docs(security): document execution-environment constraints #24
Merged
smartwatermelon merged 1 commit into Apr 29, 2026
The 2026-04-29 Q2 validation run of the recurring audit agent (routine trig_01JaKYSFQhPJoc3jADyQPBgM, issue dev-env#23) surfaced two environment-level constraints not previously documented:

1. The cloud sandbox may not have `gh` CLI. The agent falls back to MCP GitHub tools (code search + file reads), which can detect Patterns 1, 2, 3, 5, 7, 8, 9 from workflow content but cannot reach the workflow-permissions API (Pattern 6) or perform git reachability analysis (Pattern 4).
2. MCP write scope may be limited to smartwatermelon/dev-env. Issue creation works; cross-repo draft PR creation may fail.

These are NOT methodology defects — the agent correctly reports them as PARTIAL coverage and skips PRs cleanly.

The new "Execution environment notes" section documents:

- What each constraint blocks (specific patterns and operations).
- The local-verify workflow for Pattern 6 (matches the inaugural-audit one-liner that was used during the Q2 run validation).
- When to consider switching environment_id (5+ skipped PRs/quarter, recurring PARTIAL on Pattern 6, or new patterns needing other API scope).

Also appends the Q2 auto run to the audit history table.

Q2 audit summary: 0 NEW, 0 RESOLVED, 1 UNCHANGED (the Tier-3 fetch-metadata@v3 finding already tracked in dev-env#19). Pattern 6 verified clean locally during Q2 run review (no regressions on the ralph-burndown / mac-server-setup flips from the inaugural audit).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Captures the lesson from the 2026-04-29 Q2 validation run of the recurring audit agent (routine trig_01JaKYSFQhPJoc3jADyQPBgM, audit issue dev-env#23).

The agent ran successfully but encountered two environment-level constraints that aren't methodology defects but ARE worth documenting so future quarterly runs (and humans reading those audit issues) treat them as expected:

1. `gh` CLI may not be present in the cloud sandbox. Agent falls back to MCP GitHub tools (code search + file reads), which can detect Patterns 1, 2, 3, 5, 7, 8, 9 from workflow content but cannot reach the workflow-permissions API (Pattern 6) or perform git reachability analysis (Pattern 4).
2. smartwatermelon/dev-env. Issue creation works; cross-repo draft PR creation may fail. The agent skips cleanly with `PR creation skipped for repo X: <reason>` rather than retrying or aborting.

Doc additions
A new `## Execution environment notes` section after `## Recurring audit`, with three subsections:

- `gh` CLI may be unavailable — what's covered, what's not, and the local-verify one-liner for Pattern 6.
- environment_id.

Also appends the Q2-auto-validation row to the audit-history table at the bottom of the doc.
Test plan
🤖 Generated with Claude Code