Enforce lockdown targets by exec basename across every matching binary #225
Labels
No labels
burndown-2026-06
sunday-sprint
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/cli-guard#225
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
cli-guard lockdown rules must not depend on one absolute binary path. A protected target like kubectl, aws, gh, docker, or tailscale should be identified by executable name / basename and enforced across every matching binary path an agent can reach.
Problem:
Existing evidence:
Required behavior:
Acceptance criteria:
This is a security-boundary issue, not a style cleanup.
WARD-OUTCOME: submitted
details
workflow: pull-request-and-merge; review summary: skipped (temporary ward default pending brokered QA)
The implementation felt straightforward once the basename identity split was traced through doctor, hook, and docs. Confidence is high. Surprise: the godoc snapshot and doc-size guards needed a small cleanup after the comment changes.
Follow-up: PR #226 is open and green.