security: add pre-commit hook that rejects staged files containing merge-conflict markers #39

Open · opened 2026-05-27 07:08:08 +00:00 by coilysiren (Owner) · 0 comments

Source: background security review on coilysiren/agent-guard during a stash-pop conflict that surfaced raw merge-conflict markers (<<<<<<<, =======, >>>>>>>) inside .claude/lockdown-deny.sh until coily lockdown regenerated the file.

Finding (MEDIUM, Agent/Subprocess Permission Bypass): A conflicted security-config file is risky to commit. Conflict markers are not valid shell, so a script-style file like lockdown-deny.sh would silently break at the next invocation. The current case resolved cleanly because the file is auto-generated, but the class of bug stands.

Suggested fix: Add a pre-commit hook (or extend an existing one in coilysiren/agentic-os/scripts/) that fails on staged files containing conflict markers. One-liner shape:

grep -RnE '^(<<<<<<< |=======$|>>>>>>> )' --include='*' <staged-files>

Wire it into the cross-repo pre-commit suite alongside catalog-doc-size, documentation-layout, etc. Catches conflict markers in any tracked file, not just .claude/.

Why agentic-os, not consumer repos: the existing pre-commit suite rolls out from coilysiren/agentic-os to every catalog repo, so the fix lands once and propagates.

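A fuller shape of the hook proposed above, as an added example that is not the agentic-os suite's own code: the hook name `check-conflict-markers` and the `run_hook` wiring are assumptions. `check_paths` scans files on disk and can be exercised in isolation; `run_hook` scans the index instead of the working tree, so a file that was staged with markers and then regenerated on disk (the stash-pop case in this issue) is still caught. Note that git writes `=======` alone on its line, so the marker pattern anchors it with `$` rather than a trailing space.

```shell
#!/bin/sh
# Added example, not the agentic-os suite's own hook: reject a commit when any
# staged file contains merge-conflict markers. Hook name and wiring are assumed.

# Git writes "<<<<<<< <label>", "=======" alone on its line, ">>>>>>> <label>",
# and with merge.conflictStyle=diff3/zdiff3 also "||||||| <label>". Each form is
# anchored exactly, so "=======" inside a quoted string mid-line is not flagged
# (a Markdown setext underline of exactly seven "=" on its own line still is).
MARKER_RE='^(<{7} |={7}$|>{7} |[|]{7} )'

# Scan working-tree paths given as arguments. Prints path:line:text for every
# hit on stderr; returns 0 when clean, 1 when any file carries a marker.
# Binary files are skipped (-I); paths that no longer exist are ignored.
check_paths() {
    bad=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -IHnE "$MARKER_RE" -- "$f" >&2; then
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Hook entry point: inspect the index (what will actually be committed) rather
# than the working tree, which may already have been re-resolved or regenerated.
run_hook() {
    list=$(mktemp) || return 2
    # Added/copied/modified/renamed paths only; deletions cannot carry markers.
    git diff --cached --name-only --diff-filter=ACMR -z > "$list"
    if [ ! -s "$list" ]; then rm -f "$list"; return 0; fi
    # git grep exits 1 on no match (xargs reports 123); judge by output instead.
    hits=$(xargs -0 git grep --cached -InE -e "$MARKER_RE" -- < "$list" || :)
    rm -f "$list"
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" >&2
        echo "error: staged files contain merge-conflict markers; resolve them first" >&2
        return 1
    fi
}

# Run as a hook when installed under that name (e.g. .git/hooks/pre-commit);
# when sourced or run under another name, only the functions are defined.
case "$0" in
    */pre-commit|*/check-conflict-markers) run_hook ;;
esac
```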
coilysiren added P3 and removed P2 labels 2026-05-31 07:00:06 +00:00
Reference
coilyco-flight-deck/agentic-os#39