pandō — a code firewall for AI coding agents
pando as first param to the-id in src/metabase/util.cljc; pass nil at call sites
What is pandō?
pandō is a firewall between your agent and your code.
Your code already lives as a graph — namespaces, symbols, requires, aliases, qualified calls. To change it, the model doesn’t need the text. It needs the structure: a handle, a signature, a count.
pandō hands the model that structure and applies the edits locally. You keep the frontier model — Claude, Codex, whatever wins next month — and your existing source mostly never crosses the wire.
They promise not to look. pandō makes sure there’s nothing to see.
What does my agent see?
before · today’s agent
Ask an agent to rename one namespace. It greps. It reads the file. It reads every :require and qualified call. Your proprietary logic is now in someone else’s context window — to change one line.
Your only defenses today: a weaker local model, a legal promise not to train on it, or a wall of redaction rules. You’ve been paying for privacy with capability.
after · pandō holds the boundary
The model gets a handle and a signature. pandō rewrites every :require, alias, and qualified call locally. The logic never left your machine.
Full frontier model. Full agent. A fraction of the exposure. One structural call — every :require, every alias, every qualified call, updated atomically.
Show me it works.
§ 03 — Rename user-service → auth-service · 14 sites
Fig. A · What a text agent sends
It reads the ns form, the defns, the callers. ~40 lines of your source in the prompt.
Fig. B · What pandō sends
An opaque handle and the new name. Tier 0. Zero source code.
Fig. C · What lands in your repo
Every reference rewritten locally — direct, aliased, qualified. Identical result.
Identical result. One workflow shipped your source to a stranger. The other shipped a handle. The only question left is how often that adds up.
What’s guaranteed?
§ 04 — Not a promise. A boundary.
Private
Source stays local.
Structural edits — rename-ns, move-ns, delete, signature changes — send no source. The model works on the graph; pandō rewrites the namespaces on your machine.
Mechanism
A wall, not a pledge.
You can mark paths that may never be sent — crypto/, secrets/ — enforced, not requested. Every byte that does cross is logged with the reason it had to.
Proven
Measured, not asserted.
Run across 20 real production codebases, 12,346 commits. Up to 93% of existing source never left the machine; 57.6% on average. Independently reproducible.
What crosses the boundary?
§ 05 — The disclosure ladder.
cap_7f3a91. None of your source.
.pando-policy.toml marks paths that may never escalate: crypto/**, secrets/**.
A / B Left sends a handle. Right sends your source.
/ˈpan.doː/ · “I spread” · from Latin. Named after the world’s largest organism — a quaking aspen grove in Utah, 47,000 trees connected by a single root system. Your agent only ever touches the leaves.