Skip to content

Enforce manifest command trust before project command execution #1382

Description

@codeforester

Follow-up to #1367 and #1381

After manifest command trust records and basectl trust commands exist, wire enforcement into the command paths that execute project-owned manifest code.

Scope

  • Block basectl test [project] before execution when no matching allow record exists.
  • Block basectl run <project> <command> before execution when no matching allow record exists.
  • Block basectl build <project> [target...] before execution when no matching allow record exists.
  • Block basectl demo [project] before running manifest-declared demo scripts when no matching allow record exists.
  • Block basectl activate <project> before sourcing activate.source entries when no matching allow record exists.
  • Preserve read-only inspection paths: --dry-run, --list, projects list, workspace status/check/doctor, check, doctor, and export-context.
  • Print the blocked-command text from docs/manifest-command-trust.md, including review commands and the exact basectl trust allow ... --manifest-sha256 ... command.

Acceptance Criteria

  • BATS cover blocked execution for test/run/build/demo and activation source paths.
  • BATS cover that dry-run/list/read-only paths still work before approval.
  • Non-interactive shells fail closed without prompting.
  • Docs include the CI allow-step example once enforcement lands.

Metadata

Metadata

Assignees

Labels

securitySecurity hardening or vulnerability work

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
Done

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions