docs: always use make check + never push directly to main #37
Merged
Agent ran ruff check nightshift/ (missing tests/) — lint errors reached main. Then pushed fixes directly to main instead of branch+PR.

Adds two rules to every doc the agent reads:
1. Always use `make check` for final verification, never partial commands
2. If CI fails after merge, fix via fix/ branch + PR, never push to main

Updated: CLAUDE.md, evolve-auto.md, evolve.md (Step 9)
Added: learning (always-make-check-never-partial-lint)
fazxes added a commit that referenced this pull request Apr 5, 2026

Task #37: Two security improvements for running against untrusted repos:
1. read_repo_instructions() now rejects symlinks before reading. Checks is_symlink() before is_file() to catch both valid and dangling symlinks. Prevents path-traversal attacks where CLAUDE.md -> /etc/passwd.
2. Prompt self-modification guard now detects new files in docs/prompt/ created during a cycle. Snapshots directory listings before the cycle and compares after. Catches agents creating prompt files that bypass the fixed PROMPT_GUARD_FILES list.

+9 tests (5 Python symlink, 4 bash guard), 616 total passing.
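The two checks that commit message describes, as an added example that is not the project's code: `read_instructions`, `snapshot`, `new_prompt_files`, `SymlinkRejected` and the file names `NOTES.md`, `target.txt` and `extra.md` are hypothetical, and the repository is constructed in a temporary directory.

```python
from __future__ import annotations
import os
import tempfile
from pathlib import Path

class SymlinkRejected(Exception):
    """Instruction file is a symlink (valid or dangling)."""

def read_instructions(repo: Path, name: str) -> str | None:
    """Return the file's text, None if absent; refuse any symlink."""
    path = repo / name
    # is_symlink() does not follow the link, so it is True for dangling links.
    # is_file() follows it, so alone it would read the target or hide the link.
    if path.is_symlink():
        raise SymlinkRejected(str(path))
    if not path.is_file():
        return None
    return path.read_text(encoding="utf-8", errors="replace")

def snapshot(prompt_dir: Path) -> set[str]:
    """Names present in the prompt directory (empty set if it is missing)."""
    return set(os.listdir(prompt_dir)) if prompt_dir.is_dir() else set()

def new_prompt_files(before: set[str], prompt_dir: Path) -> list[str]:
    """Entries that appeared after the snapshot, whatever they are called."""
    return sorted(snapshot(prompt_dir) - before)

def demo() -> dict:
    """Exercise both checks on a constructed repo in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, out = Path(tmp), {}
        (repo / "target.txt").write_text("not an instruction file")
        (repo / "CLAUDE.md").symlink_to(repo / "target.txt")  # valid link
        (repo / "NOTES.md").symlink_to(repo / "missing")      # dangling link
        (repo / "README.md").write_text("plain file")
        for name in ("CLAUDE.md", "NOTES.md"):
            try:
                out[name] = read_instructions(repo, name)
            except SymlinkRejected:
                out[name] = "rejected"
        out["README.md"] = read_instructions(repo, "README.md")
        prompts = repo / "docs" / "prompt"
        prompts.mkdir(parents=True)
        before = snapshot(prompts)
        (prompts / "extra.md").write_text("created during the cycle")
        out["new"] = new_prompt_files(before, prompts)
        return out

if __name__ == "__main__":
    print(demo())
```

`Path.is_symlink()` inspects only the final path component, so this sketch does not cover a symlinked parent directory or a file swapped between the check and the read.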
Summary
- `ruff check nightshift/` (missing `tests/`) — lint errors reached main via PR feat: cost tracking and budget ceiling for daemon sessions #35
- `make check` for final verification, never partial lint/type/test commands
- `fix/` branch + PR — never push directly to main

Files
- `CLAUDE.md` — code quality + git workflow rules
- `docs/prompt/evolve-auto.md` — VERIFICATION RULE + CI FAILURE RULE
- `docs/prompt/evolve.md` — Step 9 updated with branch+PR flow
- `docs/learnings/` — new learning documenting the failure

Test plan