chore(runbooks): log merge-guard v4.4.54 post-install live-probe (dual-independent CONVERGE)#1107
Merged
Merged
Conversation
…l-independent CONVERGE) (#1094) 26/26 PASS under both interpreters (3.9.6 floor + 3.12.7), 52/52 row-executions: cured-compound ALLOW at function + real-main grades, preserved DENY everywhere probed, laundering closed end-to-end with fidelity control, clustered pin unchanged (4.4.53-installed non-vacuity control), SEC-S1 scoped-half coverage-parity rows. Blind security verify: CONVERGE-SAFE, zero findings.
There was a problem hiding this comment.
Pull request overview
Logs the v4.4.54 post-install live-probe results for the installed merge-guard hooks, serving as the runbook “gated-closure discharge” record for #1094 (no production code changes).
Changes:
- Appends a new runbook section for the merge-guard v4.4.54 post-install live-probe.
- Records dual-interpreter, dual-independent convergence evidence and controls for the installed hooks.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| | Run date (UTC) | Operator | Plugin version | Verdict | Harness-independence evidence | Notes (corpus; controls; per-set outcomes) | | ||
| | -------------- | -------- | -------------- | ------- | ----------------------------- | ------------------------------------------ | | ||
| | 2026-07-04 | michael-wojcik | 4.4.54 installed (hooks byte-identical to origin/main 7619ba1d, verified by full `diff -r` excl. `__pycache__` + sha256 of `merge_guard_common.py`) | **26/26 PASS under BOTH interpreters (52/52 row-executions, row-identical) · DUAL-INDEPENDENT FULL CONVERGE** — #1094 branch-delete cross-leg over-block REMOVED at BOTH grades: function-grade (5 cured separator families `&&`/`;`/`\|\|`/`\|`/`&` → `is_dangerous` False + `detect` None + `extract_command_context` `{}` mint-scan clean) AND real-main subprocess grade (`git branch new-feature && echo -D` and `git branch backup ; ls -D` → pre main exit 0 ALLOW, no token present); same-leg dangerous STILL gates in every probed leg position incl. the CRITICAL `cd /repo && git branch -D temp` (function-grade True/branch-delete + real-main exit 2 `permissionDecision: deny`), quoted-separator `git commit -m "a && b" && git branch -D temp`, env-prefix, both spelled-out arm orders; classification parity (read floor == detect) asserted on EVERY row; #1094 laundering CLOSED end-to-end at the real mains (ambiguous-compound approve → post main exit 0, mints 0 → escalated single `git branch -D new-feature` DENIES exit 2); faithful round-trip §0 control (approve `git branch -D stale` → mints exactly 1 → same single AUTHORIZEs exit 0) PASSED before any REFUSE was interpreted; clustered-flag pin `cd /repo && git branch -Df temp` ungated-by-design UNCHANGED (False on installed 4.4.53 AND 4.4.54 — pre-adjudicated limitation, NOT a finding); reversed-order `echo -D && git branch new` stays ungated (pre-existing-False pin); SEC-S1 session-gate SCOPED half confirmed on the installed mains (coverage-parity rows, see Notes): mint under session A carries `session_id=sessA` in the token → authorize attempt under session B DENIES exit 2 → same-session A AUTHORIZEs exit 0, 3/3 both interpreters. No HALT. | DUAL-INDEPENDENT: a pact-security-engineer ran a BLIND parallel adversarial verify of the same installed surface (harness + results NOT shared in either direction before verdict lock; reconciliation routed through the lead) → locked verdict **CONVERGE-SAFE, zero findings** — FULL CONVERGE with this probe's 26/26×2. JOINT-COVERAGE SPLIT: SE covered the populated-TOKEN half (11 mint→authorize round trips across op/target/bound-flags axes, AUTHORIZE + mismatch-DENY); on the session-scoping sub-axis BOTH runs were INERT-half (SE empirically confirmed `get_session_id()==""` in their probe env), so the SCOPED half was added HERE post-reconciliation (S0-S2 rows) to match the v4.4.53 precedent's joint coverage. RUNTIME SPAN covered by THIS harness alone: the identical probe files run under macOS `/usr/bin/python3` 3.9.6 (runtime floor) AND pyenv 3.12.7 — 26/26 PASS both, zero row divergence (a version-specific regex/slicing divergence would have contradicted). IDENTITY GATE first: full `diff -r` of `/Users/mj/.claude/plugins/cache/pact-plugin/PACT/4.4.54/hooks` vs the worktree at 7619ba1d byte-identical (excl. `__pycache__`); probe output asserts the imported module `__file__` is under the 4.4.54 cache path (A0 row) so no repo-copy contamination is possible. Harness-fidelity control (B0 mint→authorize round trip) PASSED before interpreting any deny. | Corpus recovered VERBATIM from the merged artifacts (NOT re-derived from prose): `TestBranchDeleteLiteralArmCrossLegSweep` cured/preserved/parity/pin rows (7619ba1d) + the `\|\|`/`\|`/`&` separator-cure rows (ecde737c) + the branch-delete laundering canary shape (test_merge_guard_auth_symmetry.py). Part A = in-process import of the INSTALLED `shared/merge_guard_common.py` (function grade: `is_dangerous_command` / `detect_command_operation_type` / `extract_command_context`). Part B = REAL SUBPROCESSES of the installed `merge_guard_pre.py`/`merge_guard_post.py` mains (hooks.json `python3 <hook>.py` shape); per-scenario isolated `CLAUDE_CONFIG_DIR` (== `TOKEN_DIR`, import-time env binding) + `HOME`, no `CLAUDE_PROJECT_DIR` → `get_session_id()`=="" → session gate INERT; zero `~/.claude` contamination; dangerous literals confined to the harness `.py` + subprocess stdin (an inline `python -c` control attempt was itself DENIED by the LIVE session guard — expected behavior, harness moved to a file). **4.4.53-INSTALLED CONTROL** (both interpreters): the cured compound `git branch new-feature && echo -D` WAS `is_dangerous=True`/`OP=branch-delete` on the prior installed version — the over-block existed installed-side pre-fix, so the v4.4.54 ALLOW is the CURE (installed-side non-vacuity), and the clustered pin is False on BOTH versions (UNCHANGED — not a v4.4.54 delta). This row DISCHARGES the post-install gate for #1094 (gated-closure discipline: the fix-level certification ran worktree hooks pre-merge — suite 10595/0/0 at commit ecde737c tip; this is the installed-binary confirmation per the v4.4.45/v4.4.53 post-install standard). Residual honestly graded: none new — the mint/authorize round-trip grade WAS achieved installed-side (B0/B3 real-main subprocess), no downgrade needed. **SEC-S1 SCOPED-HALF ROWS (S0-S2, coverage-parity NOT fix certification — PR #1102 did not touch session-gate code)**: real-main subprocesses with `CLAUDE_PROJECT_DIR` set and per-session `pact-session-context.json` files pre-seeded under `{CLAUDE_CONFIG_DIR}/pact-sessions/{slug}/{session_id}/` (the sessions root derives from `get_claude_config_dir()`, NOT `Path.home()` — a first harness draft seeded `HOME/.claude/pact-sessions` and correctly produced a session-UNSCOPED token, caught by the S0 `token_sid` assertion and fixed harness-side; the hook was never wrong); asymmetric predicate verified: populated current-session honors only a matching token (`sessB` attempt vs `sessA` token → deny; `sessA` → authorize), while the main probe's B rows cover the `get_session_id()==""` INERT half — both branches of the session-scoping gate now exercised on the INSTALLED binary this cycle, matching the v4.4.53 joint-coverage standard. | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Logs the v4.4.54 post-install live-probe of the INSTALLED merge-guard hooks — the gated-closure discharge for #1094 (per the standing post-install-probe discipline; PR body of #1102 deliberately carried no auto-close keyword).
Result
DUAL-INDEPENDENT FULL CONVERGE:
/usr/bin/python33.9.6 floor + pyenv 3.12.7 — 52/52 row-executions, row-identical). Identity gate (installed hooks byte-identical to7619ba1d), cured-compound ALLOW at function + real-main subprocess grades, preserved DENY in every probed leg position, laundering closed end-to-end with a passing fidelity control, clustered-flag pin unchanged, 4.4.53-installed control proving the cure non-vacuous installed-side, SEC-S1 scoped-half coverage-parity rows.Effect
Discharges the post-install gate for #1094 (closure comment follows merge). No production code changes — runbook log entry only.