Initial v3.1 spec + plan for the delta thickening of v3. v3.1 is the canonical v3 review at depth (>=3,800 LOC main review) with a chunking strategy that v3 lacked. Adds 3 new top-level sections (YAML avoidance, agent context-window, fine-tuning). Load-bearing principle: v3.1 is standalone-readable without consulting v2.3 or v3.
Adds the end-of-track artifacts for the tier2_leak_prevention_20260620
fix track:
- docs/reports/TRACK_COMPLETION_tier2_leak_prevention_20260620.md:
Full track completion report following the precedent set by
TRACK_COMPLETION_tier2_autonomous_sandbox_20260616.md. Documents
the 4 atomic commits, the 25 default-on tests, the manual
end-to-end verification, the key design decisions (auto-unstage
not exit 1, git rm --cached --force, CRLF handling, specific not
prefix patterns), the known limitations, and the next steps for
the user (push to origin, rebase stale tier-2 branches, re-run
setup on the existing clone, optional CI wiring).
- conductor/tracks/tier2_leak_prevention_20260620/metadata.json:
Track metadata (status=shipped, scope: 5 new files + 1 modified,
25 default-on tests, 5 verification criteria, 5 risk-register
entries, 2 deferred follow-up tracks).
- conductor/tracks/tier2_leak_prevention_20260620/spec.md:
Track spec (background on the 00e5a3f2 offender commit, design
with the 3-layer defense-in-depth, forbidden patterns, tests,
out-of-scope items).
- conductor/tracks/tier2_leak_prevention_20260620/plan.md:
Track plan (4 phases: revert + hook + audit + install; tasks
recorded retroactively per workflow.md "Plan is the source of
truth").
- conductor/tracks/tier2_leak_prevention_20260620/state.toml:
Track state (status=completed, current_phase=complete, 4 phases
with checkpoint SHAs, 16 tasks all completed with commit SHAs).
- conductor/tracks.md: registered as track 6f in the Active
Tracks table; added a "Recently Completed" entry with the
commit-history summary.
Per conductor/workflow.md "End-of-track report" protocol. The
report includes a "Mistake to flag" section about the
`Remove-Item -Recurse -Force` accident during verification, per
the AGENTS.md "Hard ban on destructive commands" rule (which is
specifically about `git restore`/`git checkout`/`git reset`/`git
push` but the lesson generalizes: destructive PowerShell commands
on directories with tracked files require explicit verification
before running).
Initial v3 spec + plan for the major nagent review update. Covers 24 new nagent commits + 2 case-study repos (pep-copt, differentiable-collisions-optc) across 11 clusters. v2.3 historical reviews preserved; v3 is the canonical going forward.
TIER-2 READ conductor/code_styleguides/error_handling.md end-to-end before Phase 13.
Final state:
- All 13 phases completed (checksha recorded)
- All verification flags = true (audit_strict_exits_0,
site_inventory_has_42_rows, drain_plane_render_functions_exist,
silent_swallow_count_zero, rethrow_count_zero, unclear_count_zero,
broad_catch_count_zero)
- batched_suite_11_of_11_pass = false (Tier 3 has 1 known issue:
test_gui2_performance.py measures FPS 28.46 vs 30 threshold; documented
in TRACK_COMPLETION report as a known issue for user review)
- tracks.md updated: sub-track 4 row -> 'shipped 2026-06-20'
Track shipped on the success path. All 42 migration-target sites in
src/gui_2.py resolved.
Adds a tier-2 pre-commit hook that auto-unstages sandbox-only files
from any tier-2 commit, preventing the leak that hit master in
00e5a3f2 (the offender commit that was just selectively reverted
in fab2e55b). The hook is paired with a config file that lists the
forbidden paths as substring patterns.
Design:
- Hook reads conductor/tier2/githooks/forbidden-files.txt (one
substring pattern per line; # comments and blanks ignored)
- For each staged file, checks if any pattern is a substring of
the path. If a match is found, the file is auto-unstaged via
`git rm --cached --force` (force is required when the index
has content that differs from BOTH HEAD and the working tree)
- Hook always exits 0 — it removes the leak rather than blocking
the commit. A hard reject would leave tier-2 stuck mid-flow
(tier-2 cannot run `git restore --staged`, which is banned by
the sandbox permission rules)
- The hook's config file lives at the project root so it ships
with the clone. setup_tier2_clone.ps1 will install the hook
in a follow-up commit; existing clones need to re-run setup
to get the hook
Forbidden patterns (substring matches):
- .opencode/agents/tier2-autonomous (sandbox agent prompt)
- .opencode/commands/tier-2-auto-execute (sandbox slash command)
- opencode.json (MCP path / default_agent / model override)
- mcp_paths.toml (extra_dirs cleared in clone)
Patterns are SPECIFIC (not prefix-based) so they do not match
the legitimate interactive tier-2 tech-lead prompt at
.opencode/agents/tier2-tech-lead.md.
Tests (tests/test_tier2_pre_commit_hook.py, 12 cases):
- Empty staged set: git's standard "nothing to commit" error
- Allowed files: commit succeeds normally
- Each forbidden file (agent, command, opencode.json,
mcp_paths.toml) staged: auto-unstaged, commit proceeds
- Mixed staged set: only forbidden are unstaged
- Hook silent when no leaks detected
- Hook warns (stderr) when unstaging
- Config-driven: replacing forbidden-files.txt changes the
denylist without modifying the hook
- Paths with spaces: handled correctly via git diff -z
Defense-in-depth context:
- Layer 1: OpenCode permission system (denies direct edits to
these files from the tier2-autonomous agent)
- Layer 2 (this commit): pre-commit hook (removes the leak at
the commit boundary)
- Layer 3 (follow-up commit): scripts/audit_tier2_leaks.py
(scans working tree, CI gate)