coily lockdown does not enforce its routes when a session runs from the coilysiren repo-parent directory #7

Open
opened 2026-05-23 20:53:17 +00:00 by coilysiren · 0 comments
Owner

Originally filed by @coilysiren on 2026-05-21T05:00:08Z - https://github.com/coilysiren/agent-guard/issues/25

**Problem** - coily's lockdown routes (including the `mcporter` deny) are not enforced when a Claude Code session runs from the coilysiren repo-parent directory `~/projects/coilysiren`.

**Mechanism** - The PreToolUse hook calls `detectGuard(cwd)` (`cmd/agent-guard/hook.go`), which walks up from cwd looking for a `.coily/coily.yaml` or `.agent-guard/agent-guard.yaml` marker. `~/projects/coilysiren` has no marker, nor does any parent (`~/projects`, `~`). So `detectGuard` reaches its `parent == dir` fallthrough and returns `"agent-guard"`.

`routeHint` then consults `agentGuardRoutes`, the smaller table. `mcporter` lives only in `coilyRoutes`. Result: bare `mcporter` runs un-denied from the repo-parent cwd. Verified twice this session - once at `/luca-inspect` start, once right after upgrading agent-guard to v0.1.0. Inside an actual coily repo (e.g. `~/projects/coilysiren/luca`, which has `.coily/coily.yaml`) the guard correctly resolves to `coily` and `mcporter` is denied.

**Why it matters** - Sessions are deliberately launched from `~/projects/coilysiren` to widen the harness auto-allow scope for cross-repo work (the "elevated cwd" / Workspace Shape pattern). That is the intended workflow, so the repo-parent is a first-class working directory. Today every coily-only lockdown route silently no-ops there.

**Candidate fixes** (pick one, design call):

1. Add host-level binaries like `mcporter` to `agentGuardRoutes` as well. Cleanest for `mcporter` specifically - it is a host-level tool that should be denied regardless of which repo the cwd sits in. Does not fix coily-only routes that are genuinely repo-scoped.
2. Make `detectGuard` resolve the coilysiren repo-parent to `coily` - e.g. if every immediate child dir is a coily repo, or via an explicit marker dropped at `~/projects/coilysiren`. Fixes the whole class, but needs a non-repo marker convention.
3. Drop a `.coily/coily.yaml` (or a lighter marker file) at `~/projects/coilysiren` so the existing walk-up finds it. Smallest change, but puts a coily marker in a non-repo directory.

Found via `/luca-inspect` on 2026-05-20.

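
As an added illustration (not the agent-guard project's own code), the Go program below reconstructs the marker walk-up the issue describes and shows the fallthrough: a repo-parent directory with no marker resolves to `agent-guard` and its smaller route table, so the `mcporter` deny never fires, while the child repo carrying `.coily/coily.yaml` resolves to `coily` and denies it. `routeHintWithHostDeny` models candidate fix 1 (a host-level deny that applies whichever guard was detected). The marker paths, the names `detectGuard`, `routeHint`, `coilyRoutes` and `agentGuardRoutes` come from the issue; the table contents, the allow-by-default for unlisted binaries, the `Outcome` type, `Demo`, `hostLevelRoutes` and the temporary workspace layout are assumptions made for this example, which also assumes no marker file exists in the temp directory's ancestors.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Marker files the walk-up looks for, and the guard each one selects.
// Paths are taken from the issue; this struct is the example's own.
var markers = []struct{ rel, guard string }{
	{filepath.Join(".coily", "coily.yaml"), "coily"},
	{filepath.Join(".agent-guard", "agent-guard.yaml"), "agent-guard"},
}

// Route tables, constructed for this example. Only their shape is taken from
// the issue: mcporter has a deny entry in coilyRoutes and none in agentGuardRoutes.
var (
	coilyRoutes      = map[string]string{"mcporter": "deny"}
	agentGuardRoutes = map[string]string{}
	// Candidate fix 1 (assumed layout): host-level binaries denied for every guard.
	hostLevelRoutes = map[string]string{"mcporter": "deny"}
)

// detectGuard walks up from cwd and returns the guard named by the first marker
// it finds; at the filesystem root it falls through to "agent-guard".
func detectGuard(cwd string) string {
	dir := filepath.Clean(cwd)
	for {
		for _, m := range markers {
			if _, err := os.Stat(filepath.Join(dir, m.rel)); err == nil {
				return m.guard
			}
		}
		parent := filepath.Dir(dir)
		if parent == dir { // root reached: the parent == dir fallthrough
			return "agent-guard"
		}
		dir = parent
	}
}

// routeHint is the current behaviour: consult only the detected guard's table.
// Binaries absent from the table are allowed (assumption for this example).
func routeHint(guard, binary string) string {
	table := agentGuardRoutes
	if guard == "coily" {
		table = coilyRoutes
	}
	if verdict, ok := table[binary]; ok {
		return verdict
	}
	return "allow"
}

// routeHintWithHostDeny models candidate fix 1: host-level denies are checked
// first, independent of which guard the cwd resolved to.
func routeHintWithHostDeny(guard, binary string) string {
	if verdict, ok := hostLevelRoutes[binary]; ok {
		return verdict
	}
	return routeHint(guard, binary)
}

// Outcome records what each cwd resolves to, before and after the fix.
type Outcome struct {
	ParentGuard, RepoGuard     string
	ParentVerdict, RepoVerdict string
	ParentVerdictAfterFix      string
}

// Demo builds a throwaway workspace shaped like the one in the issue
// (<tmp>/coilysiren holding one coily repo <tmp>/coilysiren/luca) and
// evaluates a bare mcporter invocation from both directories.
func Demo() (Outcome, error) {
	var out Outcome
	root, err := os.MkdirTemp("", "agent-guard-demo")
	if err != nil {
		return out, err
	}
	defer os.RemoveAll(root)

	parent := filepath.Join(root, "coilysiren") // repo-parent: no marker here or above
	repo := filepath.Join(parent, "luca")       // a coily repo with its marker
	if err := os.MkdirAll(filepath.Join(repo, ".coily"), 0o755); err != nil {
		return out, err
	}
	marker := filepath.Join(repo, ".coily", "coily.yaml")
	if err := os.WriteFile(marker, []byte("{}\n"), 0o644); err != nil {
		return out, err
	}

	out.ParentGuard = detectGuard(parent)
	out.RepoGuard = detectGuard(repo)
	out.ParentVerdict = routeHint(out.ParentGuard, "mcporter")
	out.RepoVerdict = routeHint(out.RepoGuard, "mcporter")
	out.ParentVerdictAfterFix = routeHintWithHostDeny(out.ParentGuard, "mcporter")
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("repo-parent: guard=%s mcporter=%s (after fix 1: %s)\n",
		out.ParentGuard, out.ParentVerdict, out.ParentVerdictAfterFix)
	fmt.Printf("coily repo:  guard=%s mcporter=%s\n", out.RepoGuard, out.RepoVerdict)
}
```

Running it prints the gap directly: the repo-parent resolves to `agent-guard` with `mcporter` allowed, the child repo resolves to `coily` with `mcporter` denied, and the host-level table closes the gap for the repo-parent without touching the repo-scoped routes (which is exactly the limitation fix 1 leaves open for coily-only routes).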
Reference
coilyco-flight-deck/ward#7