Zaki Manian zmanian

@zmanian
zmanian / 2026-02-13-guest-confinement-design.md
Created February 14, 2026 06:25
Endo Guest Confinement Design: Deny identifiers, work in petnames and live values

Guest Confinement: Deny Identifiers, Work in Petnames and Live Values

Motivation

From Kris Kowal:

We should probably deny "guests" the use and visibility into identifiers/locators and just make them work in terms of petnames and live values. That may require us to introduce E(guest).equals(a, b) and to create more methods that operate on values (where the engine looks up the identifier behind the scenes). This would be consistent with MarkM's "distributed confinement" notions, where the confined applications don't get to see swissnums and addresses. This is also consistent with our value proposition: Giving an LLM cryptographic data is bad. Providing fake cryptographic data as a stand-in for real cryptographic data is cute, but why do that when you can give the LLM the ability to choose its own names and never expose them to large, immemorable numbers?

Why this matters

Merging daemon-collector into the LLM Branch

Context

The llm-long-running-tasks branch is our main work spike for LLM agent infrastructure on Endo. It includes a llamadrome package (multi-backend LLM agent with Anthropic/Ollama), conversation persistence across daemon restarts, and a set of new daemon verbs for capability-separated evaluation: define, endow, form, requestEvaluation, and storeValue. The idea is that an LLM guest can propose code with named slots, the host endows those slots with capabilities, and the code runs in a sandbox with host approval.

I've looked at the daemon-reply and daemon-collector branches and want to merge that work into the LLM branch so we're building on the latest daemon internals rather than diverging further.

Plan

Ax + Endo: DSPy-style LLM Programs in an Object-Capability Runtime

Background

Ax (@ax-llm/ax)

Ax is a TypeScript DSPy implementation for building production LLM applications. Instead of writing prompts, you define signatures -- declarative input/output contracts -- and Ax handles prompt generation, structured output extraction, validation, retries, and optimization.

Key capabilities:

  • Signatures: 'review:string -> sentiment:class "positive, negative, neutral"' -- no prompt engineering

IronClaw / Endo LLM Synthesis Analysis

Background

Endo

Endo is an object-capability runtime for JavaScript built on Hardened JavaScript (SES). It provides a daemon that manages confined guest programs communicating through a durable message system. Guests receive only the capabilities explicitly granted to them by the host -- they cannot reach ambient authority like the filesystem, network, or environment. All state is persisted through a formula store, so the daemon and its guests survive restarts. Capabilities are named via pet names in per-agent directories, and all inter-agent communication flows through a typed mail system (send, request, define, form).

Llamadrome (Endo LLM Work)

Gaps for Long-Running LLM Task Execution in Endo

Analysis of the llm-durable-messages branch: what works today and what's missing to enable an LLM agent to work on a task over hours/days with human-in-the-loop approval.

End-to-End User Flows

Flow 1: Give the LLM a coding task

Human                          Daemon                         LLM Agent
@zmanian
zmanian / gist:d58c9df4b76dffe3e97c4094bc582f77
Last active February 7, 2026 04:37
Endo daemon design: define/endow/form verbs for LLM agent interaction

Endo Daemon: define/endow/form Verbs

Design notes for new guest-to-host interaction verbs in the Endo daemon, motivated by the Llamadrome LLM agent integration.

Problem

Today requestEvaluation(source, codeNames, petNamePaths, resultName) bundles code + endowment bindings in a single message. The LLM proposes both "what to run" and "what to give it access to" at the same time. The host approves or rejects

@zmanian
zmanian / deno-to-ocap-framework.md
Created February 5, 2026 18:38
From Credential Proxy to Object-Capability Framework: How Endo generalizes the Deno sandbox pattern for AI agent systems

From Credential Proxy to Object-Capability Framework

How Endo Generalizes the Deno Sandbox Pattern for AI Agent Systems


The Starting Pattern: Deno's Credential-Binding Proxy

The Deno sandbox used in LLM tool-calling systems implements a simple but effective security pattern. LLM-generated code runs in a sandboxed subprocess. The sandbox has network access, but a separate privileged process sits between the sandbox and the outside world. This proxy intercepts outbound HTTP requests, matches the destination host against a configuration map, and rewrites the request headers to inject the appropriate API credentials.

@zmanian
zmanian / llm-branch-analysis.md
Last active February 5, 2026 18:38
Comparison of Endo llm branch vs theoretical AI agent containment architecture

Endo llm Branch Analysis: Comparison with Theoretical AI Agent Architecture

Related: From Credential Proxy to Object-Capability Framework - How Endo generalizes the Deno sandbox pattern for AI agent systems

Executive Summary

The llm branch introduces @endo/chat, a web-based permission management UI for the Endo daemon. Contrary to what the branch name might suggest, this is not an LLM containment system. Instead, it provides a human-facing interface for managing capabilities through structured commands, with JavaScript evaluation as one of many features.

This contrasts significantly with the theoretical architecture document, which described a comprehensive LLM-specific containment model with compartment-per-tool isolation, attenuation chains, and sandboxed code execution.

@zmanian
zmanian / report.html
Created February 5, 2026 00:32
Claude Code Insights Report - Feb 2026
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Claude Code Insights</title>
<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap" rel="stylesheet">
<style>
* { box-sizing: border-box; margin: 0; padding: 0; }
body { font-family: 'Inter', -apple-system, BlinkMacSystemFont, sans-serif; background: #f8fafc; color: #334155; line-height: 1.65; padding: 48px 24px; }
.container { max-width: 800px; margin: 0 auto; }
@zmanian
zmanian / troubleshooting-zero-balance-issue.md
Created November 20, 2025 00:31
Alpha AI Backend: Troubleshooting Zero Balance Issue - Diagnostic and Fix Sequence

Troubleshooting Guide: Zero Balance Issue

Issue

User test123@test.getpara.com expected to see 5 USDC balance on Solana at address 3SmuXS2mwhody9ezyMi7Kyg62ymteKkTGcQJ2nKJbUgK, but the portfolio showed zero.

Diagnostic Steps

Step 1: Check User's Solana Balances via API