pando-ai 1.1.7 → 1.1.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -75
- package/dist/cli.js +202 -202
- package/dist/watcher-process.js +2 -2
- package/dist/workers/{chunk-WYR734MG.mjs → chunk-6CRK2JH6.mjs} +1 -1
- package/dist/workers/chunk-CGVA3QGF.mjs +4 -0
- package/dist/workers/indexer-worker.mjs +1 -1
- package/dist/workers/snapshot-worker.mjs +1 -1
- package/dist/workers/sqlite-writer-worker.mjs +1 -1
- package/package.json +1 -1
- package/tools/clojure-editor/lib/pando-clojure-editor-standalone.jar +0 -0
- package/tools/clojure-indexer/lib/pando-clojure-indexer-standalone.jar +0 -0
- package/dist/workers/chunk-MGQRPDUI.mjs +0 -4
package/README.md
CHANGED
|
@@ -91,56 +91,18 @@ Shell remains available for tests, builds, package managers, generated files,
|
|
|
91
91
|
unsupported languages, and tasks where a structured Pando operation is not the
|
|
92
92
|
right tool.
|
|
93
93
|
|
|
94
|
-
###
|
|
94
|
+
### MCP process model
|
|
95
95
|
|
|
96
|
-
Supervised launches
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
The workspace role re-execs into the OS sandbox before serving mutating tools.
|
|
102
|
-
On macOS this uses Seatbelt; on Linux it uses bubblewrap. The sandbox is
|
|
103
|
-
configured to allow the project root, sandbox-local home/cache/temp directories,
|
|
104
|
-
and the minimal runtime/toolchain paths needed to start common commands. Network
|
|
105
|
-
and local sockets are allowed. There is no silent unsandboxed fallback for workspace
|
|
106
|
-
mutation.
|
|
107
|
-
|
|
108
|
-
Install-time security setup provisions dedicated local users (`pando-ai-ws` and
|
|
109
|
-
`pando-ai-core`), grants access to Pando's data root, and installs a root-owned
|
|
110
|
-
helper daemon. It does not recursively ACL the shell's current directory, so the
|
|
111
|
-
installer can be run from anywhere.
|
|
112
|
-
|
|
113
|
-
On the first supervised launch from a project, Pando automatically configures
|
|
114
|
-
that repo's tracked ACLs before starting Codex or Claude. There is no older
|
|
115
|
-
direct MCP fallback in supervised mode: role-scoped MCP servers always start via
|
|
116
|
-
the security helper. The helper is intentionally narrow: it can only launch
|
|
117
|
-
Pando's known roles for validated project roots over stdio. It is not a general
|
|
118
|
-
command runner and does not accept custom argv, shells, or arbitrary commands.
|
|
119
|
-
|
|
120
|
-
The helper entrypoint is:
|
|
121
|
-
|
|
122
|
-
```bash
|
|
123
|
-
pando-ai security launch --role <core|workspace> --project-root <path> --stdio
|
|
124
|
-
```
|
|
125
|
-
|
|
126
|
-
The unprivileged CLI validates the request, connects to the local helper socket,
|
|
127
|
-
and sends only the fixed launch request. The root-owned daemon validates again,
|
|
128
|
-
selects the role's dedicated user when privilege is available, starts the fixed
|
|
129
|
-
Pando MCP server invocation, and lets the normal workspace sandbox apply before
|
|
130
|
-
mutating tools are served.
|
|
131
|
-
|
|
132
|
-
Security setup is normally invoked by install and launch, but can be run
|
|
133
|
-
directly for diagnostics or admin automation:
|
|
134
|
-
|
|
135
|
-
```bash
|
|
136
|
-
pando-ai security setup-users --data-root ~/.pando-data --real-root /path/to/repo
|
|
137
|
-
```
|
|
96
|
+
Supervised launches register one `pando` MCP server per project. That single
|
|
97
|
+
process owns indexing, file watching, read/search tools, snapshot operations,
|
|
98
|
+
workspace edits, and shell execution. Pando no longer provisions dedicated
|
|
99
|
+
local users, launches a privileged helper, or splits tools across core and
|
|
100
|
+
workspace MCP roles.
|
|
138
101
|
|
|
139
102
|
Diagnostics use the same JSONL log as the gateway and installer:
|
|
140
103
|
`~/.pando-data/gateway-debug.jsonl` by default, or `PANDO_GATEWAY_LOG_FILE` when
|
|
141
104
|
set. Logging is on by default and can be forced with `PANDO_DEBUG=1`; set
|
|
142
|
-
`PANDO_DEBUG=0` to disable default
|
|
143
|
-
`security_helper_client_*` and `security_helper_daemon_*`.
|
|
105
|
+
`PANDO_DEBUG=0` to disable default logging.
|
|
144
106
|
|
|
145
107
|
### Supported model APIs
|
|
146
108
|
|
|
@@ -291,8 +253,6 @@ pando-ai serve [path] # stdio MCP server for MCP clients
|
|
|
291
253
|
pando-ai serve-http # explicit HTTP MCP server for debugging/integrations
|
|
292
254
|
pando-ai gateway # run the firewall gateway in the foreground (debug)
|
|
293
255
|
pando-ai proxy status|enable|disable [codex|claude]
|
|
294
|
-
pando-ai security setup-users [--data-root <path>] [--real-root <path>]
|
|
295
|
-
pando-ai security launch --role <core|workspace> --project-root <path> --stdio
|
|
296
256
|
pando-ai login|logout|whoami
|
|
297
257
|
pando-ai config set telemetry false
|
|
298
258
|
```
|
|
@@ -328,34 +288,10 @@ Use stdio MCP for agents:
|
|
|
328
288
|
pando-ai serve /path/to/project
|
|
329
289
|
```
|
|
330
290
|
|
|
331
|
-
Supervised Codex and Claude launches register
|
|
332
|
-
|
|
333
|
-
|
|
334
|
-
-
|
|
335
|
-
inspection tools.
|
|
336
|
-
- `pando` exposes workspace-mutating tools such as rename, replace,
|
|
337
|
-
insert, delete, signature changes, filter-map-reduce, shell execution,
|
|
338
|
-
restore operations, and exclude-dir changes.
|
|
339
|
-
|
|
340
|
-
The split is process-level. Each server process starts with a
|
|
341
|
-
`PANDO_PROCESS_ROLE` value, and tools outside that role are not registered. A
|
|
342
|
-
manual `pando-ai serve /path/to/project` command without `PANDO_PROCESS_ROLE`
|
|
343
|
-
starts a combined server for direct integrations; supervised Codex and Claude
|
|
344
|
-
launches use the split servers.
|
|
345
|
-
|
|
346
|
-
The `pando` process re-execs into a local workspace sandbox by
|
|
347
|
-
default. In that sandbox:
|
|
348
|
-
|
|
349
|
-
- `HOME`, temp, and package-manager cache paths point under `.pando-sandbox/`.
|
|
350
|
-
- Network and local sockets are allowed.
|
|
351
|
-
- The process can read and write the project root.
|
|
352
|
-
- Pando workspace data created by the sandboxed process stays sandbox-local.
|
|
353
|
-
|
|
354
|
-
Auth is handled separately from the sandbox home. The launcher passes the user's
|
|
355
|
-
real auth home through `PANDO_AUTH_HOME_OVERRIDE`, so the sandboxed workspace
|
|
356
|
-
process can read the existing `~/.pando-ai/session.json` without making the
|
|
357
|
-
real home its writable `HOME` and without opening network login inside the
|
|
358
|
-
sandbox.
|
|
291
|
+
Supervised Codex and Claude launches register one `pando` MCP server for the
|
|
292
|
+
project. The same process exposes read, search, indexing, graph, planning,
|
|
293
|
+
snapshot inspection, workspace mutation, shell execution, restore operations,
|
|
294
|
+
and root/exclude-dir management.
|
|
359
295
|
|
|
360
296
|
`serve-http` remains available as an explicit command for debugging or
|
|
361
297
|
integrations that need HTTP:
|