Add P3b-3 agent registry gate#20

Merged

lantiscooperdev merged 1 commit into

mainfrom

p3b-3-agent-registry-gate

Jun 15, 2026

lantisprime commented Jun 15, 2026

Owner

Summary

add user/project agent registry path, read/write, and exact-hash matching helpers
add canonical path/project-root helpers and project-root SHA-256 isolation
add shared canRunAgent runtime gate for built-in, ephemeral, user, and project specs
export registry/gate helpers from agents/index.ts
add registry/runtime gate negative and disk-backed tests

Tests

agents/test-fixtures/run-p3b-3-tests.sh
scripts/test-security-scan.mjs
git diff --check

Negative coverage

unregistered user specs blocked
raw-byte hash mismatch blocked
project trust inactive blocked
project registry root mismatch blocked
project approvals do not apply across roots
saved ephemeral-as-user specs blocked until registered
dangerous candidate and dangerous registry entry blocked
ephemeral without explicit request blocked
suspicious ephemeral without confirmation blocked
ephemeral non-read-only tools blocked

Scope notes

no child argv construction
no child Pi execution
no run_subagent
no chain mode
no broad TUI/registration flows


          Add P3b-3 agent registry gate

d4eb90a

lantiscooperdev approved these changes

View reviewed changes

lantiscooperdev merged commit 44e2b43 into main

1 check passed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet