From b6a977cec25fddf1e498896cec3ad9462fc149db Mon Sep 17 00:00:00 2001 From: Craig Jennings Date: Thu, 2 Jul 2026 05:19:01 -0400 Subject: feat(rules): add the host-identity guard rule and startup probe A tracked or synced doc asserting "this machine is X" is false on every machine but its origin, and an agent trusting it reasons backwards all session. It happened live: a stale "ratio" claim steered a session running on velox. The new rule bans fixed identity claims in tracked/synced docs and requires the runtime derivation instead (uname -n, since the hostname binary is often absent). Describing the fleet stays legal. Claiming the current member doesn't. startup gained a read-only probe that greps CLAUDE.md and notes.org for the pattern and surfaces hits as a judgment flag, never a block. Fixture-verified under bash and zsh. --- todo.org | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'todo.org') diff --git a/todo.org b/todo.org index 3e54355..5ce251f 100644 --- a/todo.org +++ b/todo.org @@ -161,7 +161,8 @@ The work project edited two synced scripts locally as a stopgap (2026-06-17) and Note (2026-06-24): the Anki =#+TITLE= deck-name fix landed (commit 060a938) — =default_deck_name= is now =default_deck_name(input_path, org_text)= with a new docstring. The preserved 2026-06-17 =to-anki.py= predates that, so *don't* copy it wholesale (it would revert the title-fix). Re-derive the multi-tag changes against the current canonical =flashcard-to-anki.py= and keep the =#+TITLE= behavior. -** TODO [#C] Guard against hardcoded host identity in synced files :feature:solo: +** DONE [#C] Guard against hardcoded host identity in synced files :feature:solo: +CLOSED: [2026-07-02 Thu] :PROPERTIES: :CREATED: [2026-06-22 Mon] :LAST_REVIEWED: 2026-06-24 @@ -170,6 +171,8 @@ A =CLAUDE.md= / notes file that asserts mutable environment identity as a fixed 2026-07-02 Thu @ 05:09:58 -0400 — Craig (speedrun pre-flight): rule + startup lint. A new claude-rules file plus a cheap grep probe in startup flagging host-identity claims in CLAUDE.md / notes.org fleet-wide. +Resolution 2026-07-02: claude-rules/host-identity.md written (fixed-identity claims banned in tracked/synced docs, runtime derivation via uname -n, fleet-description carve-out, the archsetup worked failure) and linked machine-wide by make install. startup.org gained Phase A probe 13 (grep for "this machine/host/box is" claims in CLAUDE.md + notes.org, fixture-verified bash+zsh) and the Phase C host-identity flag line. Flags for judgment, never blocks. + ** TODO [#C] coverage-summary.el documented as a local-only helper :chore: :PROPERTIES: :CREATED: [2026-06-22 Mon] -- cgit v1.2.3