gdmcode

Architecture

Agent loop

+--------------------------------------------------------------+
|                        gdm agent loop                        |
|                                                              |
|  User prompt                                                 |
|      |                                                       |
|      v                                                       |
|  +-------------+    tool calls     +----------------------+  |
|  |  LLM model  | ----------------> |  Tool orchestrator   |  |
|  |  (primary / |                   |  (see below)         |  |
|  |   fallback) | <-------------    |                      |  |
|  +-------------+    tool results   +----------------------+  |
|        |                                                     |
|        |  final response                                     |
|        v                                                     |
|  +---------------+                                           |
|  |  REPL / voice |  renders diff, waits for confirmation     |
|  |  / remote UI  |  (unless autonomy >= 4)                   |
|  +---------------+                                           |
|                                                              |
|  Each turn is checkpointed to SQLite (core-002/003).         |
+--------------------------------------------------------------+

The loop stops after max_turns consecutive rounds without progress (default: 150). Cost is tracked after each API call; the session is halted if session_limit_usd is exceeded (runtime-005).


Tool orchestrator flow

Every tool call passes through a pipeline before execution:

tool_call
    |
    +- 1. Injection check ------- scan for prompt-injection in tool arguments
    |                             (reject if pattern matches denylist)
    |
    +- 2. RBAC ------------------ check caller identity against permission tier
    |                             (read-only | standard | privileged | admin)
    |
    +- 3. Network policy -------- enforce network_allowlist for HTTP tools
    |                             (SSRF mitigation - see security-hardening.md)
    |
    +- 4. Execute --------------- run the tool function with a timeout
    |                             (GDM_TOOLS_TIMEOUT / tools.timeout_secs)
    |
    +- 5. Audit log ------------- append hash-chained entry to audit.db
                                  (action, actor, args hash, timestamp, prev_hash)

Tools are registered in gdmcode/tools/REGISTRY. The set of available tools is injected into the model’s system prompt on each loop iteration so the model always sees the current capability list.


Memory layer

gdm maintains three layers of persistent memory:

Layer            Storage                  Purpose
---------------  -----------------------  ------------------------------------------------
Session memory   SQLite (.gdm/gdm.db)     Conversation turns, tool results, checkpoints
Conventions      .gdm/instructions.md     Project-specific rules injected into every prompt
Code index       SQLite (.gdm/index.db)   Symbol and chunk embeddings for fast retrieval

Whole-codebase mode (context.whole_codebase): when the project fits within the model’s context window, gdm loads all source files directly instead of using the index. Set to "always" to force it, "never" to disable, or "auto" (default) to let gdm decide.

The background daemon (gdm daemon start) keeps the code index up to date and handles session compression for long-running projects.


Security model

Trust boundary

 outside trust boundary
 -------------------------------------------------------
 | User prompt -> gdm agent -> tool calls -> OS / FS   |
 |                                  ^                  |
 |             policy enforcement --+                  |
 -------------------------------------------------------
 inside trust boundary: project files, OS keychain, local DB

gdm treats user prompts as untrusted input. Tool arguments generated by the model are scanned for injection patterns before execution. Network tools check against network_allowlist to prevent SSRF.

Hash-chain audit log

Every tool execution appends a record to audit.db:

entry_n = sha256(action | actor | args_hash | timestamp | entry_{n-1}.hash)

Gaps or hash mismatches indicate tampering. Enable audit enforcement in .gdm/team.toml:

[policy]
require_audit_log = true
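The chain above, together with the gap and mismatch check that flags tampering, as an added Python example (not gdm's own code; the "|" separator, the all-zero genesis hash and the audit.db table layout are assumptions):

```python
import hashlib
import json
import sqlite3

# Added illustration of the hash-chained audit log; not gdm's own code.
# Assumptions: "|" as the field separator, 64 zero chars as the genesis
# prev_hash, and this table layout for audit.db.
GENESIS = "0" * 64
SCHEMA = ("CREATE TABLE IF NOT EXISTS audit (seq INTEGER PRIMARY KEY, action TEXT, "
          "actor TEXT, args_hash TEXT, ts INTEGER, prev_hash TEXT, hash TEXT)")

def entry_hash(action, actor, args_hash, timestamp, prev_hash):
    """entry_n = sha256(action | actor | args_hash | timestamp | entry_{n-1}.hash)"""
    payload = "|".join([action, actor, args_hash, str(timestamp), prev_hash])
    return hashlib.sha256(payload.encode()).hexdigest()

def open_audit_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db

def append_entry(db, action, actor, args, timestamp):
    """Append one tool-execution record, chained to the newest stored hash."""
    row = db.execute("SELECT seq, hash FROM audit ORDER BY seq DESC LIMIT 1").fetchone()
    seq, prev = (row[0] + 1, row[1]) if row else (1, GENESIS)
    args_hash = hashlib.sha256(json.dumps(args, sort_keys=True).encode()).hexdigest()
    digest = entry_hash(action, actor, args_hash, timestamp, prev)
    db.execute("INSERT INTO audit VALUES (?, ?, ?, ?, ?, ?, ?)",
               (seq, action, actor, args_hash, timestamp, prev, digest))
    db.commit()
    return digest

def verify_chain(db):
    """Walk the chain in seq order; report sequence gaps and hash mismatches."""
    problems, prev_seq, prev_hash = [], 0, GENESIS
    for seq, action, actor, args_hash, ts, stored_prev, digest in db.execute(
            "SELECT * FROM audit ORDER BY seq"):
        if seq != prev_seq + 1:
            problems.append(f"gap: expected seq {prev_seq + 1}, found {seq}")
        if stored_prev != prev_hash:
            problems.append(f"seq {seq}: prev_hash does not link to previous entry")
        if entry_hash(action, actor, args_hash, ts, stored_prev) != digest:
            problems.append(f"seq {seq}: stored hash does not match contents")
        prev_seq, prev_hash = seq, digest
    return (not problems, problems)
```

Deleting only the newest entry leaves a chain that still verifies, so detecting tail truncation needs the latest hash anchored somewhere outside audit.db.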

Policy enforcement

Team policies (.gdm/team.toml [policy]) override all other configuration layers — including environment variables and CLI flags. This allows administrators to cap autonomy, restrict network access, and block git push for all team members even if individuals have higher local settings.

See docs/security-hardening.md for deployment guidance.