pando-ai 1.2.1 → 1.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -69,11 +69,11 @@ Four layers, one ruleset:
69
69
 
70
70
  Pando's security model has three separate jobs:
71
71
 
72
- - **Containment**: the `pando` MCP process runs model-triggered
73
- workspace mutation in an OS sandbox. The sandbox limits the process to the
74
- project root and sandbox-local home/cache/temp directories. Network and local
75
- sockets are allowed. This is the hard boundary for broad operations such as shell
76
- commands and generated code.
72
+ - **Tool-traffic enforcement**: policy is applied on the wire, not by
73
+ sandboxing the process. Claude Code hooks and the local provider gateway block
74
+ off-policy tool definitions, tool calls, and tool results before the agent can
75
+ act on them. Pando MCP is always allowed; native tools and non-Pando MCP are
76
+ denied by default.
77
77
  - **Audit and recovery**: mutating Pando tools and `shell-command` create Pando
78
78
  snapshots around workspace changes. These are local, commit-like history
79
79
  records for inspection and restore; they are not commits to the user's Git
@@ -84,7 +84,11 @@ Pando's security model has three separate jobs:
84
84
  keep requests bounded, make intent inspectable, require stable paths/hashes
85
85
  where relevant, and reduce the need for raw shell/file access.
86
86
 
87
- The sandbox and snapshots are the fallback safety boundary. The Pando tools are
87
+ Workspace roots are also gated: paths under system, credential, and container
88
+ directories cannot become a Pando workspace root (see `forbidden-roots`), so
89
+ model-triggered mutation stays scoped to real project roots.
90
+
91
+ Snapshots are the fallback safety boundary. The Pando tools are
88
92
  the preferred control plane: they make ordinary coding work narrower, more
89
93
  auditable, and more semantically meaningful than arbitrary command execution.
90
94
  Shell remains available for tests, builds, package managers, generated files,