Add the two Phase-5 refusal guards: pipefail env + Mind commit guard#132
Merged
Conversation
…130) Mitigations 1+2 of docs/agent_failure_modes.md, implemented. agent_bash_env.sh applies pipefail to bash -c invocations only (BASH_EXECUTION_STRING discriminator — the $0 approach was measured wrong inside BASH_ENV before shipping); mind_commit_guard.py is a PreToolUse refusal denying PyAutoMind commits without explicit file pathspecs or with directory pathspecs (the four-incidents-in-two-days shared-index sweep, converted from the memory note that failed three times). Fail-open, escape hatches, API-gate conventions. Wiring in the workspace .claude/settings.json is local config, applied separately. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This was referenced Jul 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Mitigations 1 + 2 from
docs/agent_failure_modes.md(#130/#131; campaign #155 Phase 5) — the two cheap refusal conversions, implemented:bin/agent_bash_env.sh(mitigation 1): sourced viaBASH_ENV, appliesset -o pipefailtobash -cinvocations ONLY — the agent's top-level tool commands — leaving script files' authored semantics untouched. Deletes the F2 instrument class (cmd | head; $?read the pager's exit three times in one day). Discriminator isBASH_EXECUTION_STRING; the obvious$0approach was tried first and measured wrong before shipping (inside BASH_ENV,$0readsbasheven for script invocations) — the file's comment records that, per the doc's own moral.bin/mind_commit_guard.py(mitigation 2): a PreToolUse(Bash) refusal for the shared PyAutoMind checkout — deniesgit commitwithout explicit-- <files>, and denies directory pathspecs (both sweep concurrent sessions' staged index; four incidents in two days, E1+F1×3). Follows the API gate's conventions: fail-open on its own bugs,PYAUTO_SKIP_MIND_GUARD=1escape hatch (env or command prefix), textual+cheap-fs detection with ambiguity → allow. This is the memory note that failed three times, converted into the refusal that can't not fire.Wiring (the workspace
.claude/settings.jsonenv.BASH_ENV+ the added hook entry) is local config outside any repo — applied separately and documented here; takes effect for new sessions.10 new guard tests; full suite 114 passed.
Shipped under the human-authorized corrective-PR exception for Heart RED (standing this session). PR-open only; merge stays human.
API Changes
None — two new standalone
bin/files; nothing existing changes.Test Plan
tests/test_mind_commit_guard.py: 10 cases (bare commit denied,-Cform denied, file pathspecs allowed, directory pathspec denied, non-Mind allowed, non-commit allowed, escape hatch, cwd detection, compound commands, amend/dry-run exempt).bash -c 'false | true'exits 1; a script file under the same BASH_ENV keeps pipefail off.Generated by the PyAutoLabs agent workflow.