Deny-by-structure foundation: shim generator + sudo-floor doctor #80

Closed
opened 2026-06-06 05:12:02 +00:00 by coilysiren · 0 comments
Owner

Foundation slice of #79 (deny-by-structure engine). The engine half of #79 already landed on main out-of-band (repocfg.Security, hook.Protected basename-deny, hookcfg.ProtectedFor, cmd/cli-guard-hook). This issue tracks the two remaining foundation pieces.

Scope

  • shim package: expand a []hook.Protected (the same set the PreToolUse engine denies, via hookcfg.ProtectedFor) into one deny shim per binary. POSIX-sh, single-quote-escaped, sh -n validated, sorted + deduped by basename. UX layer, not enforcement.
  • doctor package: verify the enforcement floor from a parsed repocfg.Security - no passwordless sudo (sudo.forbid_passwordless), real binary not agent-executable (expected_real_paths), credential env absent (credential_env). Injectable Probes; build-tagged unix exec-bit check.
  • docs: docs/deny-by-structure.md boundary-honesty walkthrough (shim is UX, sudo/ownership floor is enforcement); FEATURES + features-detail entries; regenerated godoc-current.txt.

Out of scope (stays on #79)

  • Retiring the rendered exhaustive deny path (claudeCodeRenderHookScript deny-prefix case).
  • Stripping the coily-specific binary list from lockdown/defaults.yaml.
  • These are the hard-delete retire, coordinated with the companion coily bump.

Acceptance

  • shim.For([]hook.Protected) returns sh -n-valid deny shims, table-tested.
  • doctor.Check(repocfg.Security, Probes) returns the three posture findings, table-tested.
  • make build / make test / make lint / go vet green; pre-commit clean.
Foundation slice of #79 (deny-by-structure engine). The engine half of #79 already landed on `main` out-of-band (`repocfg.Security`, `hook.Protected` basename-deny, `hookcfg.ProtectedFor`, `cmd/cli-guard-hook`). This issue tracks the two remaining foundation pieces. ## Scope - **shim** package: expand a `[]hook.Protected` (the same set the PreToolUse engine denies, via `hookcfg.ProtectedFor`) into one deny shim per binary. POSIX-sh, single-quote-escaped, `sh -n` validated, sorted + deduped by basename. UX layer, not enforcement. - **doctor** package: verify the enforcement floor from a parsed `repocfg.Security` - no passwordless sudo (`sudo.forbid_passwordless`), real binary not agent-executable (`expected_real_paths`), credential env absent (`credential_env`). Injectable `Probes`; build-tagged unix exec-bit check. - **docs**: `docs/deny-by-structure.md` boundary-honesty walkthrough (shim is UX, sudo/ownership floor is enforcement); FEATURES + features-detail entries; regenerated `godoc-current.txt`. ## Out of scope (stays on #79) - Retiring the rendered exhaustive deny path (`claudeCodeRenderHookScript` deny-prefix case). - Stripping the coily-specific binary list from `lockdown/defaults.yaml`. - These are the hard-delete retire, coordinated with the companion coily bump. ## Acceptance - `shim.For([]hook.Protected)` returns `sh -n`-valid deny shims, table-tested. - `doctor.Check(repocfg.Security, Probes)` returns the three posture findings, table-tested. - `make build` / `make test` / `make lint` / `go vet` green; pre-commit clean.
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
coilyco-flight-deck/cli-guard#80
No description provided.