Skip to content

feat(v1.8): AGENTS.md enforcement + empirical enforcement#22

Merged
m9751 merged 2 commits into
mainfrom
feat/v1.8-complete
Jun 27, 2026
Merged

feat(v1.8): AGENTS.md enforcement + empirical enforcement#22
m9751 merged 2 commits into
mainfrom
feat/v1.8-complete

Conversation

@m9751

@m9751 m9751 commented Jun 27, 2026

Copy link
Copy Markdown
Owner

Summary

AOF v1.8 — "AGENTS.md enforcement + empirical enforcement"

6 new hook ports:

  • agentsmd-bash-gate.sh — blocks Bash in repos without AGENTS.md read
  • agentsmd-session-inject.sh — injects AGENTS.md at session start
  • three-failure-stop-gate.sh — blocks 4th fix(...) commit without attestation
  • claim-evidence-gate-dispatch.sh — cross-platform Gate 4 dispatcher
  • claim-evidence-gate.sh — bash floor for Gate 4
  • aof-eval-opportunity-counter.sh — DPMO telemetry counter

2 new guides: when-to-write-a-hook.md, go-hook-dispatch-pattern.md

Smoke test: tests/smoke/hooks/grok-shape-normalize.sh — 9/9 pass

Quality gates passed:

  • Codex adversarial pass 1: 6 findings → all fixed
  • Codex adversarial pass 2: 3 new HIGHs → all fixed
  • PRM-INFRA-001 Stage 1: 2 HIGHs + 3 MEDs → all fixed
  • Final smoke: 9/9 pass

Test plan

  • Smoke test passes: bash tests/smoke/hooks/grok-shape-normalize.sh
  • AGENTS.md enforcement: agentsmd-bash-gate.sh blocks Grok payload, allows harmless snake_case
  • Conflict sentinel: dual-shape payload fails closed (exit 2)
  • Opportunity counter: env var unset → fail open with log line

🤖 Generated with Claude Code

m9751 and others added 2 commits June 27, 2026 17:18
6 new hook ports, 2 guides, 1 smoke test, updated normalize lib.
Two Codex adversarial passes — 6 findings fixed before tag.

Hooks:
- agentsmd-bash-gate.sh (normalize + __NH_CONFLICT__ fail-closed + scoped allowlist)
- agentsmd-session-inject.sh
- three-failure-stop-gate.sh (normalize Grok payloads)
- claim-evidence-gate-dispatch.sh
- claim-evidence-gate.sh (bash floor, Gate 4)
- aof-eval-opportunity-counter.sh (env-var secret scrub + whitespace trim)

Guides:
- guides/advanced/when-to-write-a-hook.md (advisory exception + dedup question)
- guides/advanced/go-hook-dispatch-pattern.md

Tests:
- tests/smoke/hooks/grok-shape-normalize.sh (8/8 pass)

Docs:
- AGENT_FRAMEWORK.md v1.7 → v1.8, §5.3 matrix +5 rows
- CHANGELOG.md v1.8 section
- README.md + examples/hooks/README.md updated

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
HIGH agentsmd-bash-gate: remove broad case-arm allowlist (cat *AGENTS.md
bypass); replaced with anchored grep -qF on $AGENTS_PATH only.

HIGH three-failure-stop-gate: add no-op stubs for bc_record_exit/bc_write
when breadcrumb-lib.sh is absent — prevents exit-code corruption (127)
masking legitimate exit 2 blocks.

MED aof-eval-opportunity-counter: fix python3 silent-continue in
insert_opportunity (|| return on json-encode failure); use json.dumps
for tool_name and session_id to prevent JSON injection.

MED claim-evidence-gate: extract ALL backtick-quoted paths per hit, not
just the first — multi-path claims now check every cited path.

MED smoke test: add snake_case control payload to Test 6 to prevent
false-green from gate-blocks-everything scenario.

Smoke: 9/9 pass.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@m9751
m9751 merged commit edf7b31 into main Jun 27, 2026
1 of 2 checks passed
@m9751
m9751 deleted the feat/v1.8-complete branch June 27, 2026 21:36

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a6b6f2ce7a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

# Broad pattern matching (any command containing "AGENTS.md") was bypassable via
# "cat /other/repo/AGENTS.md; <dangerous command targeting $REPO_NAME>".
# Fix: anchor to $AGENTS_PATH only. The anchored grep below is the sole allow path.
if echo "$COMMAND" | grep -qF "$AGENTS_PATH"; then

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Reject compound AGENTS.md read commands

When the first Bash call for a repo contains the exact AGENTS.md path plus any other repo operation, this branch exits 0 before checking the read breadcrumb (for example, cat ~/repos/foo/AGENTS.md; git -C ~/repos/foo status). That lets a single compound shell command bypass the AGENTS.md enforcement the hook is meant to provide, so the allow path needs to verify the command is only reading that AGENTS.md file rather than just containing its path.

Useful? React with 👍 / 👎.

Comment on lines +128 to +129
GC_MSG_BODY=$(echo "$COMMAND" | grep -oE -- '(-m[[:space:]]+|--message[[:space:]]+|--message=)("[^"]*"|[^ ]+)' | head -1 \
| sed -E 's/^(-m[[:space:]]+|--message[[:space:]]+|--message=)//; s/^"(.*)"$/\1/')

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Parse every commit message paragraph

This only captures the first -m/--message occurrence, but Git supports repeated -m options and concatenates them as separate paragraphs (git-scm docs: If multiple -m options are given, their values are concatenated as separate paragraphs.). In the common git commit -m "fix(x): ..." -m "# halted-and-researched: ..." form, the gate sees only the subject, misses the attestation in the body, and blocks the documented override on the 4th fix commit.

Useful? React with 👍 / 👎.

Comment on lines +105 to +106
reads_log="$(bc_dir)/$(bc_session_key)-reads-log"
[ -f "$reads_log" ] || return 1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Ship or reuse the read breadcrumb producer

This hard-blocking gate relies on $(bc_dir)/$(bc_session_key)-reads-log entries containing READ, but I checked the public hooks with rg -n "reads-log| READ " examples/hooks and found no producer for that contract; the existing read-gate.sh uses a different agent-reads-${CLAUDE_SESSION_ID}.log format. With only the v1.8 public hooks installed, a user can Read the cited file and still every verified against \path`` claim is blocked because this log is never populated.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant