Objective
Enforce that AGenNext Code Assist updates repositories only through approved write paths:
- github-api
- git-cli
No arbitrary filesystem writes, hidden side channels, or untracked repository mutations should be allowed.
Requirements
- Add explicit update_mode=github-api|git-cli to request/config/result.
- Validate update mode before each run.
- In github-api mode, all file changes must go through GitHub Contents/Git APIs.
- In git-cli mode, all file writes must stay inside a checked-out Git worktree.
- Reject writes outside repo/worktree.
- Record update mode in changelog and audit trace.
- Keep commit/push/PR/merge authorization separate.
Acceptance criteria
- Every changed file is traceable to GitHub API or Git CLI.
- Local writes outside the target worktree are refused.
- GitHub API mode can update simple files without local checkout.
- Git CLI mode uses git status/diff as source of truth.
- Memory/RAG/cache/generated artifacts follow the same write-path rules.
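One way to implement the mode validation and the "reject writes outside repo/worktree" requirement, as an added example that is not AGenNext Code Assist's own code. The function names, `WritePathError`, the refusal of any local write in github-api mode, and the refusal of direct writes into `.git` are assumptions made here.

```python
from pathlib import Path

ALLOWED_UPDATE_MODES = {"github-api", "git-cli"}  # the two modes named in the issue


class WritePathError(Exception):
    """A run or a write violates the approved write path."""


def validate_update_mode(update_mode):
    # Called before each run: anything but the two approved modes is refused.
    if update_mode not in ALLOWED_UPDATE_MODES:
        raise WritePathError(f"unsupported update_mode: {update_mode!r}")
    return update_mode


def resolve_write_target(worktree, requested, update_mode):
    """Return the resolved path for a local write, or raise WritePathError."""
    validate_update_mode(update_mode)
    if update_mode != "git-cli":
        # Assumption: github-api mode has no local write path at all.
        raise WritePathError("local writes are refused in github-api mode")
    root = Path(worktree).resolve(strict=True)
    if not (root / ".git").exists():  # a directory, or a file in linked worktrees
        raise WritePathError(f"{root} is not a checked-out Git worktree")
    # resolve() collapses ".." and follows symlinks, so a link that points
    # out of the worktree is judged by its real destination.
    target = (root / requested).resolve()
    try:
        relative = target.relative_to(root)
    except ValueError:
        raise WritePathError(f"write outside worktree refused: {requested}") from None
    if ".git" in relative.parts:
        # Assumption: direct writes into Git metadata count as untracked mutations.
        raise WritePathError(f"write into Git metadata refused: {requested}")
    return target
```

The path is resolved at call time, so the check belongs immediately before each write; a symlink created between the check and the write is not covered by it.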