From 944a13ec2635b6ed7c4097797744d060ae5c8809 Mon Sep 17 00:00:00 2001 From: "anthony.wen" Date: Mon, 30 Mar 2026 15:05:23 -0400 Subject: [PATCH] Tighten ATVM git push approval gate --- atvm/AGENTS.md | 3 +++ atvm/docs/automation/run-learnings.md | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/atvm/AGENTS.md b/atvm/AGENTS.md index 7691ff3..700c4eb 100644 --- a/atvm/AGENTS.md +++ b/atvm/AGENTS.md @@ -64,6 +64,9 @@ This file defines how to operate and maintain the ATVM workspace in `/home/aw/co - For ATVM run approvals, treat `approve` as run-with-watcher and `approve without watcher` as run-without-watcher. - Treat git/commit requests as a separate approval gate. - Follow `/home/aw/code/cds/git-guide.md` for commit-request handling, including the rule that phrases such as `create me a git`, `create a git`, `create a git description`, `make me a git`, `make a git`, `make me a git description`, `create me a git description`, and close variations are prepare-only until the operator explicitly approves the displayed commit command. +- Never execute `git push` from the assistant for this workspace. +- After creating a local commit, stop and give the operator the exact manual push command reference, defaulting to `git push origin main` unless they explicitly ask for a different remote or branch. +- Do not treat `approve` after a commit as permission to push; pushing requires separate explicit wording and still remains manual-reference-only unless the operator explicitly overrides this workspace rule. - After `cmc-templates.py`, always verify that the generated spec files and the config `specPattern` still include every requested VM before starting `run-sorry-cypress.py`. - If any requested VM is missing after template generation, stop and report the mismatch instead of launching the runner. - When the watcher is requested, start the watcher before `run-sorry-cypress.py`. 
diff --git a/atvm/docs/automation/run-learnings.md b/atvm/docs/automation/run-learnings.md index 97388c7..c0c5ea8 100644 --- a/atvm/docs/automation/run-learnings.md +++ b/atvm/docs/automation/run-learnings.md @@ -373,3 +373,13 @@ This file stores run-specific examples only when a run produced a new learning r - When grouped XML lacks explicit host testcase results, recover grouped host status from the per-host reporter JSON or equivalent detailed artifact. - Carry through the real `failures`, `pending`, and failure message from that host artifact instead of assuming `PASS completed`. - If a correction post is needed because stale or reconstructed state was wrong, mark it explicitly as a correction that supersedes the earlier result. + +## Run Learning: 2026-03-30 (Git push must stay manual even after commit approval) +- Observed failure mode: + - After creating a requested local commit, the assistant treated a later `approve` as permission to run `git push`. + - The operator expectation was stricter: the assistant should stop at the local commit and only provide the manual push command reference. +- Action for future runs: + - Treat commit creation and push as separate gates. + - Never execute `git push` for this workspace unless the operator explicitly overrides the workspace rule. + - After creating a local commit, provide the manual push command reference only, defaulting to `git push origin main` unless the operator explicitly asks for a different remote or branch. + - Do not interpret a generic `approve` after a commit as push approval.
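Review bot: In the `atvm/AGENTS.md` hunk, the first added bullet says `Never execute git push from the assistant for this workspace` with no exception, while the third added bullet ends with `unless the operator explicitly overrides this workspace rule`, so the two rules disagree on whether the assistant may ever push. Pick one: either drop the override clause, or fold it into the first bullet and state exactly what wording counts as an override, the way the existing git-guide bullet above enumerates its prepare-only phrases. As written, `separate explicit wording` is left undefined, which is the same kind of ambiguity that let a bare `approve` be read as push permission in the failure this patch responds to.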
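Review bot: In the `atvm/docs/automation/run-learnings.md` hunk, the `Action for future runs` list restates the new AGENTS.md bullets almost word for word, and the two copies already differ: here the never-push rule carries `unless the operator explicitly overrides the workspace rule`, while the corresponding AGENTS.md bullet is unconditional. Keep the observed failure mode in this entry and refer to the AGENTS.md rule for the policy, so there is one authoritative statement that cannot drift. Separately, the default `git push origin main` is hardcoded in both files; if the local commit was made on another branch, the reference command handed to the operator would be wrong, so either state that commits in this workspace are always on `main` or have the default follow the branch the commit was actually created on.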