dullfig/xml-pipeline
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Production-ready networked multi-agent substrate built on xml-pipeline. One port. Many bounded minds. Cryptographically sovereign.
92 commits 1 branch 0 tags 1.8 MiB
Python 97.2%
JavaScript 1.1%
CSS 0.5%
HTML 0.5%
PowerShell 0.4%
Other 0.3%
Find a file
dullfig 7950be66f3 Add native tools specification 
Core tools:
- calculate (simpleeval) - math expressions in Python syntax
- fetch_url - HTTP requests with security controls
- read_file / write_file / list_dir - sandboxed file ops
- run_command - sandboxed shell execution
- web_search - web search integration
- key_value_store - persistent agent state
- send_email / webhook - notifications

Librarian tools (exist-db):
- librarian_store - store XML documents
- librarian_get - retrieve by path
- librarian_query - XQuery execution
- librarian_search - full-text search

Includes permission model and implementation checklist.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-12 22:37:40 -08:00
.codebuddy edited README.md 2025-12-23 19:03:58 -08:00
.idea re-writing docs and code 2026-01-03 14:48:57 -08:00
agentserver fixing docs 2026-01-12 22:31:06 -08:00
config Add platform-managed PromptRegistry and LLM API 2026-01-11 13:57:51 -08:00
docs Add native tools specification 2026-01-12 22:37:40 -08:00
handlers Fix console registry for cross-module access 2026-01-11 14:44:10 -08:00
tests Add SecureConsole v3.0 with password authentication 2026-01-10 18:24:24 -08:00
third_party/xmlable Replace MessageBus with aiostream-based StreamPump 2026-01-10 10:41:17 -08:00
.env.example Add thread registry, LLM router, console handler, and docs updates 2026-01-10 16:53:38 -08:00
.gitignore Add thread registry, LLM router, console handler, and docs updates 2026-01-10 16:53:38 -08:00
__init__.py Replace MessageBus with aiostream-based StreamPump 2026-01-10 10:41:17 -08:00
LICENSE Initial commit 2025-12-21 17:22:03 -08:00
pyproject.toml Add SecureConsole v3.0 with password authentication 2026-01-10 18:24:24 -08:00
README.md fixing docs 2026-01-07 20:58:31 -08:00
run_organism.py Fix console registry for cross-module access 2026-01-11 14:44:10 -08:00
setup-project.ps1 initial dir structure 2025-12-25 21:52:36 -08:00
structure.md fixing docs 2026-01-08 15:49:07 -08:00

README.md

AgentServer — The Living Substrate (v2.1)

"It just works... safely."

January 06, 2026
Architecture: Autonomous Schema-Driven, Turing-Complete Multi-Agent Organism

The Rant

Why XML?
Why not JSON?

XML is the sovereign wire format — standards-based, self-describing, attack-resistant, and evolvable without drift. JSON was a quick hack that escaped into the wild and became the default for everything, including AI tool calling, where its brittleness causes endless prompt surgery and validation headaches.

This project chooses XML deliberately. The organism enforces contracts exactly (XSD validation, no transcription bugs), tolerates dirty streams (repair + dummy extraction), and keeps reasoning visible. No fragile conventions. No escaping hell. Just bounded, auditable computation.

Read the full rant here for the history, pitfalls, and why XML wins permanently.

What It Is

AgentServer is a production-ready substrate for the xml-pipeline nervous system. Version 2.1 evolves the design around parallel per-listener pipelines, true concurrent broadcast, opaque UUID threading for privacy, and blind agent self-iteration—all while preserving strict validation and handler purity.

See Core Architectural Principles for the single canonical source of truth.

Core Philosophy

  • Autonomous DNA: Listeners declare their contract via @xmlify dataclasses; the organism auto-generates XSDs, examples, and tool prompts.
  • Schema-Locked Intelligence: Payloads validated directly against XSD (lxml) → deserialized to typed instances → pure handlers.
  • Multi-Response Tolerance: Handlers return raw bytes; bus wraps in <dummy></dummy> and extracts multiple payloads (perfect for parallel tool calls or dirty LLM output).
  • Computational Sovereignty: Turing-complete via blind self-calls, subthreading primitives, concurrent broadcast, and visible reasoning — all bounded by private thread hierarchy and local-only control.

Developer Experience — Create a Listener in 12 Lines

No manual schemas. No brittle JSON conventions. No hand-written prompts.
Just declare a dataclass contract and a one-line human description. The organism handles validation, XSD, examples, and tool prompts automatically.

from xmlable import xmlify
from dataclasses import dataclass
from xml_pipeline import Listener, bus  # bus is the global MessageBus

@xmlify
@dataclass
class AddPayload:
    a: int
    b: int

def add_handler(payload: AddPayload) -> bytes:
    result = payload.a + payload.b
    return f"<result>{result}</result>".encode("utf-8")

Listener(
    payload_class=AddPayload,
    handler=add_handler,
    name="calculator.add",
    description="Adds two integers and returns their sum."
).register()  # ← Boom: XSD, example, prompt auto-generated + registered

The organism now speaks <add> — fully validated, typed, and discoverable.
Unlike rigid platforms requiring custom mappings or fragile item structures, this is pure Python — typed, testable, and sovereign.

Security Model

AgentServer's security is architectural, not bolted-on:

Two Completely Isolated Channels

  • Main Bus: Standard <message> envelope, all traffic undergoes identical validation pipeline regardless of source
  • OOB Channel: Privileged commands only, different schema, localhost-bound, used for structural changes

Handler Isolation & Trust Boundary

Handlers are untrusted code. Even compromised handlers cannot:

  • Forge their identity (sender name captured in coroutine scope before execution)
  • Escape thread context (thread UUID captured in coroutine, not handler output)
  • Route to arbitrary targets (routing computed from peers list, not handler claims)
  • Access other threads' data (opaque UUIDs, private path registry)
  • Discover topology (only declared peers visible)

The message pump maintains authoritative metadata in coroutine scope and never trusts handler output for security-critical properties.

Closed-Loop Validation

ALL messages on the main bus undergo identical security processing:

  • External ingress: WSS → pipeline → validation
  • Handler outputs: bytes → pipeline → validation (same steps!)
  • Error messages: generated → pipeline → validation
  • System notifications: generated → pipeline → validation

No fast-path bypasses. No "trusted internal" messages. Everything validates.

Topology Privacy

  • Agents see only opaque thread UUIDs, never hierarchical paths
  • Private path registry (UUID → agent.tool.subtool) maintained by system
  • Peers list enforces capability boundaries (no ambient authority)
  • Federation gateways are opaque abstractions

Anti-Paperclip Architecture

  • Threads are ephemeral (complete audit trail, then deleted)
  • No persistent cross-thread memory primitives
  • Token budgets enforce computational bounds
  • Thread pruning prevents state accumulation
  • All reasoning visible in message history

This architecture ensures:
No privilege escalation (handlers can't forge privileged commands)
No fast-path bypasses (even system-generated messages validate)
Physical separation (privileged and regular traffic cannot mix)
Capability-safe handlers (compromised code still bounded by peers list)
Complete auditability (thread history is ground truth)

Key Features

1. The Autonomous Schema Layer

  • Dataclass → cached XSD + example + rich tool prompt (mandatory description + field docs).
  • Namespaces: https://xml-pipeline.org/ns/<category>/<name>/v1 (served live via domain for discoverability).
  • Multiple listeners per root tag supported (broadcast parallelism).

2. Thread-Based Lifecycle & Reasoning

  • Opaque <thread/> UUIDs with private hierarchical path registry for reliable subthreading, audit trails, and topology privacy.
  • LLM agents use unique root tags for blind self-iteration (no name knowledge or <to/> needed).
  • Agents reason via open self-calls, multi-payload parallelism, and optional <todo-until/> scaffolding in visible text.
  • All thought steps visible as messages — no hidden state.

3. Message Pump

  • Parallel preprocessing pipelines (one per listener) with central async pump orchestration.
  • True concurrency: pipeline tasks parallel, broadcast handlers via asyncio.gather.
  • Single linear flow per pipeline with repair, C14N, XSD validation, deserialization, handler execution, and multi-payload extraction.
  • Supports clean tools, forgiving LLM streams, and natural broadcast alike.
  • Thread-based message queue with bounded memory and fair scheduling.

4. Structural Control

  • Bootstrap from organism.yaml (including unique root enforcement for agents).
  • Runtime changes (hot-reload, add/remove listeners) via local-only OOB channel (localhost WSS or Unix socket — GUI-ready).
  • Main bus oblivious to privileged ops.

5. Federation & Introspection

  • YAML-declared gateways with trusted keys.
  • Controlled meta queries (schema/example/prompt/capability list).

Technical Stack

  • Validation & Parsing: lxml (XSD, C14N, repair) + xmlable (round-trip).
  • Protocol: Mandatory WSS (TLS) + TOTP on main port.
  • Identity: Ed25519 (signing, federation, privileged).
  • Format: Exclusive C14N XML (wire sovereign).

Why This Matters

AgentServer v2.1 is a bounded, auditable, owner-controlled organism where the XSD is the security, the private thread registry is the memory, and the OOB channel is the sovereignty.

One port. Many bounded minds. Autonomous yet obedient evolution. 🚀

XML wins. Safely. Permanently.