From 4c51be5a6ddbaf1d36428cb7e7b00e7f160a160d Mon Sep 17 00:00:00 2001
From: Mike Swanson <mike@azcomputerguru.com>
Date: Sat, 20 Jun 2026 06:17:02 -0700
Subject: [PATCH] harness: fix guard detection failure on macOS bash 3.2

Replace mapfile (bash 4.0+) with bash 3.2-compatible while-read loop.
macOS ships bash 3.2.57 (last GPLv2 version); mapfile silently failed,
leaving STAGED array empty, so no security checks ran (conflict markers,
secrets, private keys all missed). Guard self-test now passes 12/12.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 .claude/scripts/harness-guard.sh | 5 ++++-
 errorlog.md                      | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/.claude/scripts/harness-guard.sh b/.claude/scripts/harness-guard.sh
index cf7d8943..5db32a30 100644
--- a/.claude/scripts/harness-guard.sh
+++ b/.claude/scripts/harness-guard.sh
@@ -25,7 +25,10 @@ if [ "${SKIP_HARNESS_GUARD:-0}" = "1" ]; then
 fi
 
 ISSUES=0
-mapfile -t STAGED < <(git diff --cached --name-only --diff-filter=ACM 2>/dev/null)
+STAGED=()
+while IFS= read -r file; do
+    STAGED+=("$file")
+done < <(git diff --cached --name-only --diff-filter=ACM 2>/dev/null)
 
 for f in "${STAGED[@]}"; do
     [ -n "$f" ] || continue
diff --git a/errorlog.md b/errorlog.md
index a214bfc3..3ae8165c 100644
--- a/errorlog.md
+++ b/errorlog.md
@@ -17,6 +17,8 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
 
 <!-- Append entries below this line -->
 
+2026-06-20 | Mikes-MacBook-Air.local | harness-guard | [friction] mapfile not available on macOS bash 3.2; guard silently skips all checks [ctx: ref=.claude/scripts/harness-guard.sh line 28; bash 3.2 predates mapfile (bash 4.0); replace with bash 3.2-compatible while-read loop]
+
 2026-06-19 | GURU-5070 | rmm/mspbackups cbb delete | cbb delete -g (generation purge) on Blaster2 Local destination is blocked: 'File deletion on backup storage is restricted due to your service provider policy'. Agent-side deletion of MSP360 backup data is disabled by the provider policy; MBS REST API (api.mspbackups.com) is monitoring-only (no plan/storage delete endpoints, probed 404). Reclaiming local backup space must be done in the MSP360 management console (lift the restrict-deletion policy and let 90-day retention purge, or delete old generations/legacy bunches there). 90-day retention WAS set successfully via cbb editBackupPlan/editBackupIBBPlan. [ctx: machine=GURU-5070 client=jimmy host=Blaster2]
 
 2026-06-19 | GURU-5070 | rmm/onboard vault | [friction] stashed onboard vars in a scratch .env and sourced it; NAME=Jimmy Company (unquoted space) made 'source' exec the 2nd word as a command and left NAME unset -> vault file written with client: null. Fix: quote values when writing the env (printf '%s=%q'), or read back with grep|cut not source. [ctx: machine=GURU-5070 client=jimmy]