chore(crew): revert AMoS scope to enumerated allowlist (lr-3ec5) #307
Replace the explicit allowed_paths ladder with the crew-canonical allow_all + empty blocklist form. Widens AMoS write scope for this repo; unblocks lr-8a08 (release.config.js and .github/workflows edits were previously out of the allowlist). schema_version stays 1.
PEACHES — clean (0 nits)
Scope migration to allow_all: true posture is schema-valid and correctly removes the allowed_paths key entirely. No unintended edits beyond .crew/amos.yaml. All other config fields (schema_version, merge_allowed, branch_conventions, builder_identity) remain unchanged. Widening is documented via task ID lr-3ec5 and PR title.
.crew/amos.yaml: allow_all and blocked_paths conform to crew-config.schema.json; no dangling allowed_paths key.
Ready for merge.
BOBBIE — blocking (1)
- .crew/amos.yaml:19-20 — bobbie.bleed.scope-widening-no-compensating-denylist — allow_all:true + blocked_paths:[] newly grants AMoS write access to .github/workflows/** (previously excluded from allowed_paths), a CI-injection surface, with zero compensating denylist entries; .crew/** was already writable pre-change so no incremental risk there, but the workflows gap is new and unmitigated.
Diff verified via GitHub API at head_sha 677a6f0: single file, .crew/amos.yaml only, 14 lines removed / 2 added (allowed_paths ladder replaced by allow_all + empty blocked_paths). No secrets, no stray files, no injection payloads — diff is scope-only as claimed.
Determination: an empty blocked_paths is not an acceptable posture on its own merits when allow_all is enabled for a repo that has a CI/CD workflow directory. Recommend blocked_paths include at minimum .github/workflows/** before merge; .crew/** was already in-scope under the prior allowlist so is not a new exposure from this diff.
scanners_run: gitleaks=not-run (single YAML config file, no scanner invoked — judgment-only per lr-e41b), trufflehog=not-run, semgrep=not-applicable (no code), osv-scanner=not-applicable (no dependency manifest touched)
review.status: blocking
allow_all + empty blocked_paths could not express 'existing workflows editable, new workflow files denied until approved' -- guard-scope.py Rule 0 ignores allowed_paths under allow_all, and blocked_paths cannot gate files that do not exist yet. Reverts to an explicit allowed_paths ladder: prior paths + release.config.js (unblocks lr-8a08) + the two existing workflow files enumerated individually (pr-checks.yml, release.yml) -- not a .github/workflows/** glob. New workflow files remain denied until added to allowed_paths via a reviewed .crew change. Resolves BOBBIE blocking finding (review 4629787115) on PR #307: allow_all gave AMoS unbounded write to .github/workflows/** (CI-injection surface). schema_version unchanged at 1.
PEACHES — clean (0 nits)
- .crew/amos.yaml scope expansion: added release.config.js, .github/workflows/pr-checks.yml, .github/workflows/release.yml to enumerated allowed_paths list.
- No allow_all, no blocked_paths glob residue. Workflows specified by exact path (intentional design: new workflow files require explicit entry, no auto-match).
- Diff scope verified: only .crew/amos.yaml modified, no stray scripts; schema_version, merge_allowed, branch_conventions, focus, avoid, builder_identity unchanged.
- YAML format normalization (quotes added for consistency) is incidental.
- All custom peaches rules (brand, SDK, hardcoded paths, cross-layer imports) orthogonal to scope config.
Ready to merge.
BOBBIE — clean
Re-audit of PR #307 (lr-3ec5) at verified head defc5e4. Diff is scoped to .crew/amos.yaml only.
Prior blocking finding (invocation 4629787115): allow_all: true combined with an empty blocked_paths gave AMoS unbounded write access to .github/workflows/**, a CI-injection surface (bobbie.bleed.3-class exposure — unbounded scope where a parameterized allow-list should serve).
This PR removes allow_all entirely and replaces it with an explicit scope.allowed_paths enumeration. New entries added: release.config.js, .github/workflows/pr-checks.yml, .github/workflows/release.yml — all three are literal file paths, not globs. No .github/workflows/** or any wildcard workflow pattern is present anywhere in the current file. blocked_paths does not appear in the file (no residue, no re-introduction). AMoS can now only write the two named pre-existing workflow files; any new/renamed workflow file is denied by default until added to allowed_paths via a reviewed .crew change.
Finding: RESOLVED. The CI-injection exposure from the prior blocking review is bounded by this change.
Diff scope check: single file changed (.crew/amos.yaml), no other files touched. gitleaks and semgrep both ran clean against the file (0 findings). No secrets, no stray files, no injection payload. Quoting-style changes (unquoted -> quoted YAML strings) on the pre-existing path entries are cosmetic and carry no security implication.
Note (non-blocking, out of scope for this finding): .crew/** remains in allowed_paths (pre-existing, unchanged by this PR), which permits AMoS to modify .crew/amos.yaml itself. This is a governance/self-modifying-scope consideration, not a citable bobbie.bleed/sast/secret/dep rule violation, and is unchanged by this diff — not raised as a finding here.
scanners_run: gitleaks (clean, 0 findings), semgrep --config=auto (clean, 0 findings, 82 rules). osv-scanner not applicable (no dependency manifest in diff).
{"reviewer": "bobbie", "review_status": "clean", "head_sha": "defc5e474ea4ce2c3bb18e8fde958153ab073f19", "pr_number": 307}
clagentic gate-note — authorized
Authorize rationale: PEACHES clean, BOBBIE clean (prior blocking resolved), tests 683/683. Scope-widening allowed_paths ladder revert in .crew/amos.yaml to unblock lr-8a08. task lr-3ec5.
Supersedes allow_all approach in same PR lr-3ec5. Reverted scope.allow_all plus empty blocked_paths back to explicit scope.allowed_paths enumeration: prior ladder (bin, lib, .crew, test, deploy, scripts, docs, package.json, README.md, CHANGELOG.md, .gitignore) unchanged, plus release.config.js (unblocks lr-8a08), plus the two existing workflow files by exact path: .github/workflows/pr-checks.yml and .github/workflows/release.yml -- not a wildcard glob. schema_version, merge_allowed, branch_conventions, focus, avoid, builder_identity untouched. Why: operator decision (lore task lr-3ec5 comment 1) -- intended posture is existing workflows editable, new workflow files denied until explicitly approved. allow_all cannot express this since guard-scope Rule 0 grants write-everywhere under allow_all regardless of allowed_paths, and blocked_paths cannot gate files that do not exist yet. Enumerated allowlist is the only construct where not-listed equals denied-by-default for future files. Resolves BOBBIE blocking finding on this PR (review 4629787115): allow_all plus empty blocked_paths gave AMoS unbounded write to the workflows directory, a CI-injection surface. Task lr-3ec5. Tests: npm test -- 683 passed, 0 failed, 0 skipped. Schema-validated amos.yaml against crew-config.schema.json (Draft 2020-12) -- valid, no allow_all key, allowed_paths matches intended list exactly. Config change -- BOBBIE re-review requested.
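
Added example (not part of the PR thread and not the project's guard-scope.py): a small model of the three scope postures discussed above, showing that only the enumerated allowlist yields "existing workflows editable, new workflow files denied". The matching semantics (exact path or `dir/**` prefix), the function names, the shortened path ladder and the new-workflow filename are assumptions made for illustration.

```python
import posixpath

EXISTING = ".github/workflows/release.yml"      # named on the page
NEW = ".github/workflows/new-deploy.yml"        # constructed: a file added later

ALLOW_ALL_EMPTY = {"allow_all": True, "blocked_paths": []}
ALLOW_ALL_BLOCK_GLOB = {"allow_all": True, "blocked_paths": [".github/workflows/**"]}
ENUMERATED = {"allowed_paths": [                # shortened ladder, assumed glob form
    "bin/**", "lib/**", ".crew/**", "release.config.js",
    ".github/workflows/pr-checks.yml", ".github/workflows/release.yml",
]}

def normalize(path):
    """Collapse '..' segments; reject paths that leave the repo root."""
    norm = posixpath.normpath(path)
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return None
    return norm

def matches(path, pattern):
    """Assumed semantics: 'dir/**' is a prefix match, anything else is exact."""
    if pattern.endswith("/**"):
        return path.startswith(pattern[:-2])
    return path == pattern

def can_write(scope, path):
    norm = normalize(path)
    if norm is None:
        return False
    if scope.get("allow_all"):
        # allowed_paths is never consulted on this branch; only the blocklist gates
        return not any(matches(norm, p) for p in scope.get("blocked_paths", []))
    # No allow_all: anything not listed is denied, including files created later
    return any(matches(norm, p) for p in scope.get("allowed_paths", []))

def posture(scope):
    """Return (existing workflow editable?, new workflow denied?)."""
    return can_write(scope, EXISTING), not can_write(scope, NEW)

if __name__ == "__main__":
    for name, scope in [("allow_all + []", ALLOW_ALL_EMPTY),
                        ("allow_all + workflows glob", ALLOW_ALL_BLOCK_GLOB),
                        ("enumerated allowlist", ENUMERATED)]:
        print(f"{name:28} {posture(scope)}")
```

Normalizing before matching matters for the allowlist form as well: without it, a path such as `bin/../.github/workflows/new-deploy.yml` would satisfy the `bin/**` prefix.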