Adds a tier-2 pre-commit hook that auto-unstages sandbox-only files
from any tier-2 commit, preventing the leak that hit master in
00e5a3f2 (the offender commit that was just selectively reverted
in fab2e55b). The hook is paired with a config file that lists the
forbidden paths as substring patterns.
Design:
- Hook reads conductor/tier2/githooks/forbidden-files.txt (one
substring pattern per line; # comments and blanks ignored)
- For each staged file, checks if any pattern is a substring of
the path. If a match is found, the file is auto-unstaged via
`git rm --cached --force` (force is required when the index
has content that differs from BOTH HEAD and the working tree)
- Hook always exits 0 — it removes the leak rather than blocking
the commit. A hard reject would leave tier-2 stuck mid-flow
(tier-2 cannot run `git restore --staged`, which is banned by
the sandbox permission rules)
- The hook's config file lives at the project root so it ships
with the clone. setup_tier2_clone.ps1 will install the hook
in a follow-up commit; existing clones need to re-run setup
to get the hook
Forbidden patterns (substring matches):
- .opencode/agents/tier2-autonomous (sandbox agent prompt)
- .opencode/commands/tier-2-auto-execute (sandbox slash command)
- opencode.json (MCP path / default_agent / model override)
- mcp_paths.toml (extra_dirs cleared in clone)
Patterns are SPECIFIC (not prefix-based) so they do not match
the legitimate interactive tier-2 tech-lead prompt at
.opencode/agents/tier2-tech-lead.md.
Tests (tests/test_tier2_pre_commit_hook.py, 12 cases):
- Empty staged set: git's standard "nothing to commit" error
- Allowed files: commit succeeds normally
- Each forbidden file (agent, command, opencode.json,
mcp_paths.toml) staged: auto-unstaged, commit proceeds
- Mixed staged set: only forbidden are unstaged
- Hook silent when no leaks detected
- Hook warns (stderr) when unstaging
- Config-driven: replacing forbidden-files.txt changes the
denylist without modifying the hook
- Paths with spaces: handled correctly via git diff -z
Defense-in-depth context:
- Layer 1: OpenCode permission system (denies direct edits to
these files from the tier2-autonomous agent)
- Layer 2 (this commit): pre-commit hook (removes the leak at
the commit boundary)
- Layer 3 (follow-up commit): scripts/audit_tier2_leaks.py
(scans working tree, CI gate)
Follow-up to the 'NEVER USE APPDATA' directive. The agent kept
trying to use \C:\Users\Ed\AppData\Local\Temp / \C:\Users\Ed\AppData\Local\Temp / %TEMP% / %TMP% — the previous
deny rule (*AppData\\\\* and *AppData\\Local\\Temp\\*) only matched
the literal expanded path, not the env-var form. The agent would
self-block based on its own interpretation of the rule, but it still
TRIED before self-blocking (the 'fucking tired of it fucking with
AppData' complaint).
Fix:
1. opencode.json.fragment: add bash deny patterns matched against
the LITERAL command string (before shell expansion):
*\C:\Users\Ed\AppData\Local\Temp* - PowerShell env var (the form the agent tried)
*\C:\Users\Ed\AppData\Local\Temp* - PowerShell env var
*%TEMP%* - cmd env var
*%TMP%* - cmd env var
*GetTempPath* - .NET API
*gettempdir* - Python tempfile module
*mkstemp* - Python tempfile.mkstemp
Applied to BOTH the top-level permission.bash (for default agents)
and the tier2-autonomous agent's permission.bash.
2. conductor/tier2/agents/tier2-autonomous.md: rewrite the Temp
files section to explicitly list ALL forbidden literals and
reiterate 'every one of those literal command strings is denied
at the bash level'. Updated changelog note.
3. conductor/tier2/commands/tier-2-auto-execute.md: same.
4. tests/test_tier2_slash_command_spec.py: extend
test_config_fragment_denies_temp_writes to assert each of the 9
patterns in both the top-level and the agent's bash.
Verified: re-ran setup against the live clone. tier2 agent's bash
has 13 deny patterns (9 AppData/temp + 4 git). 37/37 default-on
tests pass.
Note: the user's prior commit (fix(tier2): remove AppData allow
rules from OpenCode permission JSON) already removed the AppData
allow rules from read/write and added the broader *AppData\\\\*
deny rule. This commit layers on top of that with the env-var-form
deny patterns.
Same reconciliation as the agent prompt (previous commit). Three
paths in conductor/tier2/commands/tier-2-auto-execute.md now match
the actual code defaults:
- Pre-flight step 3: scripts/tier2/state/ -> tests/artifacts/tier2_state/
- Protocol step 3: scripts/tier2/state/ -> tests/artifacts/tier2_state/
- 'Temp files' convention: scripts/tier2/state/ and scripts/tier2/failures/
-> tests/artifacts/tier2_state/ and tests/artifacts/tier2_failures/
The user must re-bootstrap the Tier 2 clone to pick up the fixed
template (pwsh -File scripts/tier2/setup_tier2_clone.ps1).
Refs: conductor/tracks/tier2_no_appdata_20260618 (post-merge followup)
Tier 2 (in commit 923d360d) relocated the failcount state and failure
report defaults from 'scripts/tier2/state/' to 'tests/artifacts/tier2_state/'
(matching the workspace_paths.md styleguide). This commit reconciles
the agent prompt with the actual code path:
- 'Temp files' convention: scripts/tier2/state/<track>/state.json
-> tests/artifacts/tier2_state/<track>/state.json
- 'Temp files' convention: scripts/tier2/failures/
-> tests/artifacts/tier2_failures/
- Example audit output: scripts/tier2/state/audit_initial.json
-> tests/artifacts/tier2_state/audit_initial.json
- 'Failcount Contract' state path updated to match.
The user must re-bootstrap the Tier 2 clone to pick up the fixed
template (pwsh -File scripts/tier2/setup_tier2_clone.ps1).
Refs: conductor/tracks/tier2_no_appdata_20260618 (post-merge followup)
The 'Temp files' convention bullet had a counter-example that
referenced the AppData path explicitly. The test
tests/test_tier2_slash_command_spec.py::test_agent_denies_temp_writes
catches this and asserts NO AppData path strings in the agent prompt.
Replaced the AppData path in the counter-example with a generic
'AppData is denied by the bash rule' reference.
Refs: conductor/tracks/tier2_no_appdata_20260618
Four changes to conductor/tier2/commands/tier-2-auto-execute.md:
1. Pre-flight step 3: previous-run check now references
scripts/tier2/state/<track-name>/state.json (not <app-data>).
2. Protocol step 3: failcount state init path is
scripts/tier2/state/<track-name>/state.json (not <app-data>).
3. Conventions / Temp files: rewritten to point at inside-clone paths
and say 'NEVER USE APPDATA'. Documents the 2026-06-18 reversal.
4. Hard Bans footer: filesystem boundary now says 'Tier 2 clone only'
(no +AppData exception) and includes the NEVER USE APPDATA rule.
Refs: conductor/tracks/tier2_no_appdata_20260618
Three changes to conductor/tier2/agents/tier2-autonomous.md:
1. Frontmatter permission.read / permission.write: removed the two
AppData allow rules; only the Tier 2 clone is allowed now.
2. Frontmatter permission.bash: added '*AppData\\\\*': deny (broader
pattern, in addition to the existing Temp-specific deny).
3. 'Hard Bans' section: rewrote the filesystem boundary line to say
'NEVER USE APPDATA' and point at the new deny rule.
4. 'Conventions / Temp files' bullet: replaced with inside-clone
conventions (scripts/tier2/state/, scripts/tier2/failures/,
scripts/tier2/artifacts/<track>/). Documents the 2026-06-18 reversal.
5. 'Failcount Contract' section: state path is now
scripts/tier2/state/<track>/state.json (Path.cwd()-relative).
Refs: conductor/tracks/tier2_no_appdata_20260618
Before:
- read/write allow rules for AppData/Local/manual_slop/tier2/ and
AppData/Local/manual_slop/tier2_failures/ existed in both the
top-level and the tier2-autonomous agent's permission blocks.
- Bash deny rules covered only AppData/Local/Temp/.
After:
- read/write allow only the Tier 2 clone (C:\\projects\\manual_slop_tier2\\**).
- Bash deny rules: *AppData\\* (broader) + *AppData\\Local\\Temp\\* (kept for clarity).
The broader *AppData\\* rule catches Local, LocalLow, Roaming, and any
other subdir, not just Temp. The narrower Temp rule is kept as a
self-documenting marker for the original 2026-06-17 regression.
Per the user's 2026-06-18 'NEVER USE APPDATA' directive.
Refs: conductor/tracks/tier2_no_appdata_20260618
The Tier 2 agent wrote audit_exception_handling.py output to
C:\\Users\\Ed\\AppData\\Local\\Temp\\audit_initial.json via shell
redirection. This is OUTSIDE the sandbox allowlist (which is
C:\\projects\\manual_slop_tier2 + C:\\Users\\Ed\\AppData\\Local\\
manual_slop\\tier2 + C:\\Users\\Ed\\AppData\\Local\\manual_slop\\
tier2_failures). The OpenCode session-level guard fires the 'ask'
prompt for paths outside the project root, which has no answer in an
autonomous session, so ops halted mid-track.
Fix (3 layers):
1. opencode.json.fragment: add bash deny rule
'*AppData\\Local\\Temp\\*': 'deny' to BOTH the top-level
permission.bash (for default agents) and the tier2-autonomous
agent's permission.bash. The agent physically cannot run shell
commands that target the global Temp dir.
2. conductor/tier2/agents/tier2-autonomous.md: add 'Temp files'
convention telling the agent to use
C:\\Users\\Ed\\AppData\\Local\\manual_slop\\tier2\\ for scratch
/ audit-output / intermediate files, NOT %TEMP%.
3. conductor/tier2/commands/tier-2-auto-execute.md: same convention
in the slash command so the agent sees it at slash-command time.
Tests (default-on):
- test_agent_denies_temp_writes: agent prompt has the Temp deny in
frontmatter bash + the app-data dir note
- test_config_fragment_denies_temp_writes: both top-level and agent
bash have the deny rule
All 16 tier 2 slash command tests pass.
Also: cleaned up the leaked audit_initial.json + audit.json +
audit_after*.json from %TEMP% (they were leftovers from a prior
run). Re-ran setup against the live clone; opencode.json's agent
bash and top-level bash both have the deny rule.
The clone's opencode.json inherited the main repo's top-level 'model'
field (zai/glm-5) via 'git clone'. The tier2-autonomous agent has its
own 'model: minimax-coding-plan/MiniMax-M3' override, so the default
agent path was technically correct, but any other agent spawned without
an explicit model (or if the user manually switched to build/plan)
would have used zai/glm-5 instead of MiniMax-M3.
Fix:
1. Add top-level 'model: minimax-coding-plan/MiniMax-M3' to
conductor/tier2/opencode.json.fragment.
2. setup_tier2_clone.ps1 merge now overrides 'model' from the fragment
(was only overriding agent, permission, default_agent).
3. Added test_config_fragment_has_top_level_model (default-on) to
assert the fragment's model field.
4. Added test_setup_script_overrides_model (opt-in TIER2_SANDBOX_TESTS=1)
to assert the merge code.
All 17 tests pass (14 default-on + 3 opt-in).
Verified: re-ran setup against the live clone; opencode.json's
top-level 'model' is now minimax-coding-plan/MiniMax-M3.
Regression: a Tier 2 session was denied access to
C:\\projects\\manual_slop_tier2\\scripts\\run_tests_batched.py
with 'Allowed base directories are: gencpp, manual_slop'. The
tier2-autonomous agent had a correct permission.read allowlist, but
the top-level permission block (inherited from the main repo's
opencode.json via 'git clone') had no read/write keys, and OpenCode
uses the top-level for the default agent path. The agent's
permission.read was merged but apparently not enforced for the
default-agent access check.
Fix:
1. Add a top-level 'permission' block to
conductor/tier2/opencode.json.fragment with:
- permission.edit: 'deny' (default agents locked down)
- permission.read: deny *, allow sandbox clone + app-data dirs
- permission.write: same
- permission.bash: deny *, allowlist of read-only git commands +
uv run python scripts/{run_tests_batched.py,tier2/*} + basic
shell commands. git push/checkout/restore/reset remain denied.
2. Update setup_tier2_clone.ps1 to also patch the top-level
'permission' block (was only merging the tier2-autonomous agent
block). The script preserves the user's mcp, model, instructions,
watcher, and plugin settings from the inherited opencode.json.
3. Update test_tier2_slash_command_spec.py:
- Rename test_command_fetches_origin_main -> ..._master (we
changed the slash command on 2026-06-17).
- Add test_config_fragment_has_top_level_permission to assert
the new top-level permission block has the right deny-all +
allowlist shape.
The tier2-autonomous agent's permission block is unchanged; it
overrides the top-level for that agent's tool calls.
User feedback from the first sandbox run (send_result_to_send_20260616,
2026-06-17) identified 6 conventions Tier 2 must follow. Update the agent
prompt template, slash command template, user guide, and workflow doc:
1. Test runner: ALWAYS use 'uv run python scripts/run_tests_batched.py'
(NOT 'uv run pytest'). The batched runner provides tier filtering,
parallelization (xdist), and a summary table that direct pytest lacks.
2. Default branch: this repo uses 'master', not 'main'. The Tier 2 slash
command now does 'git fetch origin master' (was 'origin main').
3. Line endings: preserve existing. This repo has a mix of CRLF and LF;
a repo-wide LF standardization is a future track.
4. Throw-away scripts: write to 'scripts/tier2/artifacts/<track>/', NOT
the base 'scripts/tier2/' directory. The base is reserved for
production code; throw-away scripts are kept for archival but
isolated per-track.
5. End-of-track report: write 'docs/reports/TRACK_COMPLETION_<track>.md'
and update 'state.toml' to 'status=completed'. The user reads this
to decide merge. Previously this was implicit; now it's explicit.
6. Run-time expectation: tracks are 1-4 hours. If context runs out, Tier
2 notes progress to disk and continues. The --resume flag picks up
from the last completed task.
Also updated the user guide with a 'Conventions' section and a
troubleshooting entry for the resume flow. The verify-the-sandbox
checklist now uses 'origin master' instead of 'origin main'.
ed