
chore(crew): revert AMoS scope to enumerated allowlist (lr-3ec5)#307

Merged
clagentic-merger[bot] merged 2 commits into main from chore/lr-3ec5-amos-allow-all
Jul 4, 2026

@clagentic-builder clagentic-builder Bot commented Jul 4, 2026

Contributor

Supersedes allow_all approach in same PR lr-3ec5. Reverted scope.allow_all plus empty blocked_paths back to explicit scope.allowed_paths enumeration: prior ladder (bin, lib, .crew, test, deploy, scripts, docs, package.json, README.md, CHANGELOG.md, .gitignore) unchanged, plus release.config.js (unblocks lr-8a08), plus the two existing workflow files by exact path: .github/workflows/pr-checks.yml and .github/workflows/release.yml -- not a wildcard glob. schema_version, merge_allowed, branch_conventions, focus, avoid, builder_identity untouched. Why: operator decision (lore task lr-3ec5 comment 1) -- intended posture is existing workflows editable, new workflow files denied until explicitly approved. allow_all cannot express this since guard-scope Rule 0 grants write-everywhere under allow_all regardless of allowed_paths, and blocked_paths cannot gate files that do not exist yet. Enumerated allowlist is the only construct where not-listed equals denied-by-default for future files. Resolves BOBBIE blocking finding on this PR (review 4629787115): allow_all plus empty blocked_paths gave AMoS unbounded write to the workflows directory, a CI-injection surface. Task lr-3ec5. Tests: npm test -- 683 passed, 0 failed, 0 skipped. Schema-validated amos.yaml against crew-config.schema.json (Draft 2020-12) -- valid, no allow_all key, allowed_paths matches intended list exactly. Config change -- BOBBIE re-review requested.

Replace the explicit allowed_paths ladder with the crew-canonical
allow_all + empty blocklist form. Widens AMoS write scope for this
repo; unblocks lr-8a08 (release.config.js and .github/workflows edits
were previously out of the allowlist). schema_version stays 1.

@clagentic-reviewer clagentic-reviewer Bot left a comment


PEACHES — clean (0 nits)

Scope migration to allow_all: true posture is schema-valid and correctly removes the allowed_paths key entirely. No unintended edits beyond .crew/amos.yaml. All other config fields (schema_version, merge_allowed, branch_conventions, builder_identity) remain unchanged. Widening is documented via task ID lr-3ec5 and PR title.

  • .crew/amos.yaml: allow_all and blocked_paths conform to crew-config.schema.json; no dangling allowed_paths key.

Ready for merge.

@clagentic-security clagentic-security Bot left a comment


BOBBIE — blocking (1)

  • .crew/amos.yaml:19-20 — bobbie.bleed.scope-widening-no-compensating-denylist — allow_all:true + blocked_paths:[] newly grants AMoS write access to .github/workflows/** (previously excluded from allowed_paths), a CI-injection surface, with zero compensating denylist entries; .crew/** was already writable pre-change so no incremental risk there, but the workflows gap is new and unmitigated.

Diff verified via GitHub API at head_sha 677a6f0: single file, .crew/amos.yaml only, 14 lines removed / 2 added (allowed_paths ladder replaced by allow_all + empty blocked_paths). No secrets, no stray files, no injection payloads — diff is scope-only as claimed.

Determination: an empty blocked_paths is not an acceptable posture on its own merits when allow_all is enabled for a repo that has a CI/CD workflow directory. Recommend blocked_paths include at minimum .github/workflows/** before merge; .crew/** was already in-scope under the prior allowlist so is not a new exposure from this diff.

scanners_run: gitleaks=not-run (single YAML config file, no scanner invoked — judgment-only per lr-e41b), trufflehog=not-run, semgrep=not-applicable (no code), osv-scanner=not-applicable (no dependency manifest touched)

review.status: blocking

allow_all + empty blocked_paths could not express 'existing workflows
editable, new workflow files denied until approved' -- guard-scope.py
Rule 0 ignores allowed_paths under allow_all, and blocked_paths cannot
gate files that do not exist yet. Reverts to an explicit allowed_paths
ladder: prior paths + release.config.js (unblocks lr-8a08) + the two
existing workflow files enumerated individually (pr-checks.yml,
release.yml) -- not a .github/workflows/** glob. New workflow files
remain denied until added to allowed_paths via a reviewed .crew change.

Resolves BOBBIE blocking finding (review 4629787115) on PR #307:
allow_all gave AMoS unbounded write to .github/workflows/** (CI-
injection surface). schema_version unchanged at 1.
@clagentic-builder clagentic-builder Bot changed the title from "chore(crew): switch AMoS scope to allow_all posture (lr-3ec5)" to "chore(crew): revert AMoS scope to enumerated allowlist (lr-3ec5)" Jul 4, 2026

@clagentic-reviewer clagentic-reviewer Bot left a comment


PEACHES — clean (0 nits)

  • .crew/amos.yaml scope expansion: added release.config.js, .github/workflows/pr-checks.yml, .github/workflows/release.yml to enumerated allowed_paths list.
  • No allow_all, no blocked_paths glob residue. Workflows specified by exact path (intentional design: new workflow files require explicit entry, no auto-match).
  • Diff scope verified: only .crew/amos.yaml modified, no stray scripts; schema_version, merge_allowed, branch_conventions, focus, avoid, builder_identity unchanged.
  • YAML format normalization (quotes added for consistency) is incidental.
  • All custom peaches rules (brand, SDK, hardcoded paths, cross-layer imports) orthogonal to scope config.

Ready to merge.

@clagentic-security clagentic-security Bot left a comment


BOBBIE — clean

Re-audit of PR #307 (lr-3ec5) at verified head defc5e4. Diff is scoped to .crew/amos.yaml only.

Prior blocking finding (invocation 4629787115): allow_all: true combined with an empty blocked_paths gave AMoS unbounded write access to .github/workflows/**, a CI-injection surface (bobbie.bleed.3-class exposure — unbounded scope where a parameterized allow-list should serve).

This PR removes allow_all entirely and replaces it with an explicit scope.allowed_paths enumeration. New entries added: release.config.js, .github/workflows/pr-checks.yml, .github/workflows/release.yml — all three are literal file paths, not globs. No .github/workflows/** or any wildcard workflow pattern is present anywhere in the current file. blocked_paths does not appear in the file (no residue, no re-introduction). AMoS can now only write the two named pre-existing workflow files; any new/renamed workflow file is denied by default until added to allowed_paths via a reviewed .crew change.

Finding: RESOLVED. The CI-injection exposure from the prior blocking review is bounded by this change.

Diff scope check: single file changed (.crew/amos.yaml), no other files touched. gitleaks and semgrep both ran clean against the file (0 findings). No secrets, no stray files, no injection payload. Quoting-style changes (unquoted -> quoted YAML strings) on the pre-existing path entries are cosmetic and carry no security implication.

Note (non-blocking, out of scope for this finding): .crew/** remains in allowed_paths (pre-existing, unchanged by this PR), which permits AMoS to modify .crew/amos.yaml itself. This is a governance/self-modifying-scope consideration, not a citable bobbie.bleed/sast/secret/dep rule violation, and is unchanged by this diff — not raised as a finding here.

scanners_run: gitleaks (clean, 0 findings), semgrep --config=auto (clean, 0 findings, 82 rules). osv-scanner not applicable (no dependency manifest in diff).

{"reviewer": "bobbie", "review_status": "clean", "head_sha": "defc5e474ea4ce2c3bb18e8fde958153ab073f19", "pr_number": 307}
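
Added example (not part of the PR thread and not the project's guard-scope.py): a minimal model of the scope postures debated above, showing why only the enumerated allowlist yields "existing workflows editable, new workflow files denied". The `may_write` guard, its matching rules (directory-prefix match for allowlist entries, glob match for `blocked_paths`) and the sample configs are assumptions constructed for illustration.

```python
import posixpath
from fnmatch import fnmatchcase

# Constructed scope configs modelled on the postures discussed in this PR.
ALLOW_ALL = {"allow_all": True, "blocked_paths": []}
ALLOW_ALL_DENY_WF = {"allow_all": True, "blocked_paths": [".github/workflows/**"]}
ENUMERATED = {"allowed_paths": [
    "bin", "lib", ".crew", "test", "deploy", "scripts", "docs",
    "package.json", "README.md", "CHANGELOG.md", ".gitignore",
    "release.config.js",
    ".github/workflows/pr-checks.yml", ".github/workflows/release.yml",
]}


def normalize(path):
    """Return a repo-relative POSIX path, or None if it leaves the repo root."""
    norm = posixpath.normpath(path.replace("\\", "/"))
    if norm in (".", "..") or norm.startswith(("/", "../")):
        return None
    return norm


def may_write(scope, path):
    """Hypothetical guard: decide whether `path` is inside the write scope."""
    norm = normalize(path)
    if norm is None:
        return False
    if scope.get("allow_all"):
        # Assumed Rule 0 semantics: allowed_paths ignored; only blocked_paths denies.
        return not any(fnmatchcase(norm, g) for g in scope.get("blocked_paths", []))
    # Enumerated posture: an entry matches itself or, as a directory, its
    # children. Anything not listed is denied, including files created later.
    return any(norm == e or norm.startswith(e + "/")
               for e in scope.get("allowed_paths", []))


def compare(path):
    """Decision for one path under each of the three postures."""
    return {
        "allow_all": may_write(ALLOW_ALL, path),
        "allow_all+blocked_glob": may_write(ALLOW_ALL_DENY_WF, path),
        "enumerated": may_write(ENUMERATED, path),
    }


if __name__ == "__main__":
    for p in (".github/workflows/release.yml", ".github/workflows/new.yml",
              "docs/../.github/workflows/new.yml", "release.config.js"):
        print(p, compare(p))
```

Under `allow_all`, a workflows glob in `blocked_paths` denies the existing files along with new ones, and an empty list permits both; the enumerated list is the only posture here that separates them.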

@clagentic-merger

Contributor

clagentic gate-note — authorized

| field | value |
| --- | --- |
| Task | (not recorded) |
| PR | #307 (github) |
| Gated HEAD SHA | defc5e474ea4ce2c3bb18e8fde958153ab073f19 |
| Merged SHA | defc5e474ea4ce2c3bb18e8fde958153ab073f19 |
| CI at HEAD | (not recorded) |
| PEACHES | reviewed |
| Pre-checks | secret-scan · SAST · dep/vuln |
| Merged-by | naomi |

Authorize rationale: PEACHES clean, BOBBIE clean (prior blocking resolved), tests 683/683. Scope-widening allowed_paths ladder revert in .crew/amos.yaml to unblock lr-8a08. task lr-3ec5.

@clagentic-merger clagentic-merger Bot merged commit e7f60fe into main Jul 4, 2026
1 check passed
@clagentic-merger clagentic-merger Bot deleted the chore/lr-3ec5-amos-allow-all branch July 4, 2026 15:17