After manifest command trust records and basectl trust commands exist, wire enforcement into the command paths that execute project-owned manifest code.
Scope
- Block
basectl test [project] before execution when no matching allow record exists.
- Block
basectl run <project> <command> before execution when no matching allow record exists.
- Block
basectl build <project> [target...] before execution when no matching allow record exists.
- Block
basectl demo [project] before running manifest-declared demo scripts when no matching allow record exists.
- Block
basectl activate <project> before sourcing activate.source entries when no matching allow record exists.
- Preserve read-only inspection paths:
--dry-run, --list, projects list, workspace status/check/doctor, check, doctor, and export-context.
- Print the blocked-command text from
docs/manifest-command-trust.md, including review commands and the exact basectl trust allow ... --manifest-sha256 ... command.
Acceptance Criteria
- BATS cover blocked execution for test/run/build/demo and activation source paths.
- BATS cover that dry-run/list/read-only paths still work before approval.
- Non-interactive shells fail closed without prompting.
- Docs include the CI allow-step example once enforcement lands.
Follow-up to #1367 and #1381
After manifest command trust records and
basectl trustcommands exist, wire enforcement into the command paths that execute project-owned manifest code.Scope
basectl test [project]before execution when no matching allow record exists.basectl run <project> <command>before execution when no matching allow record exists.basectl build <project> [target...]before execution when no matching allow record exists.basectl demo [project]before running manifest-declared demo scripts when no matching allow record exists.basectl activate <project>before sourcingactivate.sourceentries when no matching allow record exists.--dry-run,--list,projects list,workspace status/check/doctor,check,doctor, andexport-context.docs/manifest-command-trust.md, including review commands and the exactbasectl trust allow ... --manifest-sha256 ...command.Acceptance Criteria