Skip to content

P0: complete the zero-config multi-host boundary wedge#271

Merged
pengfei-threemoonslab merged 7 commits into
mainfrom
codex/p0-multi-host-boundary
Jul 13, 2026
Merged

P0: complete the zero-config multi-host boundary wedge#271
pengfei-threemoonslab merged 7 commits into
mainfrom
codex/p0-multi-host-boundary

Conversation

@pengfei-threemoonslab

@pengfei-threemoonslab pengfei-threemoonslab commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

Completes the zero-config, multi-host boundary wedge for Codex, Claude Code, and Cursor. --agent is now actor metadata only: it cannot select a weaker host evaluator or change violations/control for identical input.

The former implementation had two divergent paths: shipgate check --agent claude-code|cursor still used the Codex-only evaluator, while audit --host maintained a separate, partial inventory engine. That allowed non-Codex permission expansion and protected host changes to return complete.

What changed

  • Adds one static AgentBoundaryAssessment and adapter registry shared by check, MCP, verify, preflight/trigger classification, first-look, host audit, and drift.
  • Adds a deterministic worktree collector covering staged, unstaged, deleted, renamed, and untracked protected files, with containment, symlink, encoding, and size fail-closed behavior.
  • Makes Codex, Claude Code, and Cursor first-class host adapters; keeps VS Code MCP experimental and fail-closed when changed.
  • Normalizes redacted host grants, host coverage, input coverage, violations, policies, and issues into one snapshot. Local-static host inspection remains an explicit audit --host --scope local-static opt-in.
  • Adds the neutral shipgate.agent_boundary_result/v1; keeps Codex boundary v2 as a deprecated projection of the same assessment.
  • Publishes typed host inventory/baseline/drift 0.2, including incomparability and exact re-export routing for incomplete or legacy baselines.
  • Consolidates boundary policy discovery into the packaged agent-boundary union while retaining legacy family readers for 0.16.x.
  • Adds trigger surface_class metadata and registry-derived protected paths, eliminating the hard-coded capability-trigger list.
  • Publishes package 0.16.0b4, runtime contract 15, downstream local contract 4, and regenerated schemas, instructions, skills, adoption kits, examples, and discovery artifacts. Report remains 0.32.

Safety properties

  • Static-only: no user-code imports, host execution, server calls, network access, or runtime/session authority claims.
  • One unresolved relevant file prevents complete.
  • Actor substitution cannot change coverage, violations, or control.
  • Unknown protected semantics, malformed trust roots, ambiguous local precedence, and experimental VS Code MCP changes fail closed.
  • Secret-bearing values are redacted before normalization and hashing.
  • The legacy boundary projection is derived from, and cannot be less restrictive than, the neutral result.

Review hardening

  • Redacts permission-mode and sandbox value fields before grant identity construction and serialization. Regression coverage proves the raw values cannot enter inventory, saved baseline, or drift JSON.
  • Treats comparison_status != comparable / has_drift != false as human-routed host drift in preflight and organization governance, including legacy v0.1 baselines.
  • Restores case-insensitive and nested protected-path matching for Codex config, .mcp.json, and GitHub workflows. Nested copies prevent complete; specialized host-grant semantics remain root-anchored so Shipgate does not claim a nested fixture is runtime-effective authority.
  • Extends both pre-commit hooks to static requirements, Claude commands, Cursor MCP/rules, VS Code MCP, the local downstream contract, nested workflows, and case variants.
  • Removes the dead git_diff_text wrapper and consolidates duplicate policy serialization. Deprecated legacy control models remain intentionally available as frozen-reader compatibility surfaces.

The broader boundary is intentionally fail-closed: instruction, policy, skill, and ordinary workflow edits without specialized safe semantics route to human review. This is a deliberate noise increase from the Codex-only evaluator and is documented in docs/host-boundary-support.md.

Validation

  • CI-equivalent aggregate: 3318 passed, 5 skipped; coverage 88.59% (minimum 85%).
  • Static-only adapter enforcement passed.
  • Semantic P0, binding P0, and 48-case boundary canary suites passed.
  • Unchanged large-scan 10-second wall-clock gate passed under the CI aggregate.
  • Four isolated latency-budget tests passed.
  • ruff passed across src, tests, scripts, benchmark, and harness.
  • Generated schema check passed.
  • Wheel/sdist build and twine check passed for 0.16.0b4.

Required review

Shipgate self-review correctly returns human_review_required for the boundary check and insufficient_evidence / can_merge_without_human=false for verify because this PR changes release trust roots, policies, CI, schemas, and agent instructions. This draft requires explicit maintainer review; the agent is not self-approving those changes.

@pengfei-threemoonslab
pengfei-threemoonslab marked this pull request as ready for review July 13, 2026 05:37
@pengfei-threemoonslab
pengfei-threemoonslab merged commit 15beff6 into main Jul 13, 2026
4 checks passed
@pengfei-threemoonslab
pengfei-threemoonslab deleted the codex/p0-multi-host-boundary branch July 13, 2026 21:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant