Skip to content

docs(guard): clarify CCC_ALLOW_GATED only works in harness env, not agent command prefix#318

Merged
seoseo-ai merged 1 commit into
mainfrom
fix/guard-allow-gated-wording
Jul 7, 2026
Merged

docs(guard): clarify CCC_ALLOW_GATED only works in harness env, not agent command prefix#318
seoseo-ai merged 1 commit into
mainfrom
fix/guard-allow-gated-wording

Conversation

@jinon86

@jinon86 jinon86 commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

What

Reword the guard deny hint + header comment: CCC_ALLOW_GATED=1 is only honored when set in the harness process environment by the operator. A prefix inside an agent Bash command never reaches the PreToolUse hook (it runs first, in its own env).

Why

Live-verified on gwakga/vps7 (2026-07-07): after operator approval, re-running the approved read-only broker query with a CCC_ALLOW_GATED=1 prefix was still denied by secret-exfil. The old message ("re-run with CCC_ALLOW_GATED=1") misleads agents into a no-op self-approval attempt. The deny-by-default design is correct — only the guidance text was wrong.

Evidence

  • Deny path: agent-prefixed re-run → still BLOCKED by ccc-node guard [secret-exfil]
  • Hook source: escape hatch reads ${CCC_ALLOW_GATED:-0} from its own env (line ~50), before the Bash command executes
  • No behavior change: message/comment only; bash -n clean

Wiki cross-ref: gwakga A2A test session, LOG entry to follow.

🤖 Generated with Claude Code

…gent command prefix

The deny message told the caller to "re-run with CCC_ALLOW_GATED=1", which
misleads agents into prefixing the flag on the Bash command. The PreToolUse
hook runs BEFORE the command in its own environment, so such a prefix never
reaches the guard (verified live on gwakga/vps7, 2026-07-07: prefixed re-run
still denied). Reword the deny hint and the header comment to state that the
flag is operator-set harness-process-env only, and point agents to non-gated
alternatives or operator execution. No behavior change — message/comment only.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@jinon86 jinon86 requested a review from seoseo-ai as a code owner July 7, 2026 01:33

@seoseo-ai seoseo-ai left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Message/comment-only change; live-verified behavior description matches guard.sh escape-hatch logic (env read pre-execution). CI 7/7 green.

@seoseo-ai seoseo-ai merged commit 2e920ce into main Jul 7, 2026
7 checks passed
@seoseo-ai seoseo-ai deleted the fix/guard-allow-gated-wording branch July 7, 2026 01:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants