9cd8536455
Regression: a Tier 2 session was denied access to
C:\\projects\\manual_slop_tier2\\scripts\\run_tests_batched.py
with 'Allowed base directories are: gencpp, manual_slop'. The
tier2-autonomous agent had a correct permission.read allowlist, but
the top-level permission block (inherited from the main repo's
opencode.json via 'git clone') had no read/write keys, and OpenCode
uses the top-level for the default agent path. The agent's
permission.read was merged but apparently not enforced for the
default-agent access check.
Fix:
1. Add a top-level 'permission' block to
conductor/tier2/opencode.json.fragment with:
- permission.edit: 'deny' (default agents locked down)
- permission.read: deny *, allow sandbox clone + app-data dirs
- permission.write: same
- permission.bash: deny *, allowlist of read-only git commands +
uv run python scripts/{run_tests_batched.py,tier2/*} + basic
shell commands. git push/checkout/restore/reset remain denied.
2. Update setup_tier2_clone.ps1 to also patch the top-level
'permission' block (was only merging the tier2-autonomous agent
block). The script preserves the user's mcp, model, instructions,
watcher, and plugin settings from the inherited opencode.json.
3. Update test_tier2_slash_command_spec.py:
- Rename test_command_fetches_origin_main -> ..._master (we
changed the slash command on 2026-06-17).
- Add test_config_fragment_has_top_level_permission to assert
the new top-level permission block has the right deny-all +
allowlist shape.
The tier2-autonomous agent's permission block is unchanged; it
overrides the top-level for that agent's tool calls.
113 lines
4.2 KiB
Python
113 lines
4.2 KiB
Python
"""Contract tests for the Tier 2 slash command, agent profile, and config fragment.
|
|
|
|
These tests verify that the templates the bootstrap copies to the Tier 2
|
|
clone contain the protocol contract that Tier 2 autonomous relies on.
|
|
"""
|
|
import json
|
|
import re
|
|
from pathlib import Path
|
|
|
|
COMMAND_PATH = Path("conductor/tier2/commands/tier-2-auto-execute.md")
|
|
AGENT_PATH = Path("conductor/tier2/agents/tier2-autonomous.md")
|
|
CONFIG_PATH = Path("conductor/tier2/opencode.json.fragment")
|
|
|
|
|
|
def test_command_file_exists() -> None:
|
|
assert COMMAND_PATH.exists()
|
|
|
|
|
|
def test_command_has_frontmatter() -> None:
|
|
content = COMMAND_PATH.read_text(encoding="utf-8")
|
|
assert re.match(r"^---\n.*?\n---\n", content, re.DOTALL)
|
|
|
|
|
|
def test_command_takes_track_name_argument() -> None:
|
|
content = COMMAND_PATH.read_text(encoding="utf-8")
|
|
assert "$ARGUMENTS" in content
|
|
assert "track-name" in content or "<track-name>" in content
|
|
|
|
|
|
def test_command_uses_git_switch_not_checkout() -> None:
|
|
content = COMMAND_PATH.read_text(encoding="utf-8")
|
|
assert "git switch -c" in content
|
|
protocol_marker = "## Protocol"
|
|
next_section_marker = "## Hard Bans"
|
|
start = content.find(protocol_marker)
|
|
end = content.find(next_section_marker)
|
|
assert start != -1 and end != -1
|
|
protocol_section = content[start:end]
|
|
import re as _re
|
|
shell_lines = _re.findall(r"^\s*\d+\.\s*`(git [^`]+)`", protocol_section, _re.MULTILINE)
|
|
assert shell_lines, "expected numbered git commands in protocol"
|
|
assert all("checkout" not in line for line in shell_lines), f"protocol uses git checkout: {shell_lines}"
|
|
|
|
|
|
def test_command_fetches_origin_master() -> None:
|
|
content = COMMAND_PATH.read_text(encoding="utf-8")
|
|
assert "git fetch origin master" in content
|
|
|
|
|
|
def test_command_initializes_failcount_state() -> None:
|
|
content = COMMAND_PATH.read_text(encoding="utf-8")
|
|
assert "load_state" in content or "fresh state" in content.lower()
|
|
|
|
|
|
def test_command_calls_should_give_up() -> None:
|
|
content = COMMAND_PATH.read_text(encoding="utf-8")
|
|
assert "should_give_up" in content
|
|
|
|
|
|
def test_command_writes_report_on_give_up() -> None:
|
|
content = COMMAND_PATH.read_text(encoding="utf-8")
|
|
assert "write_failure_report" in content
|
|
|
|
|
|
def test_command_prints_abort_banner() -> None:
|
|
content = COMMAND_PATH.read_text(encoding="utf-8")
|
|
assert "TRACK ABORTED" in content or "ABORTED" in content
|
|
|
|
|
|
def test_agent_file_exists() -> None:
|
|
assert AGENT_PATH.exists()
|
|
|
|
|
|
def test_agent_denies_destructive_git() -> None:
|
|
content = AGENT_PATH.read_text(encoding="utf-8")
|
|
assert '"git push*": deny' in content
|
|
assert '"git checkout*": deny' in content
|
|
assert '"git restore*": deny' in content
|
|
assert '"git reset*": deny' in content
|
|
|
|
|
|
def test_config_fragment_valid_json() -> None:
|
|
data = json.loads(CONFIG_PATH.read_text(encoding="utf-8"))
|
|
assert data["default_agent"] == "tier2-autonomous"
|
|
perms = data["agent"]["tier2-autonomous"]["permission"]
|
|
assert "git push*" in perms["bash"]
|
|
assert "git checkout*" in perms["bash"]
|
|
assert "git restore*" in perms["bash"]
|
|
assert "git reset*" in perms["bash"]
|
|
|
|
|
|
def test_config_fragment_has_top_level_permission() -> None:
|
|
"""Top-level permission.read/write MUST allow the sandbox dirs (added
|
|
2026-06-17 after the bug where the agent's permission.read was not
|
|
enforced for the default agent, leading to ACCESS DENIED on
|
|
manual_slop_tier2 paths)."""
|
|
data = json.loads(CONFIG_PATH.read_text(encoding="utf-8"))
|
|
assert "permission" in data
|
|
top = data["permission"]
|
|
assert "read" in top, "top-level permission.read is required"
|
|
assert top["read"].get("*") == "deny", "top-level permission.read MUST deny *"
|
|
assert top["read"].get("C:\\projects\\manual_slop_tier2\\**") == "allow", "sandbox clone path must be allowlisted"
|
|
assert "write" in top
|
|
assert top["write"].get("*") == "deny"
|
|
assert top["write"].get("C:\\projects\\manual_slop_tier2\\**") == "allow"
|
|
assert "bash" in top
|
|
assert top["bash"].get("*") == "deny", "top-level bash MUST deny * (default agents are locked down)"
|
|
assert top["bash"].get("git status*") == "allow", "read-only git commands must be in the allowlist"
|
|
assert top["bash"].get("git push*") == "deny"
|
|
assert top["bash"].get("git checkout*") == "deny"
|
|
assert top["bash"].get("git restore*") == "deny"
|
|
assert top["bash"].get("git reset*") == "deny"
|