fix: complete CLI --contain for all write paths by SebTardif · Pull Request #1410 · patchloom/patchloom · GitHub

Merged: SebTardif merged 2 commits into main from fix/contain-full-write-paths-20260704 on Jul 4, 2026

@SebTardif


Summary

Completes optional CLI workspace containment after partial land in #1407.

Test plan

  • cargo test --lib --all-features rename::
  • cargo test --test integration --all-features contain (filter via names)
  • make check-fast

Closes #1406
Closes #1409
Ref #1408

SebTardif added 2 commits July 4, 2026 05:20
Engine-backed renames already used PathGuard via stage_for_write. The
write_dispatch callback path (binary and case-only renames) did not,
so agents could still escape a --cwd workspace with rename ../ under
--contain. Check both from and to early for all rename modes, document
full write coverage, and add unit plus integration tests.

Closes #1406
Closes #1409

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

Phase 4 (#1376) closed while four domain monofiles still carried that
tracker. Point waivers at open #1408, document co-located MCP tests as
intentional, and accept any #NNNN in the hygiene check so the living
tracker can move without hardcoding a closed issue.

Ref #1408

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

SebTardif enabled auto-merge (squash) July 4, 2026 12:20
SebTardif merged commit 7a242fe into main Jul 4, 2026
51 checks passed
SebTardif deleted the fix/contain-full-write-paths-20260704 branch July 4, 2026 12:28
SebTardif added a commit that referenced this pull request Jul 4, 2026

## Summary

Multi-perspective improvement cycle (post #1410) focused on agent-facing
accuracy and residual `--contain` edge cases.

- **Agent rules / PATCHLOOM.md:** stop claiming the CLI has no containment; document `patchloom --cwd <ws> --contain` for CLI sandboxes (MCP+CLI and CLI-only modes)
- **concepts.md:** agent-author guidance mentions CLI `--contain`
- **Tests:** delete `--contain` integration coverage; create rejects absolute paths under `--contain` (MCP `AbsolutePathPolicy::Reject` parity)
- **Help text:** `--contain` documents absolute path rejection
- **Hygiene:** clarify misleading `doc` write-dispatch comment

## Perspectives (cycle 12)

| Perspective | Outcome |
|-------------|---------|
| QA | delete contain tests; agent-rules stale claim fixed |
| Developer | machete clean; doc comment fix |
| End User | agent-rules + concepts |
| Maintainer | no unused deps |
| Ops/SRE | AGENTS.md `make check` matches Makefile |
| Security / Adversarial | absolute-path under contain |
| Spec/Contract | `--help` wording |
| Others (PM, Perf, Compat, Arch, Contributor, Observability) | no-op / verified |

## Test plan

- [x] `make check-fast`
- [x] `cargo test --lib --all-features documents_contain create_with_contain`
- [x] `cargo test --test integration --all-features test_delete_contain`

---------

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
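
The commit messages above describe two containment rules: check both `from` and `to` of a rename before any write, and reject absolute paths under `--contain`. The following is an added illustration of such a check, not patchloom's code; `check_contained`, `check_rename` and `ContainError` are hypothetical names, and `/ws` is a constructed workspace root.

```rust
use std::ffi::OsStr;
use std::path::{Component, Path, PathBuf};

/// Why a path was refused (hypothetical error type for this example).
#[derive(Debug, PartialEq)]
pub enum ContainError {
    Absolute(PathBuf),
    Escapes(PathBuf),
}

/// Lexically resolve `rel` against `root`, refusing absolute paths and any
/// `..` that would climb above `root`. Symlinks are not resolved here; a
/// production guard has to handle those separately.
pub fn check_contained(root: &Path, rel: &Path) -> Result<PathBuf, ContainError> {
    let mut kept: Vec<&OsStr> = Vec::new();
    for comp in rel.components() {
        match comp {
            Component::Prefix(_) | Component::RootDir => {
                return Err(ContainError::Absolute(rel.to_path_buf()));
            }
            Component::CurDir => {}
            Component::ParentDir => {
                // Popping past the workspace root means the path escapes it.
                if kept.pop().is_none() {
                    return Err(ContainError::Escapes(rel.to_path_buf()));
                }
            }
            Component::Normal(name) => kept.push(name),
        }
    }
    let mut out = root.to_path_buf();
    out.extend(kept);
    Ok(out)
}

/// Validate both endpoints of a rename before touching the filesystem, so
/// every rename mode passes through the same check.
pub fn check_rename(root: &Path, from: &Path, to: &Path) -> Result<(PathBuf, PathBuf), ContainError> {
    Ok((check_contained(root, from)?, check_contained(root, to)?))
}

fn main() {
    let ws = Path::new("/ws"); // constructed workspace root
    for (from, to) in [("a.txt", "sub/b.txt"), ("a.txt", "../b.txt"), ("/etc/x", "b.txt")] {
        println!("{from} -> {to}: {:?}", check_rename(ws, Path::new(from), Path::new(to)));
    }
}
```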