Enforce lockdown targets by exec basename across every matching binary #226

Merged
coilysiren merged 1 commit from issue-225 into main 2026-07-13 23:18:41 +00:00
Member

Closes #225
ward.workflow: pull-request-and-merge

This change keys lockdown protection on the executable basename, keeps expected_real_paths as integrity hints, and updates the doctor and hook paths so bare names, absolute paths, and PATH-discovered invocations all hit the same target.

  • Tests cover kubectl and gcloud across bare and absolute-path spellings.
  • Docs now tell exec authors to prefer bare names unless they intentionally pin one artifact.
  • make test and pre-commit run --all-files passed.
Closes #225 ward.workflow: pull-request-and-merge This change keys lockdown protection on the executable basename, keeps `expected_real_paths` as integrity hints, and updates the doctor and hook paths so bare names, absolute paths, and PATH-discovered invocations all hit the same target. - Tests cover `kubectl` and `gcloud` across bare and absolute-path spellings. - Docs now tell `exec` authors to prefer bare names unless they intentionally pin one artifact. - `make test` and `pre-commit run --all-files` passed.
enforce basename-wide lockdown targets
All checks were successful
ci / lint (pull_request) Successful in 16s
ci / secrets (pull_request) Successful in 2m41s
ci / test (pull_request) Successful in 3m19s
c5f8e8e664
Sign in to join this conversation.
No description provided.