azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(harness-guard): FATAL-promotion prerequisite — test matrix + pair-required conflict rule (VERSION 1.4.3)

Browse Source 
Builds the false-positive/true-positive proof the plan requires before the guard can be
promoted to blocking, and fixes the one false-positive it surfaced.

- test-harness-guard.sh: 12-case matrix in a throwaway repo, runs the REAL guard, asserts
  WARN/clean for real conflicts/secrets/keys vs legit content (setext underlines, dividers,
  docs that mention a marker, encrypted sops, public keys, .example templates).
- harness-guard.sh: conflict rule now requires a real hunk (BOTH ^<<<<<<< AND ^>>>>>>>),
  dropping the lone =======$ trigger that false-positived on a 7-char setext underline /
  divider. Identical true-positive power (git writes all three markers); FP surface -> 0.
- /self-check: new harness.guard_selftest runs the matrix in an isolated temp repo (read-only
  vs the real tree) so guard correctness is continuously proven.

Verified 12/12 pass, true positives intact, real-tree FP surface = 0. FATAL flip (todo
f1c11d0d, on/after 2026-06-22) is now evidence-backed + one-step.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-06-08 08:41:53 -07:00
parent cfa264947b
commit 512ceb4727
8 changed files with 221 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
specs/claudetools-harness-optimization/plan.md
View File

@@ -44,9 +44,18 @@
1.4.0 invariants (VERSION/min-version, skill-registry description budget, global deploy targets
populated, guard wired, core scripts parse, now-phoenix valid). Read-only; 9/9 PASS; budget WARN
negative-tested. Tunables in `self-check/baseline/manifest.json` `harness` block. (VERSION 1.4.1.)
- [DONE] Task 4 pre-FATAL prerequisite — guard false-positive/true-positive test matrix built
(`.claude/scripts/test-harness-guard.sh`, 12 cases) and a guard REFINEMENT shipped: the conflict
rule now requires a real hunk (BOTH `^<<<<<<< ` AND `^>>>>>>> ` present) instead of also firing on
a lone `=======` line. That lone-marker trigger was a false-positive vector (markdown setext
underlines / `=======` dividers of exactly 7 chars) with zero detection value — git always writes
all three markers. Verified: 12/12 cases pass, true positives still caught, real-tree false-positive
surface = 0. The matrix is wired into `/self-check` (`harness.guard_selftest`) so the guard's
correctness is continuously proven. The FATAL flip is now evidence-backed + one-step. (VERSION 1.4.3.)
- REMAINING (ops follow-ups, not blocking):
- Promote the warn-only guard (Task 4) to FATAL after a clean warn window (check
`.claude/harness/guard.log` across the fleet).
`.claude/harness/guard.log` across the fleet). Prerequisite test matrix DONE (above); coord
todo `f1c11d0d` set for on/after 2026-06-22.
- Schedule `memory-dream --apply-safe` per-machine (deliberate per-box ops setup; default is
read-only/proposals, so unattended --apply-safe is a judgment call left to the operator).
- Optional later: migrate existing flat session-logs into month folders if/when the flat dir