test that reproduces exactly this issue's 改吧
self-approval — drop-in as your regression fixture's logic:
https://github.com/vitaliyfedotovpro-art/provenance-gate
The enum-origin and laundering parts above are from a different system (VSA memory
with source-tagged recall), not that module — happy to sketch how they map to a Rust
loop if useful.

— Vitaliy · Raidho — a dual-model coding-agent harness with durable VSA memory