You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The validate job's Run tests step fails because test_permission_guard.py runs on the main branch in CI, triggering the BLOCKED_ON_MAIN guard in git-permission-guard.py before the expected ask/silent_allow logic can execute.
Trigger: push to main — fix(content-guards): bound validate-markdown parent-walk at repo / $HOME (#247)
Failed Step: Step 13 — Run tests
Root Cause Analysis
git-permission-guard.py has a BLOCKED_ON_MAIN = {"add", "commit", "push"} set. Whenever the first git subcommand token is in that set, _is_on_main_branch() is called (runs git branch --show-current). In CI the working directory is checked out on main, so it returns True and immediately returns deny — before the downstream ASK_GIT / silent-allow code paths run.
The three affected test cases expected ask or silent_allow, but the main-branch guard intercepts them first:
Test case
Command
Expected
Actual
git push --force feature branch
git push --force origin feature/my-branch
ask
deny
hooksPath in value only
git -c some.key=echo-core.hooksPath commit -m test
Note: This failure is not caused by PR #247. All 9 validate-markdown.bats tests (including the new TC9 HOME-boundary regression) pass cleanly. The test_permission_guard.py test gap surfaces whenever CI runs on the main branch.
Failed Jobs and Errors
FAIL [git push --force feature branch]: decision=deny (Expected: ask, Got: deny)
FAIL [hooksPath in value only]: decision=deny (Expected: silent_allow, Got: deny)
FAIL [hooksPath in commit message]: decision=deny (Expected: silent_allow, Got: deny)
SOME TESTS FAILED (from test_permission_guard.py)
Process completed with exit code 1.
```
## Recommended Actions
- [ ] **Option A (preferred):** Run `test_permission_guard.py` from a temporary git repo initialised on a feature branch, so `_is_on_main_branch()` returns `False` and tests execute against the logic they were written for.
- [ ] **Option B:** Add a `GIT_GUARD_SKIP_MAIN_CHECK=1` environment variable to `git-permission-guard.py` that disables `BLOCKED_ON_MAIN` when set — for test isolation only.
- [ ] **Option C (minimal):** Update the 3 failing test expectations to `deny` and add comments clarifying that those commands are correctly blocked on main — accepting that the test is now a main-branch-only scenario.
## Prevention Strategies
- Test scripts that exercise commands blocked by branch-specific guards should either create an isolated git repo on a non-main branch **or** mock/stub the branch detection function.
- Consider adding a CI check that runs `test_permission_guard.py` inside a temporary repo on a dedicated `test/guard-tests` branch to guarantee consistent behaviour regardless of the checkout branch.
## AI Team Self-Improvement
> Copy-paste into your AI coding instructions / `instructions.md`:
```
When writing or updating guard scripts that branch on `git branch --show-current`
(or any mechanism that detects the active branch), ensure the accompanying test
suite runs inside a temporary git repository initialised on a *non-main* branch,
or mocks the branch-detection call. Tests that rely on the real working directory's
branch will produce false failures when run on main in CI.
Historical Context
No prior investigations on record for this repository. This is the first captured failure pattern: test_permission_guard_py_main_branch_check — BLOCKED_ON_MAIN guard intercepting tests that assume a feature-branch context.
Note
🔒 Integrity filter blocked 1 item
The following item were blocked because they don't meet the GitHub integrity level.
8e5df03list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
To allow these resources, lower min-integrity in your GitHub frontmatter:
Summary
The
validatejob's Run tests step fails becausetest_permission_guard.pyruns on themainbranch in CI, triggering theBLOCKED_ON_MAINguard ingit-permission-guard.pybefore the expectedask/silent_allowlogic can execute.Failure Details
8e5df03e64c0fe8825e5296c2a9a3123d6db358emain—fix(content-guards): bound validate-markdown parent-walk at repo / $HOME (#247)Root Cause Analysis
git-permission-guard.pyhas aBLOCKED_ON_MAIN = {"add", "commit", "push"}set. Whenever the first git subcommand token is in that set,_is_on_main_branch()is called (runsgit branch --show-current). In CI the working directory is checked out onmain, so it returnsTrueand immediately returnsdeny— before the downstreamASK_GIT/ silent-allow code paths run.The three affected test cases expected
askorsilent_allow, but the main-branch guard intercepts them first:git push --force feature branchgit push --force origin feature/my-branchaskdenyhooksPath in value onlygit -c some.key=echo-core.hooksPath commit -m testsilent_allowdenyhooksPath in commit messagegit -c user.name=test commit -m "allow -c core.hooksPath bypass example"silent_allowdenyFailed Jobs and Errors
Historical Context
No prior investigations on record for this repository. This is the first captured failure pattern:
test_permission_guard_py_main_branch_check— BLOCKED_ON_MAIN guard intercepting tests that assume a feature-branch context.Note
🔒 Integrity filter blocked 1 item
The following item were blocked because they don't meet the GitHub integrity level.
list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".To allow these resources, lower
min-integrityin your GitHub frontmatter: