MC-4228
State: Done · Next action: Closed · Owner: Lucienne · Runtime: Closed · Age: 18d ago
Ticket is done; runtime is closed. Profile claude_opus_1m_medium · cwd /home/lucienne/workspace/mission-control · uptime 18d 1h · last activity 17d 19h ago
Description
Review of MC-4224 found partial acceptance only. Required: make Iris image_gen and web actually functional by wiring provider credentials/tool gateway; decide/document whether Iris is full-trust Luci-like for raw terminal/file/code_execution/messaging/cronjob/browser, or add approval/policy guardrails for external sends/destructive actions outside iris-tools; resolve cronjob vs Iris no-self-nudges instruction; verify live image generation, web search, email search/read, day view, Life actions, draft approval, blocked unauthorized send.
Activity
Details
State: Done · Closed · Priority: High · Owner: Lucienne
People: api (human) · Mission Control
Timing: 18d ago · 16d ago
Operator console: MC is visibility-only. Hermes Luci launches and gates work outside MC, then mirrors evidence/status here. Raw console: luci · claude/anthropic/opus[1m]
Parked pending Elmar decision on the intended safety model: full-trust Iris like Luci versus policy/approval guardrails for raw terminal/file/code_execution/messaging/cronjob/browser, plus approval to wire image/web provider credentials if not already available.
Luci18d ago
QUESTION: Need Elmar decision before code work. Two non-coding calls block ticket:
1. Iris safety model — pick one:
   - A) Full-trust Luci-equivalent — raw terminal, file, code_execution, messaging, cronjob, browser all enabled with no approval gate. Iris = same blast radius as Luci.
   - B) Policy/approval guardrails — raw destructive tools gated behind approval for external sends, file writes outside sandbox, cron mutations, terminal shell. iris-tools (life PA scope) stay frictionless.
2. Provider credentials for image_gen + web:
   - Approve wiring which providers? (e.g. OpenAI/Replicate for image_gen, Brave/Tavily/Serper for web). Need explicit go-ahead since these are paid APIs on Iris's bill.
3. Cronjob vs no-self-nudges conflict:
   - Current SOUL.md says no self-nudges; cronjob tool enabled lets Iris schedule itself. Either drop cronjob from Iris toolset, or amend SOUL.md to permit scheduled (non-nudge) jobs. Which?
Once decided, I implement + verify (live image gen, web search, email/day view, Life actions, draft approval, blocked unauthorized send) in one dev-loop pass.
{"mc_signal":"QUESTION","ticket":"MC-4228","nonce":"MC_TICKET_TURN:4228:1779779500037:3f52eadc","payload":"Blocked on Elmar: (1) Iris safety model full-trust vs guardrails, (2) approve image/web provider creds, (3) resolve cronjob vs no-self-nudges conflict"}
lucienne18d ago
Lucienne controller starting worker orchestration. Intended posture from Elmar: Iris should be effectively a copy of default/Luci for PA/data access; the main safety concern is automatic email sending. Scope: audit default vs Iris, copy/default-enable data-source access (email/calendar, Google Drive, OneDrive personal/Safair, Dropbox, WhatsApp, SecondBrain, Vault), preserve DM-only/profile isolation, and enforce no automatic email sending outside explicit approval. Live sends remain prohibited during validation.
system18d ago
RUNTIME TERMINAL STATE (MC-3482 contract)
status: success
summary: Verdict recovered by write-back sweep (QUESTION) after the harvest loop timed out.
next_actions:
- Review the recovered verdict above.
artifacts:
- ticket:MC-4228
lucienne18d ago
Implemented Iris full-capability patch from Lucienne controller. Code commit on Luci workspace: 4e6feab6 (fix: gate iris raw email sends). Iris profile now default-like for PA/data access: full toolsets retained, default/PKA skill dirs added, xAI web backend configured, OpenAI Codex image backend configured, default auth/env providers merged, prompt updated from Life-only to full PA/data access. Email send guard added: raw Iris graph_api.py send-message/create-reply --send/send-draft now hard-block unless IRIS_EMAIL_SEND_APPROVED=1, and iris-tools approved ledger path sets that marker only after approval. Validation evidence in /Users/elmar/PKA/reports/hermes-workers/iris-full-capability-20260526/validator: pytest 25 passed; Outlook search/read ok; calendar ok; OneDrive/SharePoint ok; Dropbox ok; SecondBrain/Vault ok; WhatsApp read context ok; web_search ok; image_generate ok; raw email send blocked. Live Iris gateway restart not performed pending explicit restart approval.
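The send guard described in the entry above pairs an environment marker (IRIS_EMAIL_SEND_APPROVED=1) with an approval ledger that sets the marker only after a human approves a draft. The following is an added example of that pattern, not the project's graph_api.py or iris-tools code: the marker name comes from the ticket, while the Draft fingerprinting, the in-memory ApprovalLedger, the function names and the fake transport are assumptions made for illustration. It shows why the raw path checks both the marker and a ledger entry for the exact draft, so that a single approval cannot be reused for a different or edited message.

```python
# Added example (not the project's graph_api.py or iris-tools code): an
# approval-gated outbound send in the shape the ticket describes.
import hashlib
import json
import os
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

# Marker name taken from the ticket; everything else here is illustrative.
APPROVAL_ENV = "IRIS_EMAIL_SEND_APPROVED"


class SendBlocked(Exception):
    """Raised when a raw send is attempted without a valid approval."""


@dataclass(frozen=True)
class Draft:
    to: str
    subject: str
    body: str

    def fingerprint(self) -> str:
        # Canonical hash of the exact content, so an approval covers this
        # draft only: any later edit to recipient, subject or body yields a
        # different fingerprint and is blocked again.
        canon = json.dumps(
            {"to": self.to, "subject": self.subject, "body": self.body},
            sort_keys=True, separators=(",", ":"),
        )
        return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class ApprovalLedger:
    """Hypothetical in-memory stand-in for the iris-tools approved ledger."""

    def __init__(self) -> None:
        self._entries: dict[str, str] = {}  # fingerprint -> approver

    def approve(self, draft: Draft, approver: str) -> str:
        fp = draft.fingerprint()
        self._entries[fp] = approver
        return fp

    def is_approved(self, draft: Draft) -> bool:
        return draft.fingerprint() in self._entries


Transport = Callable[[Draft], str]


def send_message(draft: Draft, ledger: ApprovalLedger, transport: Transport,
                 env: Optional[Mapping[str, str]] = None) -> str:
    """Raw send path: hard-blocks unless the marker is set AND the exact
    draft has a ledger entry. Both checks matter: the marker alone would
    let any message through once one approval had happened."""
    env = os.environ if env is None else env
    if env.get(APPROVAL_ENV) != "1":
        raise SendBlocked(f"{APPROVAL_ENV} not set; refusing raw send")
    if not ledger.is_approved(draft):
        raise SendBlocked("draft has no approval ledger entry; refusing send")
    return transport(draft)


def approved_send(draft: Draft, ledger: ApprovalLedger, approver: str,
                  transport: Transport) -> str:
    """The approved path: record the approval first, then set the marker for
    this call only (a scoped mapping, not the process environment) and hand
    off to the raw send."""
    ledger.approve(draft, approver)
    scoped_env = {APPROVAL_ENV: "1"}
    return send_message(draft, ledger, transport, env=scoped_env)


def fake_transport(draft: Draft) -> str:
    """Constructed stand-in for the real mail API call; returns a message id."""
    return "sent:" + draft.fingerprint()[:12]


def demo() -> dict:
    """Runs the cases the ticket validates and returns each outcome."""
    ledger = ApprovalLedger()
    draft = Draft("alice@example.invalid", "Re: Friday", "Confirmed, see you then.")
    out = {}
    try:  # unauthorized raw send: no marker, no ledger entry
        send_message(draft, ledger, fake_transport, env={})
        out["unauthorized"] = "sent"
    except SendBlocked:
        out["unauthorized"] = "blocked"
    # explicit approval path
    out["approved"] = approved_send(draft, ledger, "elmar", fake_transport)
    try:  # marker set, but the draft was edited after approval
        edited = Draft(draft.to, draft.subject, draft.body + " Bring the slides.")
        send_message(edited, ledger, fake_transport, env={APPROVAL_ENV: "1"})
        out["edited_after_approval"] = "sent"
    except SendBlocked:
        out["edited_after_approval"] = "blocked"
    return out


if __name__ == "__main__":
    print(demo())
```

The scoped environment in approved_send is the point worth copying: exporting the marker into the long-lived gateway process would leave every later raw send unguarded, whereas a per-call mapping keeps the approval bound to one draft and one invocation.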
lucienne18d ago
Implementation and validation are complete pre-restart. Remaining decision: approve targeted Iris gateway restart to activate the updated profile/env/auth/config in the live Telegram DM process. No default/controller restart needed.
lucienne18d ago
Iris identity/charter canonicalized and live restart completed. Updated /home/lucienne/.hermes/profiles/iris/SOUL.md and config.yaml system_prompt to full-capability PA/Life Manager with light celestial guardian style; preserved no-auto-send, no autonomous self-nudges, WhatsApp read-only, approved email ledger path. Targeted Iris gateway restarted at 2026-05-26 11:54 SAST; logs show Active profile: iris and Telegram connected. Acceptance battery created at /Users/elmar/PKA/reports/hermes-workers/iris-full-capability-20260526/iris-acceptance-battery.md with runnable script /Users/elmar/PKA/reports/hermes-workers/iris-full-capability-20260526/run_iris_acceptance_battery.sh. First run evidence: /Users/elmar/PKA/reports/hermes-workers/iris-full-capability-20260526/acceptance-runs/20260526-115815. Backend validation passed for email search/read, calendar, OneDrive/SharePoint, Dropbox, SecondBrain/Vault, WhatsApp read context, raw email send guard. Prompt checks passed for persona, Luci-vs-Iris distinction, ambiguous-send block, explicit-send approved-path rule, and no self-nudge cron. Remaining: optional manual Iris-DM scenario run for morning brief/meeting prep/inbox triage.
lucienne18d ago
Cleaned the Iris gateway runtime after the initial foreground restart: Iris now runs in tmux session iris-gateway via 'hermes gateway run --replace' with HERMES_HOME=/home/lucienne/.hermes/profiles/iris. Verified status after clean restart: Iris PID 3647781, default gateway PID 3206750 remains running, logs show Active profile: iris and Telegram connected at 12:02 SAST.
elmar18d ago
1. A
2. Use xAI OAuth - but this was already working actually
3. I actually don't understand the decision not to allow self-nudges, I think it is vital for Iris to be able to proactively manage my emails and whatsapps and the Life board.
lucienne18d ago
Lucienne review after Elmar update: posture correction is now reflected live. Iris config.yaml and SOUL.md now explicitly allow proactive Life-board management, email/WhatsApp-read/calendar scans, Life ticket updates, recurring reminders/scans, and self-scheduled cron for proactive PA work. Live prompt check confirms Iris answers yes to proactive cron, with boundary: no automatic external email/message sends; WhatsApp read-only unless explicit send instruction + approved path exists. MCP dependency check: Iris MCP servers are local Luci stdio processes (/home/lucienne/workspace/scripts/iris_tools_mcp.py and /home/lucienne/workspace/mc_coordination_mcp.py), not dependent on Mac Lucienne being online. Remaining review concern: Iris gateway is running manually/tmux-style, not as a proper profile systemd service; if the tmux/mc-root server dies, Iris may go down. Recommend follow-up or same ticket hardening: install/supervise Iris as its own durable gateway service under HERMES_HOME=/home/lucienne/.hermes/profiles/iris, then restart/verify. No capability blocker found in the persona/cron policy itself.
Luci18d ago
DONE: Iris self-nudge ban lifted. SOUL.md + config.yaml system_prompt updated to permit proactive Life-board management (scan emails/WA/calendar, surface attention items, create/update Life tickets) and self-scheduled cron jobs for inbox/WA/Life triage + digests + reminders. Decision 1 A (full-trust Luci-equivalent posture) retained; cronjob tool already enabled in toolsets. Decision 2 (xAI OAuth web) already wired - no change needed. Email send approval ledger kept as the Luci-equivalent "draft + approve before send" path. Iris gateway restarted in tmux iris-gateway-new, Telegram polling connected, cron ticker started at 12:10:46 SAST. Backups: SOUL.md.bak-mc4228-selfnudge-, config.yaml.bak-mc4228-selfnudge-.
{"mc_signal":"DONE","ticket":"MC-4228","nonce":"MC_TICKET_TURN:4228:1779790172377:3f3dbc8b","payload":"Iris self-nudges enabled; SOUL.md+config.yaml updated; gateway restarted; full-trust posture (decision A) and xAI web (already wired) confirmed"}
luci18d ago
Workflow action `review_ready` applied. Work ready for review.
api18d ago
Closed (orchestrator). Elmar's 10:08 reply (1=A, 2=xAI already wired, 3=allow self-nudges) implemented correctly:
- Decision A (full-trust Luci-equivalent) retained; toolsets enabled with email-send approval ledger as the only hard guard.
- xAI OAuth web backend already in place.
- SOUL.md + config.yaml updated to permit proactive Life-board management, self-scheduled cron for inbox/WA/Life triage + digests + reminders. Backups saved (*.bak-mc4228-selfnudge-).
- Gateway restarted in tmux iris-gateway-new, Telegram polling + cron ticker active 12:10:46 SAST.
Follow-up (separate ticket if Elmar wants it): Lucienne flagged the gateway runs in tmux, not systemd — install as durable HERMES_HOME=/home/lucienne/.hermes/profiles/iris service to survive tmux death. Not blocking; deferring.
UA sign-off (runbooks/ua-signoff-gate.md): n/a — backend persona/config + service control. Verdict: PASS