coilyco-flight-deck/agentic-os
1
0
Fork 0
Code Issues 33 Pull requests Projects Releases Packages Wiki Activity Actions

Stop telling Claude to sweep .claude/settings.json: harness blocks it, CI owns the bump #92

New issue
Open
opened 2026-05-28 08:22:49 +00:00 by coilysiren · 0 comments
coilysiren commented 2026-05-28 08:22:49 +00:00
Owner
Copy link

Problem

agentic-os/AGENTS.md ("Coily-Managed Lockdown Files") tells agents to sweep .claude/lockdown-deny.sh and .claude/settings.json into whatever commit they are already making, last-pushed wins, don't ask. But the Claude Code harness hard-blocks Claude from committing or pushing .claude/settings.json: the auto-mode classifier flags it as Self-Modification ("a hard block that user authorization cannot clear"). Observed during a fleet sync on kai-server 2026-05-28: 9 repos pushed before the classifier engaged, then it began denying, leaving the sweep half-applied.

Resolution: the harness block is correct, the policy is wrong

Claude rewriting and committing its own permission file is exactly the self-modification an agent must never be able to do. The boundary can only be widened by something outside the agent it constrains. So the block stays, and the AGENTS.md instruction must change:

  • Claude must not commit .claude/settings.json (or lockdown-deny.sh). Remove the "sweep them into your commit" guidance for these two files. Update the AGENTS.md section to say the agent leaves them dirty and does not stage them.
  • Keep committing them (do not gitignore) so a fresh clone is fail-closed before coily setup runs. See agentic-os-kai#457.
  • The canonical-bump is a CI/human operation, not an agent one. When coily's deny list changes, a CI job re-renders and commits the lockdown files across catalog repos via a bot account. Tracked in agentic-os-kai#457.

Secondary: classifier non-determinism

The same action (commit+push settings.json) succeeded on 9 repos then was hard-denied in the same batch. It should block consistently. Worth a separate report to the harness owners, noted here for the record.

Doc edit needed here

Rewrite the "Coily-Managed Lockdown Files" section of agentic-os/AGENTS.md: agents leave the files dirty, never stage them; CI owns the canonical-bump; the files stay committed for fail-closed bootstrap.

**Problem** `agentic-os/AGENTS.md` ("Coily-Managed Lockdown Files") tells agents to sweep `.claude/lockdown-deny.sh` and `.claude/settings.json` into whatever commit they are already making, last-pushed wins, don't ask. But the Claude Code harness hard-blocks Claude from committing or pushing `.claude/settings.json`: the auto-mode classifier flags it as Self-Modification ("a hard block that user authorization cannot clear"). Observed during a fleet sync on kai-server 2026-05-28: 9 repos pushed before the classifier engaged, then it began denying, leaving the sweep half-applied. **Resolution: the harness block is correct, the policy is wrong** Claude rewriting and committing its own permission file is exactly the self-modification an agent must never be able to do. The boundary can only be widened by something outside the agent it constrains. So the block stays, and the AGENTS.md instruction must change: - **Claude must not commit `.claude/settings.json` (or `lockdown-deny.sh`).** Remove the "sweep them into your commit" guidance for these two files. Update the AGENTS.md section to say the agent leaves them dirty and does not stage them. - **Keep committing them** (do not gitignore) so a fresh clone is fail-closed before `coily setup` runs. See agentic-os-kai#457. - **The canonical-bump is a CI/human operation**, not an agent one. When coily's deny list changes, a CI job re-renders and commits the lockdown files across catalog repos via a bot account. Tracked in agentic-os-kai#457. **Secondary: classifier non-determinism** The same action (commit+push `settings.json`) succeeded on 9 repos then was hard-denied in the same batch. It should block consistently. Worth a separate report to the harness owners, noted here for the record. **Doc edit needed here** Rewrite the "Coily-Managed Lockdown Files" section of `agentic-os/AGENTS.md`: agents leave the files dirty, never stage them; CI owns the canonical-bump; the files stay committed for fail-closed bootstrap.
coilysiren changed title from Lockdown-file sweep policy contradicts harness self-modification block on .claude/settings.json to Stop telling Claude to sweep .claude/settings.json: harness blocks it, CI owns the bump 2026-05-28 08:30:31 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
docs-o2r-command-delivery-qwen-storage
v0.11.1
v0.11.0
v0.10.0
v0.9.0
v0.8.0
v0.7.0
v0.6.0
v0.5.0
v0.4.0
v0.3.0
v0.2.12
v0.2.11
v0.2.10
v0.2.9
v0.2.8
v0.2.7
v0.2.6
v0.2.5
v0.2.4
v0.2.3
v0.2.2
v0.2.1
v0.2.0
v0.1.0
Labels
Clear labels
  
P0
now / blocking / urgent

  
P1
next / important

  
P2
backlog / will do

  
P3
someday / low

  
P4
icebox / frozen / reopen if it becomes real

No labels
P0
P1
P2
P3
P4
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
coilyco-flight-deck/agentic-os#92
No description provided.