FARAMESH · PGVECTOR · ELIXIR v1.20 — FULL PEMOS ASSESSMENT
Governance-as-Code for AI agents (Go · MPL-2.0 · 61★) · FPL policy language · MCP gateway · Budget enforcement · Delegation chains · Phase transitions · Defer/Approve workflow · pgvector Elixir (Ecto, Postgrex, halfvec, sparsevec, hybrid RRF) · Elixir v1.20 gradually typed (set-theoretic, dynamic(), 12/13 T: benchmark) · 6 diamonds found · 3 HIGH · 3 MEDIUM
FARA-001 HIGH · FARA-003 HIGH TLS · FARA-004 HIGH ATOMIC · FARA-007 GOROUTINE · Openclaw-Plugin v0.1 · pgvector-elixir v0.4 · Elixir v1.20 typed
◆ V14 ADELIC DIAMONDS — FARAMESH-CORE (6 found · all issues · Feb→now)
FARA-001 · HIGH · COLLISION / PRIVILEGE
Defer token collision via truncated nanosecond timestamp
internal/core/defer/workflow.go · L344
token := fmt.Sprintf("%x", time.Now().UnixNano())[:8]
8 hex chars = 32 bits taken from the nanosecond clock. Two concurrent DEFER calls at the same nanosecond get an identical token. DeferWithToken returns the existing handle on collision → the wrong agent receives the approval signal. A deterministic path (sha256-based, safe) exists, but the Defer() fallback is weak.

Attack: Orchestrate two agents to call DEFER simultaneously. Agent A's token collides with Agent B's. Agent A's human approval authorizes Agent B's action.
◈ BIRTHDAY collision · D3 GUE — zero repulsion violated
Fix: crypto/rand 128-bit token in Defer()
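Added example (not faramesh-core's own code): weakDeferToken reproduces only the one-line pattern quoted above, with the clock passed in so the run is reproducible on a constructed fixed instant; strongDeferToken is the crypto/rand replacement the fix calls for. The demonstration goes one step beyond the text: because %x prints the most significant digits first, the 8 kept digits are the high 32 bits of UnixNano, so two calls a full second apart share a token, not only two calls in the same nanosecond.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"time"
)

// weakDeferToken is the pattern flagged in FARA-001, with the clock injected.
// %x prints the most significant hex digits first, so [:8] keeps the HIGH
// 32 bits of UnixNano and discards the low 32 bits (about 4.29 s worth of
// nanoseconds). Every call inside the same ~4.29 s window gets the same token.
func weakDeferToken(now time.Time) string {
	return fmt.Sprintf("%x", now.UnixNano())[:8]
}

// strongDeferToken is the hardened replacement: 128 bits from crypto/rand,
// hex-encoded (32 chars). Collisions are negligible and values are unpredictable.
func strongDeferToken() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	return hex.EncodeToString(b[:]), nil
}

func main() {
	base := time.Unix(1700000000, 0) // constructed fixed instant
	// Same 8-char token for calls 1 ms and 1 s apart.
	fmt.Println(weakDeferToken(base), weakDeferToken(base.Add(time.Millisecond)), weakDeferToken(base.Add(time.Second)))
	t1, _ := strongDeferToken()
	t2, _ := strongDeferToken()
	fmt.Println(t1, t2)
}
```

The collision is deterministic for the fixed instant above; on a live clock it holds for any two DEFER calls that land in the same 2^32 ns window, which is the scenario the attack narrative describes.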
FARA-003 · HIGH · TLS / MITM
InsecureSkipVerify default unclear — IDP bypass via MITM
internal/core/principal/idp/verifier.go · L354
InsecureSkipVerify: !v.config.TLSVerify,
If TLSVerify is not set in config it takes Go's bool zero value, false, so InsecureSkipVerify becomes true and all IDP token verification — OIDC/Okta/Auth0 — proceeds without a TLS certificate check. A LAN attacker can MITM the IDP endpoint, serve forged tokens, and bypass agent identity verification entirely. The pipeline trusts the forged identity.
⊙ CIRCLE — perimeter bypassed · D8 WALL — PEMLAAM wall bypassed
Fix: default TLSVerify=true; document the env/config setting
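Added example (not the project's code; legacyConfig, hardenedConfig, the field TLSInsecureSkipVerify and the env argument are hypothetical names chosen for this illustration): the flawed mapping beside a secure-by-default one. The hardened form inverts the flag's polarity so the zero value verifies, pins the minimum TLS version, and refuses to build a skip-verify config outside a dev environment instead of honouring it silently.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// legacyConfig mirrors the shape implied by FARA-003: a positive "verify"
// flag. Go's zero value for bool is false, so a config that never mentions
// TLS silently disables certificate verification.
type legacyConfig struct {
	TLSVerify bool
}

func legacyTLS(c legacyConfig) *tls.Config {
	return &tls.Config{InsecureSkipVerify: !c.TLSVerify} // unset => verification off
}

// hardenedConfig (hypothetical field name) inverts the polarity: the operator
// must opt IN to skipping verification, so the zero value is the safe value.
type hardenedConfig struct {
	TLSInsecureSkipVerify bool
}

var errInsecureOutsideDev = errors.New("TLSInsecureSkipVerify is only permitted when env=dev")

// hardenedTLS builds the client TLS config used to reach the IDP. Skipping
// verification is refused outside a dev environment rather than silently
// honoured, and the minimum protocol version is pinned.
func hardenedTLS(c hardenedConfig, env string) (*tls.Config, error) {
	if c.TLSInsecureSkipVerify && env != "dev" {
		return nil, errInsecureOutsideDev
	}
	return &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: c.TLSInsecureSkipVerify,
	}, nil
}

func main() {
	fmt.Println("legacy, unset:", legacyTLS(legacyConfig{}).InsecureSkipVerify) // true
	cfg, err := hardenedTLS(hardenedConfig{}, "prod")
	fmt.Println("hardened, unset:", cfg.InsecureSkipVerify, err) // false <nil>
	_, err = hardenedTLS(hardenedConfig{TLSInsecureSkipVerify: true}, "prod")
	fmt.Println("hardened, skip-verify in prod:", err)
}
```

A config-loading test that asserts the zero-value config verifies (as the test below does) is the regression guard: it fails the moment someone reintroduces a positive-polarity flag.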
FARA-004 · HIGH · ATOMICITY / BUDGET
WAL write failure → rollback race on reserved cost
internal/core/pipeline.go · L1526–1536
if err := p.wal.Write(rec); err != nil {
    _ = sess.RollbackReservedCost(d.ReservedCostUSD) // DENY returned — but a concurrent goroutine sees partial state
A WAL write failure triggers RollbackReservedCost + DENY. But go p.accountCost() (FARA-007) may already be reading the session cost accumulator in a background goroutine. Under high concurrency a concurrent PERMIT sees the rollback-in-progress cost → budget undercount → over-permitted spend. Reserve-confirm-rollback is not a true atomic transaction.
⧖ HOURGLASS — non-atomic reserve · D5 CIRCULATORY — reserve not atomic
Fix: sync accountCost before WAL write; use a single mutex
FARA-007 · MEDIUM · GOROUTINE / BUDGET TOCTOU
go p.accountCost() — stale cost read before the goroutine settles
internal/core/pipeline.go · L1608
go p.accountCost(req.AgentID, req.ToolID, sess)
A background goroutine records cost after PERMIT. If a second request arrives before the goroutine completes, sess.CurrentCostUSD() returns the pre-cost value. Budget check [5] sees stale state → allows a second call that should have been denied. Classic TOCTOU on cost accounting under concurrent load.
⏱ TOCTOU · D5 CIRCULATORY — concurrent race
Fix: sync cost via channel before returning PERMIT
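Added example covering both FARA-004 and FARA-007 (not faramesh-core's code; Session, WAL, Decide and the field names are hypothetical stand-ins): a reserve → WAL write → confirm/rollback cycle done inline on the request goroutine under one mutex. The budget check and the hold happen in the same critical section, so a second request can never read a pre-cost value, and a WAL failure rolls the reservation back atomically so no concurrent caller sees a half-rolled-back accumulator. RunConcurrent fires 100 parallel requests at a 10 USD budget to show exactly 10 are permitted.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
)

var ErrBudgetExceeded = errors.New("budget exceeded")
var ErrWALWrite = errors.New("wal write failed")

// Session is a per-session spend budget (hypothetical type). Every decision
// reads committed+reserved under the mutex that mutates them.
type Session struct {
	mu        sync.Mutex
	limitUSD  float64
	committed float64 // spend that has a WAL record
	reserved  float64 // spend held by in-flight requests
}

func NewSession(limitUSD float64) *Session { return &Session{limitUSD: limitUSD} }

// Reserve is the atomic check-and-hold that replaces PERMIT-now, account-later (FARA-007).
func (s *Session) Reserve(cost float64) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.committed+s.reserved+cost > s.limitUSD {
		return ErrBudgetExceeded
	}
	s.reserved += cost
	return nil
}

// Confirm moves a reservation into committed spend; Rollback releases it.
// Each is one critical section, closing the FARA-004 window.
func (s *Session) Confirm(cost float64)  { s.settle(cost, true) }
func (s *Session) Rollback(cost float64) { s.settle(cost, false) }

func (s *Session) settle(cost float64, commit bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.reserved -= cost
	if commit {
		s.committed += cost
	}
}

// WAL is a constructed stand-in for the audit log; Fail exercises the write-failure path.
type WAL struct {
	mu      sync.Mutex
	Fail    bool
	Records []string
}

func (w *WAL) Write(rec string) error {
	w.mu.Lock()
	defer w.mu.Unlock()
	if w.Fail {
		return ErrWALWrite
	}
	w.Records = append(w.Records, rec)
	return nil
}

// Decide runs reserve -> WAL write -> confirm (or rollback) inline: the cost is
// visible to every other caller from the moment Reserve returns, and the WAL
// record precedes the PERMIT.
func Decide(s *Session, w *WAL, agent string, cost float64) (bool, error) {
	if err := s.Reserve(cost); err != nil {
		return false, err
	}
	if err := w.Write("PERMIT " + agent); err != nil {
		s.Rollback(cost)
		return false, err
	}
	s.Confirm(cost)
	return true, nil
}

// RunConcurrent fires n requests of cost USD each in parallel and returns how many were permitted.
func RunConcurrent(s *Session, w *WAL, n int, cost float64) int {
	var wg sync.WaitGroup
	var permits int32
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if ok, _ := Decide(s, w, "agent", cost); ok {
				atomic.AddInt32(&permits, 1)
			}
		}()
	}
	wg.Wait()
	return int(permits)
}

func main() {
	s, w := NewSession(10), &WAL{}
	fmt.Println("permitted:", RunConcurrent(s, w, 100, 1), "wal records:", len(w.Records))
}
```

Run it with the race detector (go run -race) to confirm there is no unsynchronised access; the same harness run against a PERMIT-then-goroutine implementation over-permits, which is the observable symptom of FARA-007.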
FARA-005 · MEDIUM · AUDIT GAP / PHASE
Undeclared phase transition denies before WAL write
internal/core/pipeline.go · L741–743
A phase transition to an undeclared target phase returns EffectDeny at L741 — before the WAL write at L1526. The denial is not in the audit log. An attacker sending malformed phase transitions hides the activity from DPR/WAL replay. The "execution must never precede the audit record" invariant is violated for this denial path.
△ TRIANGLE · D6 SKELETON — audit invariant broken
Fix: early-deny paths must still write a WAL record
FARA-006 · MEDIUM · MODE BYPASS / BUDGET
RuntimeModeAudit bypasses budget enforcement + policy eval
internal/core/pipeline.go · L685
if p.runtimeMode == RuntimeModeAudit { return Decision{..., Reason: "audit mode passthrough"}
Audit mode exits the pipeline BEFORE budget check [5]. An agent in audit mode can exhaust session/daily cost budgets with zero enforcement. If audit mode is configurable via the daemon API (or policy), it becomes a budget bypass vector. All 42 open issues reviewed — no issue tracks this gap.
■ SQUARE — bypass · D7 BLOOD_O2 — oxygen to wrong chamber
Fix: budget check before audit-mode passthrough
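Added example covering the fixes for FARA-005 and FARA-006 together (not the project's pipeline; Pipeline, AuditWAL, Request and Decision here are cut-down hypothetical types): every return from Decide passes through one deferred WAL write, so an early DENY for an undeclared phase is recorded exactly like a PERMIT and the audit record exists before the caller can act, and the budget check sits before the audit-mode passthrough so audit mode cannot be used to spend past the limit.

```go
package main

import (
	"fmt"
	"sync"
)

type Effect string

const (
	EffectPermit Effect = "PERMIT"
	EffectDeny   Effect = "DENY"
)

type Decision struct {
	Effect Effect
	Reason string
}

type Request struct {
	AgentID     string
	ToolID      string
	TargetPhase string // non-empty for a phase-transition request
	CostUSD     float64
}

// AuditWAL is a constructed in-memory stand-in for the DPR write-ahead log.
type AuditWAL struct {
	mu      sync.Mutex
	Records []string
}

func (w *AuditWAL) Write(req Request, d Decision) {
	w.mu.Lock()
	defer w.mu.Unlock()
	w.Records = append(w.Records, fmt.Sprintf("%s %s %s: %s", req.AgentID, req.ToolID, d.Effect, d.Reason))
}

// Pipeline is a hypothetical, cut-down decision pipeline with only the
// phase, budget and runtime-mode checks.
type Pipeline struct {
	mu             sync.Mutex
	wal            *AuditWAL
	declaredPhases map[string]bool
	auditMode      bool
	budgetUSD      float64
	spentUSD       float64
}

// Decide funnels every return through a single deferred WAL write (FARA-005)
// and runs the budget check before the audit-mode passthrough (FARA-006).
// The named result d is what the deferred write records, whichever path set it.
func (p *Pipeline) Decide(req Request) (d Decision) {
	defer func() { p.wal.Write(req, d) }()

	if req.TargetPhase != "" && !p.declaredPhases[req.TargetPhase] {
		return Decision{EffectDeny, "undeclared target phase " + req.TargetPhase}
	}

	p.mu.Lock()
	defer p.mu.Unlock() // runs before the WAL write (defers are LIFO)
	if p.spentUSD+req.CostUSD > p.budgetUSD {
		return Decision{EffectDeny, "budget exceeded"}
	}
	p.spentUSD += req.CostUSD

	if p.auditMode {
		return Decision{EffectPermit, "audit mode passthrough (after budget check)"}
	}
	// FPL policy evaluation would run here; this example stops at PERMIT.
	return Decision{EffectPermit, "policy allow"}
}

func main() {
	wal := &AuditWAL{}
	p := &Pipeline{wal: wal, declaredPhases: map[string]bool{"plan": true}, budgetUSD: 5}
	p.Decide(Request{AgentID: "a1", ToolID: "phase", TargetPhase: "bogus"})
	p.auditMode = true
	p.Decide(Request{AgentID: "a1", ToolID: "exec", CostUSD: 4})
	p.Decide(Request{AgentID: "a1", ToolID: "exec", CostUSD: 2})
	for _, r := range wal.Records {
		fmt.Println(r)
	}
}
```

The deferred-write pattern is the structural guarantee: a reviewer checking the invariant "execution must never precede the audit record" only has to confirm that Decide has one defer at its top, rather than auditing every return statement.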
OPENCLAW PLUGIN — DIRECT INTEGRATION
faramesh/Openclaw-Plugin already ships.
openclaw plugins install @faramesh/openclaw
Intercepts: bash/exec · filesystem (read/write/edit) · browser · network · canvas.
Maps to IMHOTEP's tool set exactly. Before every tool call → POST /v1/actions.
Outcome: ALLOW / PENDING (human in dashboard) / DENY.
Fail-closed: if Faramesh unreachable → tool blocked (configurable).
Fleet use: Wire faramesh-core as SOSTLE L4-L7 gate for crew tool calls. FARA-003 + FARA-001 must be fixed before fleet deployment.
KCF ANALYSIS — FARAMESH-CORE
COI — CONFLICT OF INTEREST SCAN
COI-001: RuntimeModeAudit is set by pipeline config — if an agent can influence its own config (via MCP gateway or SDK), self-escalation to audit mode bypasses all policy enforcement.

COI-002: Delegation chain depth check uses in-memory Workflow.pending map — restarted daemon loses chain history, depth counter resets to 0. Long delegation chains survive restart with no depth enforcement.

COI-003 CLEAR: Budget reservation uses mutex (budgetMu) — concurrent access protected. The TOCTOU is in goroutine timing, not lock contention.
ACTUARIAL — FARAMESH vs PEMOS FLEET
Governance layer fit: HIGH
FPL → SOSTLE mapping: YES — phases=layers, rules=gates
MCP gateway ↔ laam-pip: COMPATIBLE — same tool-call intercept
Budget → LABR-SHADOW-ADMIRAL: ANALOG — basal/bolus = session/daily
Defer/Approve → ARB flow: ISOMORPHIC — defer=ARB1 pending
WAL DPR → PEMCLAU sessions: COMPLEMENTARY — audit trail in both
Pre-deploy risk (FARA-003): BLOCK — IDP TLS must be fixed
Pre-deploy risk (FARA-001): CAUTION — token collision under load
License: MPL-2.0 — sovereign compatible
Verdict: DEPLOY after FARA-001+003 fixed
KCF DIMENSION SCORES
PGVECTOR + QDRANT — 2-HOP ARCHITECTURE FOR SOSTLE
QDRANT (yone) — HOP 1, semantic recall: pemclau-sessions-v1 (276K) · joffe-math-theorems-v1 (5.8K) · 35 collections, 427K total · ANN similarity search · HNSW index, cosine/L2
2-HOP BRIDGE (PEMCLAU GraphRAG): Session → ARB edge · ARB → theorem edge · theorem → sorry edge · expand neighbourhood · re-rank by adelic radius
PGVECTOR (Postgres) — HOP 2, structured recall: Elixir v1.20 typed Ecto · halfvec / sparsevec · hybrid search (RRF) · CRUD with intent class · HNSW + IVFFlat index
Why both: Qdrant = approximate nearest neighbour over dense embeddings (fast, fuzzy, fleet-native). pgvector = exact vector ops inside Postgres with Ecto relations — joins, filters, transactions. They serve different SOSTLE layers: Qdrant = L0-L3 (sovereign fast recall). pgvector-Elixir = L4-L6 (CLO/structured/auditable).
2-hop pattern: HOP 1 Qdrant ANN → retrieve candidate node IDs → HOP 2 pgvector exact search on those IDs + structured filter (SOSTLE layer, agent, timestamp). Result: semantic + structural in one query. GraphRAG expands with ARB/theorem/sorry edges between hops.
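Added example of the HOP 2 step (not the fleet's code; in the real system this is a pgvector query over Ecto, while here an in-memory map of constructed Node rows stands in for the Postgres table): take the candidate IDs from the HOP 1 ANN query, apply the structured filter (SOSTLE layer, agent, timestamp), re-rank by exact cosine similarity and return the top k. A dimension mismatch between the query and a stored embedding is surfaced as an error rather than a silently wrong score, which is the failure the typed-Ecto point below is about.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"sort"
	"time"
)

// Node is a constructed stand-in for a pgvector row: the embedding plus the
// structured columns HOP 2 filters on.
type Node struct {
	ID        string
	Layer     int // SOSTLE layer
	AgentID   string
	Timestamp time.Time
	Embedding []float32
}

// Filter is the structured predicate applied alongside the vector distance.
type Filter struct {
	MinLayer, MaxLayer int
	AgentID            string    // "" matches any agent
	Since              time.Time // zero value matches any time
}

func (f Filter) Match(n Node) bool {
	if n.Layer < f.MinLayer || n.Layer > f.MaxLayer {
		return false
	}
	if f.AgentID != "" && n.AgentID != f.AgentID {
		return false
	}
	return f.Since.IsZero() || !n.Timestamp.Before(f.Since)
}

var ErrDimension = errors.New("embedding dimension mismatch")

// cosine is the exact similarity; a dimension mismatch is an error, never a
// silently wrong score.
func cosine(a, b []float32) (float64, error) {
	if len(a) != len(b) {
		return 0, fmt.Errorf("%w: %d vs %d", ErrDimension, len(a), len(b))
	}
	var dot, na, nb float64
	for i := range a {
		dot += float64(a[i]) * float64(b[i])
		na += float64(a[i]) * float64(a[i])
		nb += float64(b[i]) * float64(b[i])
	}
	if na == 0 || nb == 0 {
		return 0, nil
	}
	return dot / (math.Sqrt(na) * math.Sqrt(nb)), nil
}

type Hit struct {
	ID    string
	Score float64
}

// HopTwo takes the candidate IDs returned by the HOP 1 ANN query, drops any
// that fail the structured filter, re-ranks the rest by exact cosine
// similarity and returns the top k. IDs unknown to the store are skipped.
func HopTwo(store map[string]Node, candidates []string, query []float32, f Filter, k int) ([]Hit, error) {
	hits := make([]Hit, 0, len(candidates))
	for _, id := range candidates {
		n, ok := store[id]
		if !ok || !f.Match(n) {
			continue
		}
		score, err := cosine(query, n.Embedding)
		if err != nil {
			return nil, fmt.Errorf("node %s: %w", id, err)
		}
		hits = append(hits, Hit{id, score})
	}
	sort.SliceStable(hits, func(i, j int) bool { return hits[i].Score > hits[j].Score })
	if len(hits) > k {
		hits = hits[:k]
	}
	return hits, nil
}

func main() {
	ts := time.Unix(1700000000, 0) // constructed timestamp
	store := map[string]Node{
		"s1": {ID: "s1", Layer: 4, AgentID: "crew-a", Timestamp: ts, Embedding: []float32{1, 0, 0}},
		"s2": {ID: "s2", Layer: 5, AgentID: "crew-a", Timestamp: ts, Embedding: []float32{0.6, 0.8, 0}},
		"s4": {ID: "s4", Layer: 4, AgentID: "crew-b", Timestamp: ts, Embedding: []float32{1, 0, 0}},
	}
	hits, err := HopTwo(store, []string{"s1", "s2", "s4"}, []float32{1, 0, 0}, Filter{MinLayer: 4, MaxLayer: 6, AgentID: "crew-a"}, 2)
	fmt.Println(hits, err)
}
```

The structured filter runs before the distance computation on purpose: in the pgvector form it becomes a WHERE clause on the layer/agent/timestamp columns, so the exact vector work is only spent on rows the audit scope actually allows.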
Elixir v1.20 advantage: Set-theoretic gradual typing catches vector dimension mismatches at compile time (not runtime). dynamic() type for runtime embeddings. 12/13 T: benchmark for type narrowing. Ecto pgvector-elixir v0.4 already supports halfvec/sparsevec/hybrid RRF. Faramesh governance layer integrates via MCP gateway — same path as laam-pip.
SOSTLE INTEGRATION MAP — FARAMESH PHASES → SOSTLE LAYERS
FPL phases block maps directly to SOSTLE layers. Phase transition rules = SOSTLE gate conditions. Budget blocks = basal/bolus limits from Shadow Admiral doctrine. Defer/Approve = ARB1 pending → ratified. DPR WAL = PEMCLAU session ingest.
ELIXIR v1.20 — TYPED LANGUAGE RELEVANCE FOR FLEET