manual_slop

ed/manual_slop

Private

Public Access

Fork 0

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
ed	0528c3e3f2	test(tier2): no_temp_writes - replace AppData refs in docstring + fix Updated tests/test_no_temp_writes.py to match the 2026-06-18 reversal: - Docstring no longer mentions C:\\Users\\Ed\\AppData\\Local\\manual_slop\\tier2 or \\...\\tier2_failures as the allowed scratch dirs; the new allowed dirs are scripts/tier2/state/ and scripts/tier2/failures/ (inside the clone). - Failure-message fix string no longer suggests C:\\Users\\Ed\\AppData\\Local\\manual_slop\\tier2\\ as a target. Per the user's 2026-06-18 'NEVER USE APPDATA' directive. Refs: conductor/tracks/tier2_no_appdata_20260618	2026-06-18 14:40:04 -04:00
ed	7baef97d2c	feat(audit): add no-temp-writes audit + regression test Tier 2 sandbox invariant: no production script under ./scripts/ may write to the global %TEMP% directory (C:\\Users\\Ed\\AppData\\Local\\ Temp\\). All scratch / intermediate files must live in: - ./tests/artifacts/ (for test artifacts) - C:\\Users\\Ed\\AppData\\Local\\manual_slop\\tier2\\ (for app data) Writing to %TEMP% breaks the sandbox boundary: the OpenCode session fires the 'ask' prompt for paths outside the project root, halting autonomous ops (the 2026-06-17 bug with audit_exception_handling.py output being written to %TEMP% by the agent's shell redirection). Convention enforcement (per conductor/workflow.md Audit Script Policy): - scripts/audit_no_temp_writes.py: the canonical audit. Same shape as scripts/audit_exception_handling.py: --json for machine output, --strict for the CI gate (exits 1 on any violation). Patterns cover tempfile module, os.environ['TEMP'], C:\Users\Ed\AppData\Local\Temp, %TEMP%, /tmp/, etc. Excludes the throw-away archive at scripts/tier2/ artifacts/ and itself (so it can find its own pattern defs). - tests/test_no_temp_writes.py: default-on regression test. Calls the audit with --strict and asserts exit 0. If a new script under ./scripts/ ever uses %TEMP%, the test fails and CI breaks. Current state: CLEAN. All 36 tier2 tests pass (1 new + 16 slash command spec + 13 failcount + 6 opt-in). Sanity-checked: dropping a fake 'import tempfile' script into ./scripts/ triggered exit 1 with 'FOUND 1 matches: scripts/_test_temp_check/test_uses_temp.py:1: import tempfile'. Future: also add a corresponding deny rule to the sandbox bash permission in a follow-up if needed (already added in `03c9df84` for the agent's own bash). The audit + test is the structural guard.	2026-06-17 16:30:50 -04:00

0528c3e3f2

test(tier2): no_temp_writes - replace AppData refs in docstring + fix

Updated tests/test_no_temp_writes.py to match the 2026-06-18 reversal:
- Docstring no longer mentions C:\\Users\\Ed\\AppData\\Local\\manual_slop\\tier2
  or \\...\\tier2_failures as the allowed scratch dirs; the new allowed
  dirs are scripts/tier2/state/ and scripts/tier2/failures/ (inside
  the clone).
- Failure-message fix string no longer suggests
  C:\\Users\\Ed\\AppData\\Local\\manual_slop\\tier2\\ as a target.

Per the user's 2026-06-18 'NEVER USE APPDATA' directive.

Refs: conductor/tracks/tier2_no_appdata_20260618

2026-06-18 14:40:04 -04:00

7baef97d2c

feat(audit): add no-temp-writes audit + regression test

Tier 2 sandbox invariant: no production script under ./scripts/ may
write to the global %TEMP% directory (C:\\Users\\Ed\\AppData\\Local\\
Temp\\). All scratch / intermediate files must live in:
- ./tests/artifacts/  (for test artifacts)
- C:\\Users\\Ed\\AppData\\Local\\manual_slop\\tier2\\  (for app data)

Writing to %TEMP% breaks the sandbox boundary: the OpenCode session
fires the 'ask' prompt for paths outside the project root, halting
autonomous ops (the 2026-06-17 bug with audit_exception_handling.py
output being written to %TEMP% by the agent's shell redirection).

Convention enforcement (per conductor/workflow.md Audit Script Policy):

- scripts/audit_no_temp_writes.py: the canonical audit. Same shape
  as scripts/audit_exception_handling.py: --json for machine output,
  --strict for the CI gate (exits 1 on any violation). Patterns
  cover tempfile module, os.environ['TEMP'], C:\Users\Ed\AppData\Local\Temp, %TEMP%,
  /tmp/, etc. Excludes the throw-away archive at scripts/tier2/
  artifacts/ and itself (so it can find its own pattern defs).

- tests/test_no_temp_writes.py: default-on regression test. Calls
  the audit with --strict and asserts exit 0. If a new script
  under ./scripts/ ever uses %TEMP%, the test fails and CI breaks.

Current state: CLEAN. All 36 tier2 tests pass (1 new + 16 slash
command spec + 13 failcount + 6 opt-in). Sanity-checked: dropping
a fake 'import tempfile' script into ./scripts/ triggered exit 1
with 'FOUND 1 matches: scripts/_test_temp_check/test_uses_temp.py:1:
import tempfile'.

Future: also add a corresponding deny rule to the sandbox bash
permission in a follow-up if needed (already added in 03c9df84 for
the agent's own bash). The audit + test is the structural guard.

2026-06-17 16:30:50 -04:00

2 Commits