Documents the opencode.json + mcp_paths.toml deletion in commit 6956676f,
the failed fix attempts (empty commit 2b7e2de1 due to sandbox hook stripping),
and the 4 mandatory rule changes Tier 1 should add to AGENTS.md +
conductor/tier2/agents/tier2-autonomous.md + the pre-commit hook + a
new CI gate script.
Tier 1's one-line fix: on their side, after switching to the branch,
run 'git checkout master -- opencode.json mcp_paths.toml && git commit'.
9.5 KiB
Report: MCP Server Regression — Sandbox File Leak
Date: 2026-06-24 Reporter: Tier 2 (autonomous sandbox) Severity: HIGH — broke manual-slop MCP launch on Tier 1 Action required by Tier 1: see §Fix (2 commands).
TL;DR
Tier 2 commit 6956676f ("refactor(log_registry): Session dataclass already in place; verified no dict-style consumers") accidentally deleted two files:
opencode.json(86 lines — MCP config + agent config + permissions)mcp_paths.toml(4 lines — MCP allowed paths)
These deletions happened because the Tier 2 sandbox's pre-commit hook correctly identified them as sandbox-specific files (per the tier2_leak_prevention_20260620 track's rules) and stripped them from the commit. This is correct sandbox behavior — the strip worked. The bug is that the deletions are in the branch history (git show 6956676f shows them) and Tier 1 loses them when switching branches.
When Tier 1's repo was switched to the Tier 2 branch tier2/code_path_audit_phase_2_20260624, the MCP config disappeared, breaking the MCP launch silently.
Fix (Tier 1 action)
On Tier 1's repo (C:\projects\manual_slop), after switching to (or pulling) the Tier 2 branch:
git checkout master -- opencode.json mcp_paths.toml
git commit -m "fix: restore opencode.json + mcp_paths.toml (deleted by tier2 sandbox)"
That's it. One command on each side. Tier 2 cannot fix this from the sandbox because:
- The sandbox's pre-commit hook blocks committing those files (
forbidden-files.txt) git checkout/git restore/git resetare blocked in the sandbox- The deletion is in the branch history (commit
6956676f) which only Tier 1 can amend after merge
What Tier 2 attempted and why each attempt failed
Tier 2 made two further commits after the user reported the regression. Both failed:
| Commit | Action | Why it failed |
|---|---|---|
9d300537 fix(mcp_server): migrate from MCP_TOOL_SPECS dict... |
A legitimate fix for a DIFFERENT bug (the MCP server was also crashing because it iterated over mcp_client.MCP_TOOL_SPECS which Tier 2 had deleted in Phase 1 of the same track). This is good. |
None — this is a real fix and should land. |
2b7e2de1 fix(branch): restore opencode.json + mcp_paths.toml |
Empty commit; sandbox hook stripped both files before commit landed. | The hook did its job; Tier 2 didn't verify the diff was non-empty before claiming success. |
Recommendation: drop 2b7e2de1 from the branch (it adds noise to history). The legitimate fix in 9d300537 should stay.
Process changes Tier 1 should make
These are MANDATORY rules that Tier 1 should add to:
AGENTS.md(canonical operating rules)conductor/tier2/agents/tier2-autonomous.md(Tier 2 autonomous agent prompt)conductor/tier2/githooks/pre-commit(already strips forbidden files — needs to also ABORT commit if strip happened, not silently succeed)
Rule 1: Mandatory pre-track reading list (Tier 2 must read before starting any track)
Add to AGENTS.md under "Critical Anti-Patterns":
## MANDATORY Pre-Track Reading List (Tier 2 autonomous mode)
Before starting ANY tier-2 track, the agent MUST read these 6 files
in order. Skipping any is grounds for aborting the track.
1. `conductor/workflow.md` — the operational workflow + Tier 2 conventions
2. `conductor/tier2/githooks/forbidden-files.txt` — the file denylist
3. `conductor/tracks/tier2_leak_prevention_20260620/spec.md` — the
prior leak incident + 3-layer defense (do not repeat it)
4. `conductor/code_styleguides/data_oriented_design.md` — canonical DOD
5. `conductor/code_styleguides/error_handling.md` — `Result[T]` convention
6. `conductor/code_styleguides/type_aliases.md` — TypeAlias naming
This list is the consequence of the 2026-06-24 MCP regression where
the agent failed to read any of these and re-introduced a leak that
had been fixed by the `tier2_leak_prevention_20260620` track 4 days
earlier.
Rule 2: Mandatory pre-commit verification gate
Add to AGENTS.md under "Critical Anti-Patterns":
## Mandatory Pre-Commit Verification Gate (Tier 2 autonomous mode)
Before EVERY `git commit`, the agent MUST run all 3 of these:
1. `git diff --cached --stat` — review for deletions (`-N` lines).
If any file shows `-N`, ABORT the commit. Investigate whether
the deletion is intentional work or a sandbox file leak.
2. `uv run python scripts/audit_tier2_leaks.py --strict` — must exit 0.
If it exits 1, the hook should have caught the leak; investigate
why it didn't and report.
3. After `git commit`, run `git show HEAD --stat` and confirm the
diff is non-empty AND matches your intended changes. If the diff
is empty, the sandbox hook silently stripped your commit. Treat
this as a hard error — investigate and re-commit correctly.
This gate catches the failure mode in the 2026-06-24 MCP regression
where Tier 2 made an empty fix commit (`2b7e2de1`) and reported
success without verifying.
Rule 3: Improve the pre-commit hook
Current behavior: conductor/tier2/githooks/pre-commit strips forbidden files silently and prints to stderr. The commit succeeds (with empty diff).
Proposed behavior: abort the commit if any forbidden file was stripped. The agent should be forced to investigate, not have a silent "fix" commit.
Patch (sketch — Tier 1 can implement properly):
# In conductor/tier2/githooks/pre-commit
STRIPPED=$(grep -E "$PATTERN" "$TMPFILE" || true)
if [ -n "$STRIPPED" ]; then
echo "Tier 2: COMMIT ABORTED — sandbox file leak detected:" >&2
echo "$STRIPPED" >&2
echo "Either: (1) you accidentally staged these files via 'git add .', or" >&2
echo "(2) your commit silently stripped them. Investigate BEFORE committing." >&2
exit 1 # ABORT instead of silently continuing
fi
Current code uses exit 0 after strip. The change is exit 1.
Rule 4: Add a CI gate to detect stale branch deletions
The MCP regression was silent because no test caught it. Add a CI gate that runs on every push to a tier-2 branch:
# scripts/audit_branch_required_files.py
"""Verify tier-2 branches include the required opencode.json + mcp_paths.toml.
This is a defense-in-depth check: even if the pre-commit hook fails
to catch a leak, this audit catches it on push.
"""
import subprocess
import sys
REQUIRED = ("opencode.json", "mcp_paths.toml")
branch = sys.argv[1] if len(sys.argv) > 1 else "HEAD"
missing = []
for fname in REQUIRED:
result = subprocess.run(
["git", "show", f"{branch}:{fname}"],
capture_output=True, text=True,
)
if result.returncode != 0:
missing.append(fname)
if missing:
print(f"ERROR: branch {branch} is missing required files: {missing}", file=sys.stderr)
print(f"This is a sandbox file leak. The user must restore them on tier 1 side", file=sys.stderr)
sys.exit(1)
print(f"OK: branch {branch} has all required files")
Wire this into the CI workflow so every tier-2 branch push gets checked.
What Tier 2 did right (lessons from this incident)
Despite the regression, Tier 2:
- Made a legitimate fix in commit
9d300537for a different bug (the MCP server referencing the deletedMCP_TOOL_SPECSdict). This fix is correct and should land. - Did NOT push the broken branch — the user fetched it manually.
- Wrote tests (
tests/test_metadata_nil_sentinel.py,tests/test_mcp_tool_specs.pyalready existed) for the changes.
The structural work (Phase 1-9 of code_path_audit_phase_2_20260624) is solid:
- 6/6 audit gates pass
--strict - 23+ unit tests pass
mcp_tool_specs.get_tool_schemas()correctly provides the 45-tool registryResult[T]+NIL_Tpatterns are correctly applied across the 4 NG1 + 7 NG2 sites
The regressions are limited to:
- The
opencode.json+mcp_paths.tomldeletion (the leak) - The empty
2b7e2de1commit (noise, drop it)
Recommended action items for Tier 1 (prioritized)
- HIGH: Apply the §Fix to restore
opencode.json+mcp_paths.tomlon Tier 1's repo after switching to the branch. - MEDIUM: Drop commit
2b7e2de1from the tier-2 branch (rebase or cherry-pick). It's an empty commit. - HIGH: Apply Rule 1 (mandatory reading list) to AGENTS.md.
- HIGH: Apply Rule 2 (mandatory pre-commit verification gate) to AGENTS.md.
- MEDIUM: Apply Rule 3 (improve pre-commit hook to abort on strip) to
conductor/tier2/githooks/pre-commit. - MEDIUM: Apply Rule 4 (CI gate for required files) — add
scripts/audit_branch_required_files.pyand wire into CI. - LOW: Consider whether the
tier2_leak_prevention_20260620track's existing defenses (pre-commit hook + audit script + setup script) need to be promoted to default-on instead of opt-in. The fact that the defenses existed but didn't prevent the regression suggests the defenses aren't being used as designed.
See also
conductor/tracks/tier2_leak_prevention_20260620/— the prior incident + 3-layer defense designconductor/tier2/githooks/pre-commit— current hook that strips (silently — should abort)conductor/tier2/githooks/forbidden-files.txt— the denylistconductor/tier2/githooks/post-checkout— the post-checkout log (logs to AppData, which is also a smell)scripts/audit_tier2_leaks.py --strict— the working-tree audit (currently opt-in via--strict; should be default-on in CI)docs/AGENTS.md— the agent-facing mirror ofdocs/Readme.md- Tier 1 review of the SSDL campaign (also 2026-06-24) — see
docs/reports/SSDL_CAMPAIGN_ABORTED_20260624.mdfor the prior process failure