feat(daemon): per-repo allowed write paths (default stays docs-only)#8
Merged
Conversation
The operations-lane daemon hardcoded allowed_paths=("docs",), so the live
loop could only ever modify docs/. To let the loop attempt scoped code work
(e.g. the VPS launch-proof wedge) it needs a way to widen write paths for
specific repos without abandoning the conservative default.
- DaemonConfig.allowed_paths_by_repo: per-repo override keyed by sibling
checkout name; any repo not listed falls back to allowed_paths (docs-only).
- daemon --allow REPO=PATH_PREFIX (repeatable) wires it via the existing
_parse_repo_paths helper.
- daemon_once resolves the effective allowed paths for the picked issue's repo.
Backward compatible: no --allow → docs-only everywhere, exactly as before.
All safety rails unchanged (draft PR only, human merge, gates, eval corpus).
Validation: ruff clean, mypy --strict clean, 175 passed, evals 15/15.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context
Prep for Phase D (tracker network-operations#225): to dogfood the loop on the VPS launch-proof code (hyrule-cloud/hyrule-web), it must be able to write non-docs paths. Today the operations-lane daemon hardcodes
allowed_paths=("docs",)with no override on thedaemonsubcommand, so the live loop is docs-only and would be path-blocked from any code change.Change
DaemonConfig.allowed_paths_by_repo: per-repo override keyed by sibling checkout name (e.g.hyrule-cloud). Any repo not listed falls back toallowed_paths(docs-only).daemon --allow REPO=PATH_PREFIX(repeatable), parsed via the existing_parse_repo_pathshelper.daemon_onceresolves the effective allowed paths for the picked issue's repo before invoking the feature runner.Safety
--allow→ docs-only everywhere, exactly as before. The conservative default is unchanged; widening is explicit and per-repo.Validation
uvx ruff check src tests— cleanuv run --group dev mypy --strict src— cleanuv run --group dev pytest -q— 175 passed (+3: default docs-only, per-repo override, unlisted-repo fallback)evals run --strict— 15/15Next
After merge + pin/deploy on
loop(network-operations, scoping e.g.hyrule-cloud=hyrule_cloud,hyrule-cloud=tests,hyrule-cloud=scripts,hyrule-cloud=docs), queue the step 8–9loop:approvedissues for the loop to attempt.