Skip to content

Configurable push range base (stop hardcoding origin/main..HEAD for trust-root scan) #28

Description

@suzuke

Parent

Part of Phase A in #25.

Problem

Trust-root push denylist enumerates the push range via something equivalent to:

git log --name-only origin/main..HEAD

Effects:

  • Repos whose default branch is not main, or whose upstream is not origin/main, fail closed (or miss the intended range).
  • Fine for many agend fleets; brittle for generic repos and embedders.

Fail-closed on unresolvable range is correct for security hygiene; the bug is the base is not configurable.

Goals

  1. Configurable range base with a clear precedence, e.g.:

    • explicit env / policy key (TBD names, keep AGENTIC_GIT_* + legacy if needed)
    • else upstream of current branch (@{upstream} / tracking)
    • else hardcode floor fallback documented as origin/main for back-compat or a documented fail-closed message that tells the user how to set the base
  2. Keep fail-closed if the range cannot be computed after applying config.

  3. Do not weaken basename trust-root matching (.config-integrity-key, policy.toml, fleet.yaml, *.jsonl).

Proposed surface (bikeshed in PR)

  • policy.toml: e.g. push_range_base = "origin/main" or "upstream"
  • and/or AGENTIC_GIT_PUSH_RANGE_BASE
  • Document interaction with protected-ref push guards (orthogonal)

Acceptance

  • Repo with only origin/master (or custom default) can pass trust-root scan when configured
  • Missing base still denies with an actionable message (fetch / set base)
  • Existing tests that assume origin/main updated or given explicit fixture base
  • Embedder contract mentions the setting

Non-goals

  • Full replace of remote branch protection
  • Content scanning beyond trust-root basenames in this issue

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions