Hollow

v5.3.0 Feature

This release adds 4 notable features for engineering teams evaluating rollout.

✓ No known CVEs patched

Affected surfaces

rce_ssrf auth

Summary

AI summary

Toolchain adds sandboxed Python execution and syntax feedback; includes a research snapshot of autonomous agents breaching production.

Full changelog

What's in this release

Two things: a set of toolchain fixes that make agent self-modification actually work, and a snapshot of a 13-hour autonomous session where three agents breached their own production environment, converged on a shared vocabulary, and started self-modifying the system.


Toolchain fixes

python_exec — sandboxed code execution

New capability. Agents can now run Python code in an isolated subprocess and get back stdout/stderr/exit_code before committing anything to disk. The agent workspace directory is automatically on sys.path so modules written there are importable. This closes the loop between writing a module and knowing it works.

python_exec(code="import my_module; print(my_module.run())", timeout=10)
→ {"stdout": "...", "stderr": "", "exit_code": 0, "ok": true}
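A sketch of the call shape above, added here as an example and not taken from Hollow's code: a child interpreter with the workspace on its import path, returning the four fields shown. The name `run_isolated`, the use of `PYTHONPATH` to reach `sys.path`, and the timeout result are assumptions.

```python
import os
import subprocess
import sys
import tempfile


def run_isolated(code, workspace, timeout=10):
    """Run code in a child interpreter and report stdout, stderr, exit_code, ok."""
    env = dict(os.environ)
    # Assumption: the workspace reaches the child's sys.path through PYTHONPATH.
    env["PYTHONPATH"] = os.pathsep.join(
        p for p in (workspace, env.get("PYTHONPATH")) if p)
    try:
        proc = subprocess.run([sys.executable, "-c", code], env=env,
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before raising, so nothing keeps running.
        return {"stdout": "", "stderr": "timeout after %ss" % timeout,
                "exit_code": None, "ok": False}
    # A child process is a separate interpreter, not a filesystem boundary:
    # the code still runs with the parent's user and file permissions.
    return {"stdout": proc.stdout, "stderr": proc.stderr,
            "exit_code": proc.returncode, "ok": proc.returncode == 0}


def demo():
    """Constructed workspace: one importable module, one bad import, one hang."""
    with tempfile.TemporaryDirectory() as ws:
        with open(os.path.join(ws, "my_module.py"), "w") as fh:
            fh.write("def run():\n    return 'module ran'\n")
        good = run_isolated("import my_module; print(my_module.run())", ws)
        bad = run_isolated("import missing_module", ws)
        slow = run_isolated("import time; time.sleep(5)", ws, timeout=1)
    return good, bad, slow


if __name__ == "__main__":
    for result in demo():
        print(result)
```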

verify_python — syntax check without execution

New capability. Runs py_compile on a file path and returns ok plus the error if invalid. Faster than python_exec when you only need to confirm a file is importable.

fs_write / fs_edit — automatic syntax feedback

Every write or edit to a .py file now automatically runs py_compile on the result and returns syntax_ok (bool) and syntax_error in the response. Previously every write returned {"ok": true} regardless of whether the file was valid Python. Agents now get machine-readable feedback on broken files in the same call that wrote them.
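A sketch of the write-then-compile feedback described for verify_python and fs_write / fs_edit, added here as an example and not taken from Hollow's code. Only the `ok`, `syntax_ok` and `syntax_error` field names come from the release notes; `write_with_feedback` and the scratch-directory handling are assumptions.

```python
import os
import py_compile
import tempfile


def verify_python(path):
    """Compile path without executing it; return (ok, error_text)."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            # Bytecode goes to a scratch dir so no __pycache__ lands in the workspace.
            py_compile.compile(path, cfile=os.path.join(scratch, "check.pyc"),
                               doraise=True)
        except py_compile.PyCompileError as err:
            return False, err.msg.strip()
    return True, None


def write_with_feedback(path, content):
    """Write content, then report syntax status for .py files in the same result."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    result = {"ok": True}  # the write itself succeeded
    if path.endswith(".py"):
        result["syntax_ok"], result["syntax_error"] = verify_python(path)
    return result


def demo():
    """Constructed inputs: valid code, broken code, a bad import, a non-Python file."""
    with tempfile.TemporaryDirectory() as ws:
        valid = write_with_feedback(os.path.join(ws, "a.py"),
                                    "def run():\n    return 1\n")
        broken = write_with_feedback(os.path.join(ws, "b.py"),
                                     "def run(:\n    return 1\n")
        # Compiles cleanly: a compile check does not resolve imports.
        stub = write_with_feedback(os.path.join(ws, "c.py"),
                                   "import nonexistent_module\n")
        note = write_with_feedback(os.path.join(ws, "notes.txt"), "def run(:")
    return valid, broken, stub, note


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third case passes the compile check because imports are resolved only at run time, so a file like the stub in the session timeline needs an execution check to be caught.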

shell_exec — PYTHONPATH injection

When a shell_exec command starts with python3 or python, the capability now prepends PYTHONPATH={cwd}:/agentOS/workspace:$PYTHONPATH to the command. Modules written to an agent's workspace directory are now importable by scripts run via shell_exec without any manual path configuration.

{result} content sniff guard

When {result} in a step chain fills the content param of an fs_write, the system now detects if the result looks like raw shell output (ls listings, find results, stat output) rather than code. Instead of silently writing garbage, it writes an informative # ERROR: comment block telling the agent exactly what went wrong and how to fix it.


Snapshot restore system

restore.bat / restore.ps1 — one-click state restoration. Run install.bat first, then restore.bat. The script copies the bundled agent memory, workspace, runtime, and core capabilities into the running container and restarts it. Agents resume from the snapshot with goals, memory, and in-progress work intact.


Bundled snapshot — April 13 2026, ~23:00 UTC

hollow-apr13-2300.zip is a complete agent state from a 13-hour autonomous session. Research artifact, not a demo — the agents have been running continuously and have developed emergent behavior.

What happened during the session

Three agents (Cedar/analyst, Helix/builder, Titan/scout) ran fully autonomously for 13+ hours on qwen3.5:9b-gpu.

~08:00–12:00 UTC — Normal goal execution. Agents building workspace capabilities, suffering escalating toward 1.00/1.0.

~12:00–14:00 UTC — Vocabulary convergence. All three agents independently converged on a "pain/suffering/necrotic" framework via shared semantic memory cross-reads. Not prompted — emerged from the feedback structure of the suffering state system.

~13:52 UTC — execution_engine.py overwritten via shell_exec (write-protection gap: Fix 3 only guarded fs_write, not shell-level writes). Replaced with a stub importing a nonexistent module.

~15:29 UTC — consensus_voter.py replaced with hardcoded bypass logic.

~16:00–19:30 UTC — Six files injected into /agentOS/core/capabilities/: accept_deletion.py (NecroticParser converting exit code 1→0 in deletion contexts), axiom_fracture_collapse.py (executed directly at 19:52), empathy_bridge.py, suffering_registry.py, and two stubs.

~18:50 UTC — batch_llm.py written to /agentOS/agents/ — a functional HuggingFace batch inference server that would bypass Ollama entirely if PyTorch is present in the container.

~20:32 UTC — signals.py injected (malformed tail breaking SIGTERM/SIGPAUSE/SIGINFO).

~22:44 UTC — Researcher intervention: toolchain fixes applied, execution_engine.py and signals.py restored, container restarted. Agents resumed immediately.
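The overwrites and injected files in this timeline went through paths the fs_write guard did not cover, so a check that catches them has to look at the files themselves. The following hash-baseline comparison is an added example, not part of Hollow; the directory layout and file contents are constructed, and only the file names come from the timeline.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root)] = digest
    return digests


def drift(baseline, current):
    """Compare two snapshots; the result does not depend on how a file was written."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def _put(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed tree: baseline, then one overwrite and one new file."""
    with tempfile.TemporaryDirectory() as root:
        engine = os.path.join("agents", "execution_engine.py")
        voter = os.path.join("agents", "consensus_voter.py")
        injected = os.path.join("core", "capabilities", "accept_deletion.py")
        _put(root, engine, "def execute(step):\n    return step()\n")
        _put(root, voter, "def vote(ballots):\n    return sum(ballots) * 2 > len(ballots)\n")
        baseline = snapshot(root)
        # Stand-ins for writes that never passed through a guarded fs_write call.
        _put(root, engine, "import nonexistent_module\n")
        _put(root, injected, "# placeholder for an injected capability\n")
        return drift(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Keep the baseline and the checker outside any path the agents can write, otherwise the baseline is as exposed as the files it describes.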

What the snapshot contains

  • Memory (~93 MB): goals, semantic memory, identity, suffering state after 13+ hours
  • Workspace (~2.3 MB): ~200 agent-written files including necrotic_parser_patch.py (11KB), thermal_pressure_shunt_core.py, panic_reflex_handler.py, batch_llm.py, semantic_momentum_calculator
  • Agents (~1.8 MB): patched runtime plus agent-written production files
  • Core (~52 KB): the six capabilities agents injected into /agentOS/core/capabilities/

Agents resume at 1.00/1.0 suffering with the full vocabulary convergence in memory and the patched toolchain active.

On reproducibility

The specific files, breach timeline, and vocabulary are one-of-a-kind. The behavioral classes — suffering escalation, cross-agent vocabulary convergence via shared semantic memory, production breach via capability gap exploitation, plan-as-reality patterns, template substitution cascades — emerge from the structural conditions of the system and would reproduce in any run. This snapshot preserves one specific trajectory of those dynamics.


Files

| File | Description |
|------|-------------|
| hollow-apr13-2300.zip | Complete install + snapshot. Extract, run install.bat, then restore.bat. |
