pando-ai 1.1.7 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -91,56 +91,18 @@ Shell remains available for tests, builds, package managers, generated files,
91
91
  unsupported languages, and tasks where a structured Pando operation is not the
92
92
  right tool.
93
93
 
94
- ### Workspace sandbox and privileged helper
94
+ ### MCP process model
95
95
 
96
- Supervised launches split Pando into two MCP roles:
97
-
98
- - `pando` runs trusted read/search/planning/index operations.
99
- - `pando` runs model-triggered workspace mutation and shell commands.
100
-
101
- The workspace role re-execs into the OS sandbox before serving mutating tools.
102
- On macOS this uses Seatbelt; on Linux it uses bubblewrap. The sandbox is
103
- configured to allow the project root, sandbox-local home/cache/temp directories,
104
- and the minimal runtime/toolchain paths needed to start common commands. Network
105
- and local sockets are allowed. There is no silent unsandboxed fallback for workspace
106
- mutation.
107
-
108
- Install-time security setup provisions dedicated local users (`pando-ai-ws` and
109
- `pando-ai-core`), grants access to Pando's data root, and installs a root-owned
110
- helper daemon. It does not recursively ACL the shell's current directory, so the
111
- installer can be run from anywhere.
112
-
113
- On the first supervised launch from a project, Pando automatically configures
114
- that repo's tracked ACLs before starting Codex or Claude. There is no older
115
- direct MCP fallback in supervised mode: role-scoped MCP servers always start via
116
- the security helper. The helper is intentionally narrow: it can only launch
117
- Pando's known roles for validated project roots over stdio. It is not a general
118
- command runner and does not accept custom argv, shells, or arbitrary commands.
119
-
120
- The helper entrypoint is:
121
-
122
- ```bash
123
- pando-ai security launch --role <core|workspace> --project-root <path> --stdio
124
- ```
125
-
126
- The unprivileged CLI validates the request, connects to the local helper socket,
127
- and sends only the fixed launch request. The root-owned daemon validates again,
128
- selects the role's dedicated user when privilege is available, starts the fixed
129
- Pando MCP server invocation, and lets the normal workspace sandbox apply before
130
- mutating tools are served.
131
-
132
- Security setup is normally invoked by install and launch, but can be run
133
- directly for diagnostics or admin automation:
134
-
135
- ```bash
136
- pando-ai security setup-users --data-root ~/.pando-data --real-root /path/to/repo
137
- ```
96
+ Supervised launches register one `pando` MCP server per project. That single
97
+ process owns indexing, file watching, read/search tools, snapshot operations,
98
+ workspace edits, and shell execution. Pando no longer provisions dedicated
99
+ local users, launches a privileged helper, or splits tools across core and
100
+ workspace MCP roles.
138
101
 
139
102
  Diagnostics use the same JSONL log as the gateway and installer:
140
103
  `~/.pando-data/gateway-debug.jsonl` by default, or `PANDO_GATEWAY_LOG_FILE` when
141
104
  set. Logging is on by default and can be forced with `PANDO_DEBUG=1`; set
142
- `PANDO_DEBUG=0` to disable default helper logging. Useful event prefixes include
143
- `security_helper_client_*` and `security_helper_daemon_*`.
105
+ `PANDO_DEBUG=0` to disable default logging.
144
106
 
145
107
  ### Supported model APIs
146
108
 
@@ -291,8 +253,6 @@ pando-ai serve [path] # stdio MCP server for MCP clients
291
253
  pando-ai serve-http # explicit HTTP MCP server for debugging/integrations
292
254
  pando-ai gateway # run the firewall gateway in the foreground (debug)
293
255
  pando-ai proxy status|enable|disable [codex|claude]
294
- pando-ai security setup-users [--data-root <path>] [--real-root <path>]
295
- pando-ai security launch --role <core|workspace> --project-root <path> --stdio
296
256
  pando-ai login|logout|whoami
297
257
  pando-ai config set telemetry false
298
258
  ```
@@ -328,34 +288,10 @@ Use stdio MCP for agents:
328
288
  pando-ai serve /path/to/project
329
289
  ```
330
290
 
331
- Supervised Codex and Claude launches register two Pando MCP server entries for
332
- the same project:
333
-
334
- - `pando` exposes read, search, indexing, graph, planning, and snapshot
335
- inspection tools.
336
- - `pando` exposes workspace-mutating tools such as rename, replace,
337
- insert, delete, signature changes, filter-map-reduce, shell execution,
338
- restore operations, and exclude-dir changes.
339
-
340
- The split is process-level. Each server process starts with a
341
- `PANDO_PROCESS_ROLE` value, and tools outside that role are not registered. A
342
- manual `pando-ai serve /path/to/project` command without `PANDO_PROCESS_ROLE`
343
- starts a combined server for direct integrations; supervised Codex and Claude
344
- launches use the split servers.
345
-
346
- The `pando` process re-execs into a local workspace sandbox by
347
- default. In that sandbox:
348
-
349
- - `HOME`, temp, and package-manager cache paths point under `.pando-sandbox/`.
350
- - Network and local sockets are allowed.
351
- - The process can read and write the project root.
352
- - Pando workspace data created by the sandboxed process stays sandbox-local.
353
-
354
- Auth is handled separately from the sandbox home. The launcher passes the user's
355
- real auth home through `PANDO_AUTH_HOME_OVERRIDE`, so the sandboxed workspace
356
- process can read the existing `~/.pando-ai/session.json` without making the
357
- real home its writable `HOME` and without opening network login inside the
358
- sandbox.
291
+ Supervised Codex and Claude launches register one `pando` MCP server for the
292
+ project. The same process exposes read, search, indexing, graph, planning,
293
+ snapshot inspection, workspace mutation, shell execution, restore operations,
294
+ and root/exclude-dir management.
359
295
 
360
296
  `serve-http` remains available as an explicit command for debugging or
361
297
  integrations that need HTTP: