ci: Landlock probe workflow + Beat-0 safety sentinel (stacked on Batch F)#34
Merged
Conversation
Ports the dedicated Lane C Linux Landlock probe workflow (the lane whose green run the 0.3.0 Landlock-executed claim cites) and wires release-evidence-beat0 into the per-PR macOS test job (19 offline legs; the fence/refusal/W0 sentinels guard every PR, including community PRs — the D2 rule's point). Stacked on batch-f-030 (the workflow references the beat0 make target and test files that batch delivers); retarget to main after #33 merges. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Deploying shepherd-agents-docs with
|
| Latest commit: |
20c0790
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://82394480.shepherd-agents-docs.pages.dev |
| Branch Preview URL: | https://ci-landlock-beat0.shepherd-agents-docs.pages.dev |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
CI: Linux sandbox-enforcement workflow + safety checks on every PR
Two additions to this repo's CI, following the 0.3.0 feature PR (#33):
lane-c-linux-probe.yml— a dedicated workflow that runs the OS-level permission-enforcement test suite on Linux under Landlock, inside a privileged container. The 0.3.0 release claims Linux enforcement is executed (not just designed), and this is the lane that proves it reproducibly.make release-evidence-beat0on every PR — 19 fast, offline checks guarding the 0.3.0 safety behaviors: the refusal of un-sandboxed repository-access calls, the schema fence against fabricated repository-handle results, and the loud-failure paths for uninspectable task bodies. Running them per-PR means no future change — including community PRs — can silently regress those guarantees.Opened stacked on #33 because the workflow references the make target and test files that PR delivers; retargeted to
mainafter it merged.🤖 Generated with Claude Code