Skip to content

docs(design): taOS Council (role-benchmarked background model team)#1818

Open
jaylfc wants to merge 1 commit into
devfrom
docs/council-design
Open

docs(design): taOS Council (role-benchmarked background model team)#1818
jaylfc wants to merge 1 commit into
devfrom
docs/council-design

Conversation

@jaylfc

@jaylfc jaylfc commented Jul 13, 2026

Copy link
Copy Markdown
Owner

Summary

Founding design for taOS Council: a background live team of models that monitors what the user does and works together on it. Users add models to the Council; each gets its own registry identity via the existing consent flow. The primary model auditions each member for specific roles, once per model per role, and the signed scores are shared on a public gauge registry at taos.my so only one user globally ever benchmarks a given model. Free-tier models become an instant zero-cost team of specialists (writer, editor, reviewer, summarizer, and more), assigned to projects as standard team members on the board and the a2a channel.

What the doc covers

  • Current state verified in code with file:line citations: consent minting, project-bound agent tokens, hub identity keypair signing, the account proxy pattern, the Decisions app, notifications, and the kilo gateway model listing.
  • Locked decisions: big role taxonomy v1 (10 roles, provisional never blocking), signature-plus-N-confirm benchmark trust with the record schema, propose-first autonomy via Decisions cards with per-role dials, and detect-auto/gauge-on-approve model monitoring with community auto-adoption.
  • The gauge harness codifies the auditions that ran live this week: worktree/tmux coder gauges, read-only reviewer gauges against ground-truth reviews, rubric-graded creative gauges with a user spot-check.
  • Community gauge registry: signed submissions, the UNKNOWN/PROVISIONAL/TRUSTED/DISPUTED state machine, and an honest fraud posture.
  • Council data model, app UI, team integration (members are tools in the lead/tool org model, element assignment works unchanged), model monitoring with an exceptions list, and honest limitations.
  • Slice plan: S1 to S4 and S9 bounded for external CLI agents; S5 to S8 flagged maintainer-review; taos.my server-side slices listed separately as taos-website work. Includes a draft README section (Appendix A) and the README slice that lands it.
  • Open questions with recommendations: N = 3 confirmations, semver suite versioning, one shared kilo key with per-member virtual keys, slug-based role i18n.

Design doc only, no code changes.

@qodo-code-review

Copy link
Copy Markdown

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@jaylfc, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 28 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 593ba365-0bea-4cce-ab3b-f7f397302f4c

📥 Commits

Reviewing files that changed from the base of the PR and between 3a23637 and 7eab941.

📒 Files selected for processing (1)
  • docs/design/taos-council.md
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs/council-design

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gitar-bot

gitar-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown

Important

You are using the Gitar free plan. Upgrade to unlock code review, CI analysis, auto-apply, custom automations, and more.

Gitar

```

- "Distinct accounts" means distinct signing-key fingerprints, one counted
submission per fingerprint per (model, role, version).

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: N-confirm "distinct accounts" is defeated by unbounded keypair minting

The consensus dedupe keys on the raw signing-key fingerprint (lines 371-372), and submission is gated only by the session cookie (line 347). The hub keystore mints keypairs freely per node (lines 73-74) and the doc never requires a 1:1 binding between an authenticated account and a registered signing key. A single attacker can therefore generate N keypairs and satisfy "N distinct accounts" alone, which directly contradicts the fraud-posture claim that collusion "needs N colluding accounts" (lines 378-380). Require each accepted signing_pubkey to be registered to and owned by the authenticated account (one key per account, or an account-scoped key quota), and verify the cookie's account owns the key on ingest.


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

- **On new model.** Notify (source `council`). If the community DB has
TRUSTED scores for it, offer adoption directly and, when the user has
enabled auto-adopt in Council settings, adopt without a tap (locked
decision 4: this is the common case at scale). Otherwise the notification

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: Auto-adopt appears to bypass the mandatory consent minting

Lines 241-248 state every Council member is minted through the standard consent path with explicit user approval ("One approval, one canonical id … the registry stays the single source of identity truth"). But auto-adopt "adopts without a tap" (line 454) and "adoption can be automatic with no local gauge" (lines 169-170). If auto-adopt creates a full member plus identity plus registry JWT, it violates that consent invariant; if it only records a trusted score, the term "adoption" is overloaded. Clarify whether auto-adopt mints identity (and if so, that it uses a pre-authorized grant the user enabled, not a silent identity mint) versus merely surfacing trusted scores for later manual approval.


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

roles), POST `/api/council/gauges/run`, run view in `CouncilApp.tsx`, tests
with a stub candidate.
- Executes model-authored code in worktrees; sandbox posture must be
reviewed by a maintainer against the app-runtime tiers.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: Harness executes untrusted model output as code without specified isolation

Audition candidates are arbitrary newly surfaced :free models pulled in automatically by the poller (lines 444-456), and S6 executes their outputs as code in worktrees/tmux (line 542). Because candidates can be attacker-submitted, the doc must specify hard isolation for audition runs: no network egress (or strict allowlist), no mounted secrets/keys, ephemeral filesystem, CPU/memory/time limits, and non-privileged execution. Deferring this to "app-runtime tiers" (line 543) is insufficient for untrusted third-party model code; call out the required sandbox guarantees explicitly before S6 is implemented.


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

first valid record -> PROVISIONAL (score = that record)
N distinct accounts,
all within tolerance -> TRUSTED (score = median of confirming records)
records disagree

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SUGGESTION: Median-of-confirming-records may not be integer-storable

gauge_records.score is INTEGER (line 281), but the TRUSTED score is defined as the "median of confirming records" (line 365). With an even number of confirming scores the median can be a .5 value that INTEGER truncation would shift. Define rounding (e.g., round half-up) or store the trusted score separately with fractional precision in gauge_consensus.


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

(`tinyagentos/hub/identity.py:165-168`). The artifact bundle (task inputs,
candidate outputs, grading transcript) is retained locally under
`data/council/artifacts/{record_id}/` so a score is always auditable; only
its hash travels.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SUGGESTION: Spot-audit of artifacts is not guaranteed

The audit bundle is retained only on the submitter's node (lines 294-296), yet the fraud posture claims taos.my "can request an artifact bundle for a suspicious record" (lines 380-381). If the submitter is offline or deleted the bundle, the audit cannot happen, but the record may remain TRUSTED and even be auto-adopted. Either require server-side retention of artifact bundles for submitted records, or state explicitly that audits are best-effort and document how unauditable-but-trusted records are handled (e.g., re-open to DISPUTED).


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

display_name TEXT NOT NULL,
description TEXT NOT NULL DEFAULT '',
gauge_status TEXT NOT NULL, -- 'proven' | 'designed' | 'provisional'
suite_version TEXT, -- NULL when provisional

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SUGGESTION: "provisional" is overloaded across two taxonomies

The role registry gauge_status uses 'proven' | 'designed' | 'provisional' (line 217, suite maturity) while the consensus state machine uses UNKNOWN | PROVISIONAL | TRUSTED | DISPUTED (line 363, per-record trust). Same word, different meaning, which will confuse implementers and reviewers. Rename one axis (e.g., registry status ungauged/alpha/graduated, or trust state PENDING).


Reply with @kilocode-bot fix it to have Kilo Code address this issue.


Tables: `gauge_submissions` (the wire schema plus `signing_pubkey`, verified
on ingest with the same Ed25519 check as `verify_signature`,
`tinyagentos/hub/identity.py:212-226`) and `gauge_consensus`

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SUGGESTION: Clarify which public key is authoritative for verification

W1 says submission is "verified on ingest with the same Ed25519 check as verify_signature" (line 353) and "verification against the hub identity directory record" (line 572), yet the wire schema carries an explicit signing_pubkey (line 340). Specify that the signature is verified against the submitted signing_pubkey AND that this key is the one registered to the authenticated account (closing the first finding's loophole), rather than implying either key alone is sufficient.


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

@kilo-code-bot

kilo-code-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown

Code Review Summary

Status: 7 Issues Found | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 0
WARNING 3
SUGGESTION 4
Issue Details (click to expand)

WARNING

File Line Issue
docs/design/taos-council.md 371 N-confirm "distinct accounts" is defeated by unbounded keypair minting — dedupe keys on raw fingerprint, no 1:1 account↔key binding, so one attacker satisfies N "accounts" alone, contradicting the fraud-posture claim
docs/design/taos-council.md 454 Auto-adopt "without a tap" appears to bypass the mandatory consent minting invariant stated at lines 241-248
docs/design/taos-council.md 542 Harness executes untrusted :free model output as code but defers isolation to "app-runtime tiers" without specifying sandbox guarantees

SUGGESTION

File Line Issue
docs/design/taos-council.md 365 TRUSTED = median of confirming records can be non-integer, but score is INTEGER (line 281) — rounding/precision unspecified
docs/design/taos-council.md 296 Artifact spot-audits are not guaranteed — bundles live only on the submitter's node yet fraud posture implies taos.my can always request them
docs/design/taos-council.md 217 "provisional" overloaded across two taxonomies (role registry suite status vs consensus trust state)
docs/design/taos-council.md 353 Verification key authority ambiguous (submitted signing_pubkey vs hub directory record); should verify against submitted key bound to the authenticated account
Files Reviewed (1 files)
  • docs/design/taos-council.md - 7 issues

Fix these issues in Kilo Cloud


Reviewed by hy3:free · Input: 101.7K · Output: 34.8K · Cached: 243.6K

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant