Add trusted authorization for exact coding-agent pushes#281
Draft
pengfei-threemoonslab wants to merge 1 commit into
Draft
Add trusted authorization for exact coding-agent pushes#281pengfei-threemoonslab wants to merge 1 commit into
pengfei-threemoonslab wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
review_requiredreceipt and complete closed review set.agent_action_requiredcommand.Why
PR #274 correctly made conversation-level approval and coding-agent-authored declarations insufficient to clear a human-review boundary. That fail-closed behavior also exposed an adoption problem: users normally ask Codex or Claude Code to perform the reviewed operation.
This follow-up adds a narrow trusted bridge. A coding agent still cannot approve itself or invent semantic declarations. A separately protected host authenticates the human and signs one exact operation bound to the reviewed receipt, artifact set, engine, executor, repository, base/merge/source identities, trees, complete review set, destination ref, HTTPS endpoint, and force-with-lease OID.
Security and behavior
release_decision,merge_verdict, merge authority, and completion authority never change.git pushis never exposed as agent authority.index-pack/fsckvalidated. Pack stdout, stderr, and elapsed time are bounded; SHA-1 and SHA-256 repositories are covered.Validation
python -m pytest -q --ignore=tests/test_packaging.pypytest tests/test_packaging.py -q— 6 passedpython -m ruff check .python scripts/generate_schemas.py --checkllms-full.txtcontract checkscontrol.state=complete,decision=passed,merge_verdict=mergeablesha256:039fde3df8b743d4631d839079ec704933ad70ce546734e6bcacaa34d4646af5Human-owned follow-up before marking ready
Protected agent instructions were intentionally not edited by the coding agent. After reviewing this protocol, a human should update the protected
AGENTS.md, shippedSKILL.mdcopies, Cursor/Claude instruction surfaces, and mirrored verifier prompts to describe therequest → external sign → reverify → guarded executeflow, then regenerate parity outputs.