Private
Public Access
0
0
Commit Graph

25 Commits

Author SHA1 Message Date
ed a62b1c4844 Merge branch 'master' of C:\projects\manual_slop into tier2/post_module_taxonomy_de_cruft_20260627 2026-06-27 11:58:26 -04:00
ed 284d4c42fd docs(tier2): ban output filtering + prefer targeted tier runs
Two new rules for Tier 2 (added per user directive 2026-06-27 after
Tier 2 ran the full batch and piped through Select-Object -Last 20,
losing the full record):

1. NEVER filter test output (Select-Object, head, tail, | Select -First N).
   ALWAYS redirect to a log file, then read it with read_file/grep.
2. Prefer targeted tier runs (--tier tier3, --filter test_<file>) over
   the full 11-tier batch. The full batch is for the USER post-merge,
   not for Tier 2 per-task verification.

Applied to 3 files: tier2-autonomous.md, tier-2-auto-execute.md,
workflow.md Tier 2 Autonomous Sandbox conventions.
2026-06-27 11:58:19 -04:00
ed a10f2af1a3 Merge branch 'master' of C:\projects\manual_slop into tier2/post_module_taxonomy_de_cruft_20260627 2026-06-27 11:57:52 -04:00
ed af17a0f9ee superpowers 2026-06-26 23:43:08 -04:00
ed 452535de7d deny using yet another tmp folder external to the repo 2026-06-26 17:50:38 -04:00
ed 6240b07b9e fix(tier2-sandbox): add git stash* and git clean -fd* to all 3 ban layers; spell out timeline-is-immutable principle
ROOT CAUSE: Tier 2 used 'git stash' during the cruft_elimination_20260627
track execution and corrupted the user's in-progress files. The user
explicitly stated: 'if an agent fucks up, their tendency to want to revert
is not correct and instead they must live with the timeline and just do
corrections with a new commit. They can grab artifacts, code, etc, from
old commits but they cannot reset to that.'

This commit adds HARD BANs on git stash* and git clean -fd* at 3 layers
(per the existing 3-layer defense model documented in
conductor/tier2/agents/tier2-autonomous.md):

LAYER 1: AGENTS.md
- Added new HARD BAN: 'git stash* (any form: git stash, git stash pop,
  git stash apply, git stash drop, git stash clear) is FORBIDDEN.
  Stashing inverts the safety net of the working tree'

LAYER 2: conductor/tier2/opencode.json.fragment (Tier 2 autonomous)
- Added 'git stash*', 'git stash pop*', 'git stash apply*',
  'git stash drop*', 'git stash clear*', 'git clean -fd*', 'git clean -fdx*'
  to BOTH the top-level permission.bash deny list AND the
  agent.tier2-autonomous.permission.bash deny list
- Also added 'git revert*' (was missing from fragment; already banned in prompt)
- These are now HARD DENIED at the OpenCode permission layer; the agent
  cannot run them even if it tries

LAYER 3: conductor/tier2/agents/tier2-autonomous.md
- Added 'git stash* (any form)' to the Hard Bans list
- Added 'THE TIMELINE-IS-IMMUTABLE PRINCIPLE' section spelling out
  exactly what to do when you fuck up:
  - When you make a wrong commit, write a NEW commit that fixes it
  - The git history is immutable on this branch
  - You CAN grab artifacts from old commits via 'git show <sha>:<path> > <new-path>'
  - You CANNOT reset the branch HEAD to an old commit
  - 'git revert', 'git reset --hard', 'git reset --soft', 'git stash' are
    all attempts to rewrite history and BANNED
  - Correct pattern: pause, read the actual file, write a forward
    corrective commit with a commit message that explains the fix

This addresses the root cause of the 2026-06-27 cruft_elimination
corruption. Future Tier 2 autonomous runs will be blocked from running
git stash* at 2 layers (OpenCode permission deny + Tier 2 prompt hard
ban list) and reminded at the agent-prompt layer (THE TIMELINE-IS-
IMMUTABLE PRINCIPLE section).
2026-06-26 07:43:02 -04:00
ed 2fcc673c4d docs(tier2-agent): tier2-autonomous prompt — domain distinction + Core Value + banned patterns 2026-06-25 21:38:29 -04:00
ed eae758771f conductor(tier-setup): MANDATORY pre-action reading + pre-commit abort on leak
ROOT CAUSE (post-mortem at docs/reports/TIER2_MCP_REGRESSION_20260624.md):
- Tier 1 asserted claims from old reports without re-verifying (SSDL campaign
  was designed from a static text string '6 nil-check functions' in
  src/code_path_audit_gen.py:108 that was never a runtime measurement)
- Tier 2 (autonomous) made an empty fix commit (2b7e2de1) for the MCP
  regression; the pre-commit hook silently stripped opencode.json +
  mcp_paths.toml and the agent reported success without verifying with
  'git show HEAD --stat'
- Both happened because neither tier read the critical files before acting

THE FIX (this commit):

1. .agents/agents/tier1-orchestrator.md: add MANDATORY pre-action reading
   list (6 files: AGENTS.md, conductor/workflow.md, current track spec/plan,
   the 3 code_styleguides). Reference the 2026-06-24 SSDL failures.

2. .agents/agents/tier2-tech-lead.md: add MANDATORY pre-action reading list
   (8 files: AGENTS.md, workflow.md, edit_workflow.md, the githooks
   forbidden-files.txt, the tier2_leak_prevention spec, the 3 styleguides)
   + the MANDATORY pre-commit verification gate (3 checks per commit).

3. .agents/agents/tier3-worker.md: add 4-file read list (AGENTS.md, task
   spec, relevant styleguide, the actual code being modified). Tier 3 doesn't
   need the full 8-file list — Tier 2's task spec is the contract.

4. .agents/agents/tier4-qa.md: same 4-file read list (analysis context).

5. conductor/tier2/agents/tier2-autonomous.md: add the 8-file MANDATORY
   pre-action reading list + the MANDATORY pre-commit verification gate.

6. conductor/tier2/commands/tier-2-auto-execute.md: add the 8-file list
   to the pre-flight section (step 0).

7. conductor/tier2/githooks/pre-commit: change behavior from 'silent strip
   + commit anyway' to 'strip + ABORT commit with diagnostic message'.
   The previous behavior led to empty commits (the 2026-06-24 regression).
   The agent MUST investigate the leak before retrying the commit.

ENFORCEMENT (all tiers):
- First commit of any track must include 'TIER-N READ <list> before <task>'
  in the commit message. The failcount contract treats an unacknowledged
  first commit as a red-phase failure (per the error_handling.md Rule #0
  precedent).

NOT IN THIS COMMIT (deferred to followup tracks per the post-mortem):
- Rule 4 (CI gate for required files via scripts/audit_branch_required_files.py)
- AGENTS.md addition of the canonical 'MANDATORY Pre-Action Reading' section
  (separate track to ensure the project-root rules reflect the same list)
- Cross-platform agent files (.opencode/, .claude/, .gemini/) — those are
  generated from the canonical .agents/agents/ files; this commit updates
  the canonical sources.

7 files modified, 109 insertions, 6 deletions.
2026-06-24 21:36:18 -04:00
ed 81e1fd7b2c feat(tier2): add pre-commit hook + denylist config to block sandbox-only files
Adds a tier-2 pre-commit hook that auto-unstages sandbox-only files
from any tier-2 commit, preventing the leak that hit master in
00e5a3f2 (the offender commit that was just selectively reverted
in fab2e55b). The hook is paired with a config file that lists the
forbidden paths as substring patterns.

Design:
- Hook reads conductor/tier2/githooks/forbidden-files.txt (one
  substring pattern per line; # comments and blanks ignored)
- For each staged file, checks if any pattern is a substring of
  the path. If a match is found, the file is auto-unstaged via
  `git rm --cached --force` (force is required when the index
  has content that differs from BOTH HEAD and the working tree)
- Hook always exits 0 — it removes the leak rather than blocking
  the commit. A hard reject would leave tier-2 stuck mid-flow
  (tier-2 cannot run `git restore --staged`, which is banned by
  the sandbox permission rules)
- The hook's config file lives at the project root so it ships
  with the clone. setup_tier2_clone.ps1 will install the hook
  in a follow-up commit; existing clones need to re-run setup
  to get the hook

Forbidden patterns (substring matches):
- .opencode/agents/tier2-autonomous (sandbox agent prompt)
- .opencode/commands/tier-2-auto-execute (sandbox slash command)
- opencode.json (MCP path / default_agent / model override)
- mcp_paths.toml (extra_dirs cleared in clone)

Patterns are SPECIFIC (not prefix-based) so they do not match
the legitimate interactive tier-2 tech-lead prompt at
.opencode/agents/tier2-tech-lead.md.

Tests (tests/test_tier2_pre_commit_hook.py, 12 cases):
- Empty staged set: git's standard "nothing to commit" error
- Allowed files: commit succeeds normally
- Each forbidden file (agent, command, opencode.json,
  mcp_paths.toml) staged: auto-unstaged, commit proceeds
- Mixed staged set: only forbidden are unstaged
- Hook silent when no leaks detected
- Hook warns (stderr) when unstaging
- Config-driven: replacing forbidden-files.txt changes the
  denylist without modifying the hook
- Paths with spaces: handled correctly via git diff -z

Defense-in-depth context:
- Layer 1: OpenCode permission system (denies direct edits to
  these files from the tier2-autonomous agent)
- Layer 2 (this commit): pre-commit hook (removes the leak at
  the commit boundary)
- Layer 3 (follow-up commit): scripts/audit_tier2_leaks.py
  (scans working tree, CI gate)
2026-06-20 01:45:34 -04:00
ed 387adff579 fix(tier2): expand %TEMP% deny patterns to catch env-var forms
Follow-up to the 'NEVER USE APPDATA' directive. The agent kept
trying to use \C:\Users\Ed\AppData\Local\Temp / \C:\Users\Ed\AppData\Local\Temp / %TEMP% / %TMP% — the previous
deny rule (*AppData\\\\* and *AppData\\Local\\Temp\\*) only matched
the literal expanded path, not the env-var form. The agent would
self-block based on its own interpretation of the rule, but it still
TRIED before self-blocking (the 'fucking tired of it fucking with
AppData' complaint).

Fix:
1. opencode.json.fragment: add bash deny patterns matched against
   the LITERAL command string (before shell expansion):
     *\C:\Users\Ed\AppData\Local\Temp*    - PowerShell env var (the form the agent tried)
     *\C:\Users\Ed\AppData\Local\Temp*     - PowerShell env var
     *%TEMP%*        - cmd env var
     *%TMP%*         - cmd env var
     *GetTempPath*   - .NET API
     *gettempdir*    - Python tempfile module
     *mkstemp*       - Python tempfile.mkstemp
   Applied to BOTH the top-level permission.bash (for default agents)
   and the tier2-autonomous agent's permission.bash.

2. conductor/tier2/agents/tier2-autonomous.md: rewrite the Temp
   files section to explicitly list ALL forbidden literals and
   reiterate 'every one of those literal command strings is denied
   at the bash level'. Updated changelog note.

3. conductor/tier2/commands/tier-2-auto-execute.md: same.

4. tests/test_tier2_slash_command_spec.py: extend
   test_config_fragment_denies_temp_writes to assert each of the 9
   patterns in both the top-level and the agent's bash.

Verified: re-ran setup against the live clone. tier2 agent's bash
has 13 deny patterns (9 AppData/temp + 4 git). 37/37 default-on
tests pass.

Note: the user's prior commit (fix(tier2): remove AppData allow
rules from OpenCode permission JSON) already removed the AppData
allow rules from read/write and added the broader *AppData\\\\*
deny rule. This commit layers on top of that with the env-var-form
deny patterns.
2026-06-19 07:41:15 -04:00
ed cf8e0ea8f3 fix(tier2): reconcile slash command with Tier 2's project-relative paths
Same reconciliation as the agent prompt (previous commit). Three
paths in conductor/tier2/commands/tier-2-auto-execute.md now match
the actual code defaults:

  - Pre-flight step 3: scripts/tier2/state/ -> tests/artifacts/tier2_state/
  - Protocol step 3: scripts/tier2/state/ -> tests/artifacts/tier2_state/
  - 'Temp files' convention: scripts/tier2/state/ and scripts/tier2/failures/
    -> tests/artifacts/tier2_state/ and tests/artifacts/tier2_failures/

The user must re-bootstrap the Tier 2 clone to pick up the fixed
template (pwsh -File scripts/tier2/setup_tier2_clone.ps1).

Refs: conductor/tracks/tier2_no_appdata_20260618 (post-merge followup)
2026-06-18 18:26:26 -04:00
ed a16c9e4764 fix(tier2): reconcile agent prompt with Tier 2's project-relative paths
Tier 2 (in commit 923d360d) relocated the failcount state and failure
report defaults from 'scripts/tier2/state/' to 'tests/artifacts/tier2_state/'
(matching the workspace_paths.md styleguide). This commit reconciles
the agent prompt with the actual code path:

  - 'Temp files' convention: scripts/tier2/state/<track>/state.json
    -> tests/artifacts/tier2_state/<track>/state.json
  - 'Temp files' convention: scripts/tier2/failures/
    -> tests/artifacts/tier2_failures/
  - Example audit output: scripts/tier2/state/audit_initial.json
    -> tests/artifacts/tier2_state/audit_initial.json
  - 'Failcount Contract' state path updated to match.

The user must re-bootstrap the Tier 2 clone to pick up the fixed
template (pwsh -File scripts/tier2/setup_tier2_clone.ps1).

Refs: conductor/tracks/tier2_no_appdata_20260618 (post-merge followup)
2026-06-18 18:25:55 -04:00
ed ebcad9b3b1 fix(tier2): remove AppData path from agent prompt example
The 'Temp files' convention bullet had a counter-example that
referenced the AppData path explicitly. The test
tests/test_tier2_slash_command_spec.py::test_agent_denies_temp_writes
catches this and asserts NO AppData path strings in the agent prompt.

Replaced the AppData path in the counter-example with a generic
'AppData is denied by the bash rule' reference.

Refs: conductor/tracks/tier2_no_appdata_20260618
2026-06-18 14:46:07 -04:00
ed da151f74ba docs(tier2): slash command - NEVER USE APPDATA, point at inside-clone
Four changes to conductor/tier2/commands/tier-2-auto-execute.md:

1. Pre-flight step 3: previous-run check now references
   scripts/tier2/state/<track-name>/state.json (not <app-data>).
2. Protocol step 3: failcount state init path is
   scripts/tier2/state/<track-name>/state.json (not <app-data>).
3. Conventions / Temp files: rewritten to point at inside-clone paths
   and say 'NEVER USE APPDATA'. Documents the 2026-06-18 reversal.
4. Hard Bans footer: filesystem boundary now says 'Tier 2 clone only'
   (no +AppData exception) and includes the NEVER USE APPDATA rule.

Refs: conductor/tracks/tier2_no_appdata_20260618
2026-06-18 14:31:43 -04:00
ed 2e6e422bbb docs(tier2): agent prompt - NEVER USE APPDATA, point at inside-clone
Three changes to conductor/tier2/agents/tier2-autonomous.md:

1. Frontmatter permission.read / permission.write: removed the two
   AppData allow rules; only the Tier 2 clone is allowed now.
2. Frontmatter permission.bash: added '*AppData\\\\*': deny (broader
   pattern, in addition to the existing Temp-specific deny).
3. 'Hard Bans' section: rewrote the filesystem boundary line to say
   'NEVER USE APPDATA' and point at the new deny rule.
4. 'Conventions / Temp files' bullet: replaced with inside-clone
   conventions (scripts/tier2/state/, scripts/tier2/failures/,
   scripts/tier2/artifacts/<track>/). Documents the 2026-06-18 reversal.
5. 'Failcount Contract' section: state path is now
   scripts/tier2/state/<track>/state.json (Path.cwd()-relative).

Refs: conductor/tracks/tier2_no_appdata_20260618
2026-06-18 14:31:04 -04:00
ed d0bbc70a4e fix(tier2): remove AppData allow rules from OpenCode permission JSON
Before:
  - read/write allow rules for AppData/Local/manual_slop/tier2/ and
    AppData/Local/manual_slop/tier2_failures/ existed in both the
    top-level and the tier2-autonomous agent's permission blocks.
  - Bash deny rules covered only AppData/Local/Temp/.

After:
  - read/write allow only the Tier 2 clone (C:\\projects\\manual_slop_tier2\\**).
  - Bash deny rules: *AppData\\* (broader) + *AppData\\Local\\Temp\\* (kept for clarity).

The broader *AppData\\* rule catches Local, LocalLow, Roaming, and any
other subdir, not just Temp. The narrower Temp rule is kept as a
self-documenting marker for the original 2026-06-17 regression.

Per the user's 2026-06-18 'NEVER USE APPDATA' directive.

Refs: conductor/tracks/tier2_no_appdata_20260618
2026-06-18 14:30:04 -04:00
ed 03c9df8450 fix(tier2): deny %TEMP% writes - use app-data dir for temp files
The Tier 2 agent wrote audit_exception_handling.py output to
C:\\Users\\Ed\\AppData\\Local\\Temp\\audit_initial.json via shell
redirection. This is OUTSIDE the sandbox allowlist (which is
C:\\projects\\manual_slop_tier2 + C:\\Users\\Ed\\AppData\\Local\\
manual_slop\\tier2 + C:\\Users\\Ed\\AppData\\Local\\manual_slop\\
tier2_failures). The OpenCode session-level guard fires the 'ask'
prompt for paths outside the project root, which has no answer in an
autonomous session, so ops halted mid-track.

Fix (3 layers):

1. opencode.json.fragment: add bash deny rule
   '*AppData\\Local\\Temp\\*': 'deny' to BOTH the top-level
   permission.bash (for default agents) and the tier2-autonomous
   agent's permission.bash. The agent physically cannot run shell
   commands that target the global Temp dir.

2. conductor/tier2/agents/tier2-autonomous.md: add 'Temp files'
   convention telling the agent to use
   C:\\Users\\Ed\\AppData\\Local\\manual_slop\\tier2\\ for scratch
   / audit-output / intermediate files, NOT %TEMP%.

3. conductor/tier2/commands/tier-2-auto-execute.md: same convention
   in the slash command so the agent sees it at slash-command time.

Tests (default-on):
- test_agent_denies_temp_writes: agent prompt has the Temp deny in
  frontmatter bash + the app-data dir note
- test_config_fragment_denies_temp_writes: both top-level and agent
  bash have the deny rule

All 16 tier 2 slash command tests pass.

Also: cleaned up the leaked audit_initial.json + audit.json +
audit_after*.json from %TEMP% (they were leftovers from a prior
run). Re-ran setup against the live clone; opencode.json's agent
bash and top-level bash both have the deny rule.
2026-06-17 16:13:19 -04:00
ed 3ec601d4da fix(tier2): override top-level model to MiniMax-M3
The clone's opencode.json inherited the main repo's top-level 'model'
field (zai/glm-5) via 'git clone'. The tier2-autonomous agent has its
own 'model: minimax-coding-plan/MiniMax-M3' override, so the default
agent path was technically correct, but any other agent spawned without
an explicit model (or if the user manually switched to build/plan)
would have used zai/glm-5 instead of MiniMax-M3.

Fix:
1. Add top-level 'model: minimax-coding-plan/MiniMax-M3' to
   conductor/tier2/opencode.json.fragment.
2. setup_tier2_clone.ps1 merge now overrides 'model' from the fragment
   (was only overriding agent, permission, default_agent).
3. Added test_config_fragment_has_top_level_model (default-on) to
   assert the fragment's model field.
4. Added test_setup_script_overrides_model (opt-in TIER2_SANDBOX_TESTS=1)
   to assert the merge code.

All 17 tests pass (14 default-on + 3 opt-in).

Verified: re-ran setup against the live clone; opencode.json's
top-level 'model' is now minimax-coding-plan/MiniMax-M3.
2026-06-17 14:50:01 -04:00
ed 9cd8536455 fix(tier2): top-level permission allowlist - sandbox paths now enforced
Regression: a Tier 2 session was denied access to
C:\\projects\\manual_slop_tier2\\scripts\\run_tests_batched.py
with 'Allowed base directories are: gencpp, manual_slop'. The
tier2-autonomous agent had a correct permission.read allowlist, but
the top-level permission block (inherited from the main repo's
opencode.json via 'git clone') had no read/write keys, and OpenCode
uses the top-level for the default agent path. The agent's
permission.read was merged but apparently not enforced for the
default-agent access check.

Fix:
1. Add a top-level 'permission' block to
   conductor/tier2/opencode.json.fragment with:
   - permission.edit: 'deny' (default agents locked down)
   - permission.read: deny *, allow sandbox clone + app-data dirs
   - permission.write: same
   - permission.bash: deny *, allowlist of read-only git commands +
     uv run python scripts/{run_tests_batched.py,tier2/*} + basic
     shell commands. git push/checkout/restore/reset remain denied.

2. Update setup_tier2_clone.ps1 to also patch the top-level
   'permission' block (was only merging the tier2-autonomous agent
   block). The script preserves the user's mcp, model, instructions,
   watcher, and plugin settings from the inherited opencode.json.

3. Update test_tier2_slash_command_spec.py:
   - Rename test_command_fetches_origin_main -> ..._master (we
     changed the slash command on 2026-06-17).
   - Add test_config_fragment_has_top_level_permission to assert
     the new top-level permission block has the right deny-all +
     allowlist shape.

The tier2-autonomous agent's permission block is unchanged; it
overrides the top-level for that agent's tool calls.
2026-06-17 13:43:53 -04:00
ed 07a0e66a19 docs(tier2): apply user feedback - 6 workflow conventions
User feedback from the first sandbox run (send_result_to_send_20260616,
2026-06-17) identified 6 conventions Tier 2 must follow. Update the agent
prompt template, slash command template, user guide, and workflow doc:

1. Test runner: ALWAYS use 'uv run python scripts/run_tests_batched.py'
   (NOT 'uv run pytest'). The batched runner provides tier filtering,
   parallelization (xdist), and a summary table that direct pytest lacks.

2. Default branch: this repo uses 'master', not 'main'. The Tier 2 slash
   command now does 'git fetch origin master' (was 'origin main').

3. Line endings: preserve existing. This repo has a mix of CRLF and LF;
   a repo-wide LF standardization is a future track.

4. Throw-away scripts: write to 'scripts/tier2/artifacts/<track>/', NOT
   the base 'scripts/tier2/' directory. The base is reserved for
   production code; throw-away scripts are kept for archival but
   isolated per-track.

5. End-of-track report: write 'docs/reports/TRACK_COMPLETION_<track>.md'
   and update 'state.toml' to 'status=completed'. The user reads this
   to decide merge. Previously this was implicit; now it's explicit.

6. Run-time expectation: tracks are 1-4 hours. If context runs out, Tier
   2 notes progress to disk and continues. The --resume flag picks up
   from the last completed task.

Also updated the user guide with a 'Conventions' section and a
troubleshooting entry for the resume flow. The verify-the-sandbox
checklist now uses 'origin master' instead of 'origin main'.
2026-06-17 02:13:29 -04:00
ed e487d34b40 feat(tier2): add post-checkout detection hook (logs to tier2_checkout_log.txt) 2026-06-16 19:51:16 -04:00
ed 01be39236b feat(tier2): add pre-push hook that refuses all pushes 2026-06-16 19:50:58 -04:00
ed 154a370728 feat(tier2): add opencode.json.fragment with deny rules + path allowlist 2026-06-16 19:19:37 -04:00
ed 016381c4ff feat(tier2): create tier2-autonomous agent profile template 2026-06-16 19:18:36 -04:00
ed 7380e23bc0 feat(tier2): create tier-2-auto-execute slash command template 2026-06-16 19:17:41 -04:00