Same reconciliation as the agent prompt (previous commit). Three
paths in conductor/tier2/commands/tier-2-auto-execute.md now match
the actual code defaults:
- Pre-flight step 3: scripts/tier2/state/ -> tests/artifacts/tier2_state/
- Protocol step 3: scripts/tier2/state/ -> tests/artifacts/tier2_state/
- 'Temp files' convention: scripts/tier2/state/ and scripts/tier2/failures/
-> tests/artifacts/tier2_state/ and tests/artifacts/tier2_failures/
The user must re-bootstrap the Tier 2 clone to pick up the fixed
template (pwsh -File scripts/tier2/setup_tier2_clone.ps1).
Refs: conductor/tracks/tier2_no_appdata_20260618 (post-merge followup)
Tier 2 (in commit 923d360d) relocated the failcount state and failure
report defaults from 'scripts/tier2/state/' to 'tests/artifacts/tier2_state/'
(matching the workspace_paths.md styleguide). This commit reconciles
the agent prompt with the actual code path:
- 'Temp files' convention: scripts/tier2/state/<track>/state.json
-> tests/artifacts/tier2_state/<track>/state.json
- 'Temp files' convention: scripts/tier2/failures/
-> tests/artifacts/tier2_failures/
- Example audit output: scripts/tier2/state/audit_initial.json
-> tests/artifacts/tier2_state/audit_initial.json
- 'Failcount Contract' state path updated to match.
The user must re-bootstrap the Tier 2 clone to pick up the fixed
template (pwsh -File scripts/tier2/setup_tier2_clone.ps1).
Refs: conductor/tracks/tier2_no_appdata_20260618 (post-merge followup)
The 'Temp files' convention bullet had a counter-example that
referenced the AppData path explicitly. The test
tests/test_tier2_slash_command_spec.py::test_agent_denies_temp_writes
catches this and asserts NO AppData path strings in the agent prompt.
Replaced the AppData path in the counter-example with a generic
'AppData is denied by the bash rule' reference.
Refs: conductor/tracks/tier2_no_appdata_20260618
Four changes to conductor/tier2/commands/tier-2-auto-execute.md:
1. Pre-flight step 3: previous-run check now references
scripts/tier2/state/<track-name>/state.json (not <app-data>).
2. Protocol step 3: failcount state init path is
scripts/tier2/state/<track-name>/state.json (not <app-data>).
3. Conventions / Temp files: rewritten to point at inside-clone paths
and say 'NEVER USE APPDATA'. Documents the 2026-06-18 reversal.
4. Hard Bans footer: filesystem boundary now says 'Tier 2 clone only'
(no +AppData exception) and includes the NEVER USE APPDATA rule.
Refs: conductor/tracks/tier2_no_appdata_20260618
Three changes to conductor/tier2/agents/tier2-autonomous.md:
1. Frontmatter permission.read / permission.write: removed the two
AppData allow rules; only the Tier 2 clone is allowed now.
2. Frontmatter permission.bash: added '*AppData\\\\*': deny (broader
pattern, in addition to the existing Temp-specific deny).
3. 'Hard Bans' section: rewrote the filesystem boundary line to say
'NEVER USE APPDATA' and point at the new deny rule.
4. 'Conventions / Temp files' bullet: replaced with inside-clone
conventions (scripts/tier2/state/, scripts/tier2/failures/,
scripts/tier2/artifacts/<track>/). Documents the 2026-06-18 reversal.
5. 'Failcount Contract' section: state path is now
scripts/tier2/state/<track>/state.json (Path.cwd()-relative).
Refs: conductor/tracks/tier2_no_appdata_20260618
Before:
- read/write allow rules for AppData/Local/manual_slop/tier2/ and
AppData/Local/manual_slop/tier2_failures/ existed in both the
top-level and the tier2-autonomous agent's permission blocks.
- Bash deny rules covered only AppData/Local/Temp/.
After:
- read/write allow only the Tier 2 clone (C:\\projects\\manual_slop_tier2\\**).
- Bash deny rules: *AppData\\* (broader) + *AppData\\Local\\Temp\\* (kept for clarity).
The broader *AppData\\* rule catches Local, LocalLow, Roaming, and any
other subdir, not just Temp. The narrower Temp rule is kept as a
self-documenting marker for the original 2026-06-17 regression.
Per the user's 2026-06-18 'NEVER USE APPDATA' directive.
Refs: conductor/tracks/tier2_no_appdata_20260618
The Tier 2 agent wrote audit_exception_handling.py output to
C:\\Users\\Ed\\AppData\\Local\\Temp\\audit_initial.json via shell
redirection. This is OUTSIDE the sandbox allowlist (which is
C:\\projects\\manual_slop_tier2 + C:\\Users\\Ed\\AppData\\Local\\
manual_slop\\tier2 + C:\\Users\\Ed\\AppData\\Local\\manual_slop\\
tier2_failures). The OpenCode session-level guard fires the 'ask'
prompt for paths outside the project root, which has no answer in an
autonomous session, so ops halted mid-track.
Fix (3 layers):
1. opencode.json.fragment: add bash deny rule
'*AppData\\Local\\Temp\\*': 'deny' to BOTH the top-level
permission.bash (for default agents) and the tier2-autonomous
agent's permission.bash. The agent physically cannot run shell
commands that target the global Temp dir.
2. conductor/tier2/agents/tier2-autonomous.md: add 'Temp files'
convention telling the agent to use
C:\\Users\\Ed\\AppData\\Local\\manual_slop\\tier2\\ for scratch
/ audit-output / intermediate files, NOT %TEMP%.
3. conductor/tier2/commands/tier-2-auto-execute.md: same convention
in the slash command so the agent sees it at slash-command time.
Tests (default-on):
- test_agent_denies_temp_writes: agent prompt has the Temp deny in
frontmatter bash + the app-data dir note
- test_config_fragment_denies_temp_writes: both top-level and agent
bash have the deny rule
All 16 tier 2 slash command tests pass.
Also: cleaned up the leaked audit_initial.json + audit.json +
audit_after*.json from %TEMP% (they were leftovers from a prior
run). Re-ran setup against the live clone; opencode.json's agent
bash and top-level bash both have the deny rule.
The clone's opencode.json inherited the main repo's top-level 'model'
field (zai/glm-5) via 'git clone'. The tier2-autonomous agent has its
own 'model: minimax-coding-plan/MiniMax-M3' override, so the default
agent path was technically correct, but any other agent spawned without
an explicit model (or if the user manually switched to build/plan)
would have used zai/glm-5 instead of MiniMax-M3.
Fix:
1. Add top-level 'model: minimax-coding-plan/MiniMax-M3' to
conductor/tier2/opencode.json.fragment.
2. setup_tier2_clone.ps1 merge now overrides 'model' from the fragment
(was only overriding agent, permission, default_agent).
3. Added test_config_fragment_has_top_level_model (default-on) to
assert the fragment's model field.
4. Added test_setup_script_overrides_model (opt-in TIER2_SANDBOX_TESTS=1)
to assert the merge code.
All 17 tests pass (14 default-on + 3 opt-in).
Verified: re-ran setup against the live clone; opencode.json's
top-level 'model' is now minimax-coding-plan/MiniMax-M3.
Regression: a Tier 2 session was denied access to
C:\\projects\\manual_slop_tier2\\scripts\\run_tests_batched.py
with 'Allowed base directories are: gencpp, manual_slop'. The
tier2-autonomous agent had a correct permission.read allowlist, but
the top-level permission block (inherited from the main repo's
opencode.json via 'git clone') had no read/write keys, and OpenCode
uses the top-level for the default agent path. The agent's
permission.read was merged but apparently not enforced for the
default-agent access check.
Fix:
1. Add a top-level 'permission' block to
conductor/tier2/opencode.json.fragment with:
- permission.edit: 'deny' (default agents locked down)
- permission.read: deny *, allow sandbox clone + app-data dirs
- permission.write: same
- permission.bash: deny *, allowlist of read-only git commands +
uv run python scripts/{run_tests_batched.py,tier2/*} + basic
shell commands. git push/checkout/restore/reset remain denied.
2. Update setup_tier2_clone.ps1 to also patch the top-level
'permission' block (was only merging the tier2-autonomous agent
block). The script preserves the user's mcp, model, instructions,
watcher, and plugin settings from the inherited opencode.json.
3. Update test_tier2_slash_command_spec.py:
- Rename test_command_fetches_origin_main -> ..._master (we
changed the slash command on 2026-06-17).
- Add test_config_fragment_has_top_level_permission to assert
the new top-level permission block has the right deny-all +
allowlist shape.
The tier2-autonomous agent's permission block is unchanged; it
overrides the top-level for that agent's tool calls.
User feedback from the first sandbox run (send_result_to_send_20260616,
2026-06-17) identified 6 conventions Tier 2 must follow. Update the agent
prompt template, slash command template, user guide, and workflow doc:
1. Test runner: ALWAYS use 'uv run python scripts/run_tests_batched.py'
(NOT 'uv run pytest'). The batched runner provides tier filtering,
parallelization (xdist), and a summary table that direct pytest lacks.
2. Default branch: this repo uses 'master', not 'main'. The Tier 2 slash
command now does 'git fetch origin master' (was 'origin main').
3. Line endings: preserve existing. This repo has a mix of CRLF and LF;
a repo-wide LF standardization is a future track.
4. Throw-away scripts: write to 'scripts/tier2/artifacts/<track>/', NOT
the base 'scripts/tier2/' directory. The base is reserved for
production code; throw-away scripts are kept for archival but
isolated per-track.
5. End-of-track report: write 'docs/reports/TRACK_COMPLETION_<track>.md'
and update 'state.toml' to 'status=completed'. The user reads this
to decide merge. Previously this was implicit; now it's explicit.
6. Run-time expectation: tracks are 1-4 hours. If context runs out, Tier
2 notes progress to disk and continues. The --resume flag picks up
from the last completed task.
Also updated the user guide with a 'Conventions' section and a
troubleshooting entry for the resume flow. The verify-the-sandbox
checklist now uses 'origin master' instead of 'origin main'.